Bug 1323172 - optional cracklib-dicts
Summary: optional cracklib-dicts
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: pam
Version: rawhide
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: base-minimization
TreeView+ depends on / blocked
 
Reported: 2016-04-01 12:40 UTC by Harald Hoyer
Modified: 2017-11-16 07:39 UTC (History)
3 users (show)

Fixed In Version: pam-1.2.1-8.fc25
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-04-11 15:02:54 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)
Separate package for password quality plugins (#1323172) (2.48 KB, patch)
2016-04-08 20:17 UTC, Yaakov Selkowitz 		no flags Details | Diff
View All

Description Harald Hoyer 2016-04-01 12:40:51 UTC 
Please try to make cracklib-dicts optional

We are trying to minimize the base container image size and cracklib-dicts is huge (9.5MB).

Is it required by other parts of pam, or only because of libpwquality
?
https://harald.fedorapeople.org/rawhide-20160401-systemd-container/Tree-cracklib-dicts.svg

An option would be to make it a "Recommends" or if it's only because of libpwquality, then remove it completly.
Comment 1 Harald Hoyer 2016-04-01 12:44:00 UTC 
bug 1323175 for libpwquality
Comment 2 Tomas Mraz 2016-04-01 13:50:04 UTC 
It is needed for pam_cracklib as well. Although the module is replaced with pam_pwquality in the default configuration, it is still present and can be manually configured.

We have the bug 865521 for the smaller dictionary alternative unfortunately I did not get to work on that yet.

For it to work seamlessly we would need also a fallback in cracklib from the regular dictionary to the small one. I do not think we want to have them in the same files and the packages to conflict.
Comment 3 Harald Hoyer 2016-04-01 14:18:37 UTC 
Well, generally for tiny containers passwords would not be needed anyway... maybe some pam-passwd splitout?
Comment 4 Yaakov Selkowitz 2016-04-06 15:33:38 UTC 
(In reply to Harald Hoyer from comment #3)
> Well, generally for tiny containers passwords would not be needed anyway...
> maybe some pam-passwd splitout?

Right, breaking out the pam_cracklib and pam_pwquality modules into a subpackage (to be installed in everything but containers) makes the most sense.
Comment 5 Yaakov Selkowitz 2016-04-08 20:17:18 UTC 
Created attachment 1145247 [details]
Separate package for password quality plugins (#1323172)
Comment 6 Tomas Mraz 2016-04-11 07:38:19 UTC 
I am more in favor of making the cracklib dictionary weak dependency than splitting out the modules.
Comment 7 Yaakov Selkowitz 2016-04-11 14:58:57 UTC 
This is insufficient because both pam_cracklib and pam_pwquality have a link dependency on cracklib, which itself still has a hard dependency on cracklib-dicts (and rightfully so IMO).
Comment 8 Tomas Mraz 2016-04-11 15:02:54 UTC 
Nope, there is no Requires: cracklib-dicts on cracklib at all and there was not such requires for a long time.
Comment 9 Harald Hoyer 2016-04-13 13:25:51 UTC 
$ rpm -q --requires pam|fgrep crack
cracklib-dicts >= 2.8
libcrack.so.2()(64bit)
Comment 10 Harald Hoyer 2016-04-13 13:27:44 UTC 
(In reply to Harald Hoyer from comment #9)
> $ rpm -q --requires pam|fgrep crack
> cracklib-dicts >= 2.8
> libcrack.so.2()(64bit)

oops, this was pam-1.2.1-7.fc25 .. not -8
Note You need to log in before you can comment on or make changes to this bug.