Please try to make cracklib-dicts optional We are trying to minimize the base container image size and cracklib-dicts is huge (9.5MB). Is it required by other parts of pam, or only because of libpwquality ? https://harald.fedorapeople.org/rawhide-20160401-systemd-container/Tree-cracklib-dicts.svg An option would be to make it a "Recommends" or if it's only because of libpwquality, then remove it completly.
bug 1323175 for libpwquality
It is needed for pam_cracklib as well. Although the module is replaced with pam_pwquality in the default configuration, it is still present and can be manually configured. We have the bug 865521 for the smaller dictionary alternative unfortunately I did not get to work on that yet. For it to work seamlessly we would need also a fallback in cracklib from the regular dictionary to the small one. I do not think we want to have them in the same files and the packages to conflict.
Well, generally for tiny containers passwords would not be needed anyway... maybe some pam-passwd splitout?
(In reply to Harald Hoyer from comment #3) > Well, generally for tiny containers passwords would not be needed anyway... > maybe some pam-passwd splitout? Right, breaking out the pam_cracklib and pam_pwquality modules into a subpackage (to be installed in everything but containers) makes the most sense.
Created attachment 1145247 [details] Separate package for password quality plugins (#1323172)
I am more in favor of making the cracklib dictionary weak dependency than splitting out the modules.
This is insufficient because both pam_cracklib and pam_pwquality have a link dependency on cracklib, which itself still has a hard dependency on cracklib-dicts (and rightfully so IMO).
Nope, there is no Requires: cracklib-dicts on cracklib at all and there was not such requires for a long time.
$ rpm -q --requires pam|fgrep crack cracklib-dicts >= 2.8 libcrack.so.2()(64bit)
(In reply to Harald Hoyer from comment #9) > $ rpm -q --requires pam|fgrep crack > cracklib-dicts >= 2.8 > libcrack.so.2()(64bit) oops, this was pam-1.2.1-7.fc25 .. not -8