Bug 1410450 - pwscore fails on missing /usr/share/cracklib/pw_dict.pwd.gz
Summary: pwscore fails on missing /usr/share/cracklib/pw_dict.pwd.gz
Alias: None
Product: Fedora
Classification: Fedora
Component: libpwquality
Version: 25
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2017-01-05 14:12 UTC by Martin Pitt
Modified: 2017-01-05 15:06 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2017-01-05 14:28:05 UTC
Type: Bug

Attachments (Terms of Use)

Description Martin Pitt 2017-01-05 14:12:00 UTC
Description of problem:

In Fedora 25, libpwquality does not depend any more on cracklib-dicts. That package is not installed in a minimal environment such as mock or mkosi, and "rpm -e cracklib-dicts" even works in a reasonably fat install.

Version-Release number of selected component (if applicable):


How reproducible:

On Fedora 25:

$ mock --init
$ mock --shell 'echo foobar123 | pwscore'
/usr/share/cracklib/pw_dict.pwd.gz: No such file or directory
Password quality check failed:
 The password fails the dictionary check - error loading dictionary

Actual results:

pwscore fails on Fedora 25 without cracklib-dicts. This e. g. breaks cockpit when trying to create a new user, without /usr/share/cracklib/pw_dict.pwd.gz the user creation never succeeds (see https://github.com/cockpit-project/cockpit/issues/5684).

This is not an issue in RHEL/centos 7: there cracklib-dicts is a dependency of libpwquality.

Expected results:

If the removal of the cracklib-dicts dependency of libpwquality was deliberate, then pwscore should gracefully fall back, i. e. just skip the dictionary check. Otherwise the dependency should be put back.

Comment 1 Tomas Mraz 2017-01-05 14:28:05 UTC
No, the dependency is a weak one via Recommends so dnf will normally install it but you should be able to uninstall it if you do not need the dictionary check. And you can configure libpwquality to skip the dictionary check via setting dictcheck = 0 in /etc/security/pwquality.conf but we do not want that to be default.

Comment 2 Martin Pitt 2017-01-05 14:56:54 UTC
A weak dependency is fine, but then it shouldn't fail hard if it isn't installed, but gracefully fall back. Or something should pull it into mock/mkosi and similarly small environments as well..

Comment 3 Tomas Mraz 2017-01-05 15:06:04 UTC
Gracefully falling back would mean that incorrectly or inadvertently missing dictionary would get undetected. I do not want that.

Note You need to log in before you can comment on or make changes to this bug.