Bug 14740 - pam_cracklib: 'similiar()' broken
pam_cracklib: 'similiar()' broken
Product: Red Hat Linux
Classification: Retired
Component: pam (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Nalin Dahyabhai
Depends On:
  Show dependency treegraph
Reported: 2000-07-27 14:02 EDT by John Dalbec
Modified: 2008-05-01 11:37 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2000-10-26 17:39:39 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description John Dalbec 2000-07-27 14:02:38 EDT
The problem:
The variable 'j' in this routine is the number of matching (not different) characters between the old and new passwords.
As such, the direction of the inequality 'j >= opt->diff_ok' is wrong.  You want something like 'i-j >= opt->diff_ok'.

To reproduce the problem:
Anyone using MD5 passwords should be able to reproduce the problem by changing (say) 'the quick brown' to 'the quick brow'.
For crypt passwords, try setting difok=5.  Create a test user and set its password to 'st3y7r8'.  Now change the password to 'st3y7r9'.
Since 6 characters were unchanged and 6 >=5, this is accepted.  Now try changing the password to 'st3y1b2'.  
Since only 4 characters are the same (4<5) and fewer than half the characters are different, this will be rejected.

Frankly, the calculation of 'j' seems rather odd.  
It's the number of not-necessarily-distinct characters in the old password that appear in the new password.
And if the new password is shorter, the old password is effectively truncated to the length of the new password before this calculation is done.
I would be interested in understanding why this was done in light of the comments above the function.
Comment 1 Nalin Dahyabhai 2000-11-29 11:49:17 EST
This fix will appear in the upcoming errata.

Note You need to log in before you can comment on or make changes to this bug.