Description of problem: When changing the passphrase for a LUKS drive, I am getting this error: # cryptsetup luksChangeKey /dev/vda3 Enter passphrase to be changed: Enter new passphrase: Verify passphrase: /usr/share/cracklib/pw_dict.pwd.gz: No such file or directory Password quality check failed: The password fails the dictionary check - error loading dictionary I looked and no package owns /usr/share/cracklib/pw_dict.pwd.gz, but the "cracklib-dicts" package owns /usr/share/cracklib/pw_dict.pwd, and if I install that package, cryptsetup luksChangeKey now works. Version-Release number of selected component (if applicable): cryptsetup-2.5.0-1.fc37.x86_64 cracklib-dicts-2.9.7-30.fc37.x86_64 How reproducible: Always Steps to Reproduce: 1. Set up LUKS volume 2. Attempt to change the key without having cracklib-dict installed 3. See error above Additional info: I swear this worked on January 3rd after a fresh Fedora 37 install, I'm not sure what dependencies changed to not automatically bring in cracklib-dicts, but it isn't installed anymore on my minimal install. It appears that cracklib is installed, just not cracklib-dicts.
This should be dependence of libpwquality which link to, perhaps bug 2006063 ? (You can always workaround it by adding --force-password to disable password quality check.) Anyway, reassigning to libpwquality, as I have not idea what changed there.
While it is nice that FCOS doesn't need password quality checking in passwd and cryptsetup, it would be nice if it was pulled in for Desktop OSs where people might actually expect password quality checks?
This also affects existing installs. A user doing a `dnf autoremove` after updating to libpwquality-1.4.5-1 will remove cracklib-dicts. cracklib-dicts was changed from a Requires to Suggests in libpwquality-1.4.5-1 [1]. I think it should've been a Recommends, according to Fedora policy on weak dependencies [2]. > The requirements of the main use cases of a package should not merely be referenced by hints but included by strong or weak dependencies. [1]: https://src.fedoraproject.org/rpms/libpwquality/c/303154338d6d3650bc343c4852009be8a1fdc199 [2]: https://docs.fedoraproject.org/en-US/packaging-guidelines/WeakDependencies/#_hints
Yeah, using Suggests and not Recommends is wrong. It should be possible to install libpwquality without dicts but by default the dicts should be installed.
This is likely a fallout from https://bugzilla.redhat.com/show_bug.cgi?id=2006063. Note that for Fedora CoreOS we don't pull in recommends by default so moving this from a suggest to a recommend should fix this issue.
Recommends are enabled in Silverblue & Kinoite so it will fix it there too: https://github.com/fedora-silverblue/issue-tracker/issues/400
This can also breaks logging in as a user with no password in GDM (whereupon GDM asks the user to create a new password; if cracklib-dicts is missing, this fails as the dictionary can't be loaded). This won't affect systems installed from the Workstation live because anaconda-core requires cracklib-dicts and live images have anaconda-core on them, but it *does* affect systems installed from a non-live installer that include the workstation-product-environment group. This means it breaks an openQA test when run on an upgraded system, because the base image from which the upgrade test starts is built with virt-install and a kickstart. Since Paul hasn't responded to this and it's been around for three weeks, I'm going to go ahead and use provenpackager powers to change the Suggests to a Recommends.
FEDORA-2023-4021d4c044 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-4021d4c044
FEDORA-2023-4021d4c044 has been pushed to the Fedora 37 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-4021d4c044` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-4021d4c044 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2023-4021d4c044 has been pushed to the Fedora 37 stable repository. If problem still persists, please make note of it in this bug report.
it looks like, due to an interaction with a dnf bug that sometimes doesn't install all weak dependencies, this is still breaking some things, specifically our CI that uses Fedora 37 containers and runs clevis, see: https://github.com/stratis-storage/project/issues/581 .