Bug 2213848 - Use more informative message in LUKS password dialog in FIPS mode
Summary: Use more informative message in LUKS password dialog in FIPS mode
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: anaconda
Version: 9.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Anaconda Maintenance Team
QA Contact: Release Test Team
URL:
Whiteboard:
Depends On:
Blocks: 2180384
Reported: 2023-06-09 14:54 UTC by Jiri Kortus
Modified: 2023-07-13 10:53 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-07-13 10:53:20 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Issue Tracker | RHELPLAN-159398 | 0 | None | None | None | 2023-06-09 14:55:53 UTC

Description Jiri Kortus 2023-06-09 14:54:13 UTC
Description of problem:
When a LUKS password shorter than 8 characters is entered into the LUKS password dialog in FIPS mode, various unrelated error messages are displayed (related to password quality, e.g. the password being a dictionary one, or too simple).

This is, however, a bit misleading, because the password can't be accepted when it's shorter than 8 characters, no matter if it passes any other checks or not. It would be much more informative if there is a message similar to the one that appears in text mode with kickstart ('Passphrase given in the autopart command is too short in FIPS mode. Please use at least 8 characters.'), which would take precedence before any other error/warning messages.


Version-Release number of selected component (if applicable):
anaconda-34.25.3.2-1.el9

How reproducible:
100%

Steps to Reproduce:
1. Start graphical installation in FIPS mode (fips=1 on kernel command line)
2. Enter partitioning spoke, enable disk encryption and click on Done.
3. Enter a password shorter than 8 characters in the input fields in LUKS password dialog.

Actual results:
There's an error message related to password quality (password is a palindrome, it is too simple or too systematic).

Expected results:
There's a message informing the user that the password has to be at least 8 characters long in FIPS mode. When the user enters a password with the required length, other password checks and their resulting messages apply. In non-FIPS mode, the message logic remains unchanged.

Comment 1 Jiri Konecny 2023-06-15 08:43:54 UTC
Hi Vlado, do you know if we can change this reasonably? I have a bad feeling that the messages are coming from the pwquality library.

Comment 2 Jiri Kortus 2023-06-15 09:49:35 UTC
Jirko, I have a faint feeling (IIRC) that the messages come from pwquality library - so the only solution would be to handle the FIPS case separately in the code, prior to displaying the pwquality output. Not sure if it's feasible or you'd even want to use some approach like that (definitely it's not very nice and systematic), but still I felt the urge to file the bug as I found the error messages somewhat confusing or at least a bit opaque from the UX perspective.

Comment 3 Vladimír Slávik 2023-07-04 12:28:25 UTC
tl;dr If you show that a password shorter than 8 letters with fips=1 shows no length-related error in the GUI, then the bug is valid, otherwise it's a cosmetic thing.

Why: The default minimal password length from pwpolicy appears to be 6 letters. This is the message you see for passwords with length 1-5. Additionally, such short passwords suffer from a number of other problems and so give other error messages, too. The FIPS mode, if applicable, adds another error message for passwords shorter than 8 letters. This message appears after the pwpolicy messages, so for passwords of 6 and 7 letters only. Since only the first detected error is shown, the pwpolicy ones dominate the output when trying various password lengths. It is possible to craft passwords that satisfy all the pwpolicy rules but fail the FIPS requirement. Try "h86huq" for example.

So, I don't think this is a bug, just testing too... singlemindedly? Whatever the messages, the end effect is that the installer won't allow you to use a passphrase of less than 8 letters with fips. It just displays other messages besides the FIPS one.


FWIW, it might be possible to make the FIPS message "higher priority" than pwpolicy and so make it dominate the error output. However, that would likely require a more detailed rewrite. Unless this is a really big problem, I suggest leaving it as it is.
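
The check ordering discussed in comments 2 and 3, as an added example that is not part of the original comments and is not anaconda or pwquality code. The check functions, message strings and sample passwords other than "h86huq" are constructed stand-ins; the sketch shows that both orderings reject the same passphrases and differ only in which message the user sees first.

```python
# Added illustration: stand-in checks, not anaconda's or libpwquality's code.
FIPS_MIN_LEN = 8      # from the report: FIPS mode requires at least 8 characters
POLICY_MIN_LEN = 6    # default pwpolicy minimum as described in comment 3

def check_policy_length(pw, fips):
    if len(pw) < POLICY_MIN_LEN:
        return f"The password is shorter than {POLICY_MIN_LEN} characters"
    return None

def check_palindrome(pw, fips):
    # Hypothetical stand-in for one of the quality checks named in the report.
    if len(pw) > 1 and pw == pw[::-1]:
        return "The password is a palindrome"
    return None

def check_fips_length(pw, fips):
    # Constructed message text, modelled on the kickstart wording in the report.
    if fips and len(pw) < FIPS_MIN_LEN:
        return (f"The passphrase is too short in FIPS mode. "
                f"Please use at least {FIPS_MIN_LEN} characters.")
    return None

# Order described in comment 3: policy checks first, FIPS check last.
CURRENT_ORDER = [check_policy_length, check_palindrome, check_fips_length]
# Order requested in the report: the FIPS length check takes precedence.
FIPS_FIRST_ORDER = [check_fips_length, check_policy_length, check_palindrome]

def first_error(pw, fips, checks):
    """Return the first failing check's message, or None if pw is accepted."""
    for check in checks:
        msg = check(pw, fips)
        if msg:
            return msg
    return None

def accepted(pw, fips, checks):
    return first_error(pw, fips, checks) is None

if __name__ == "__main__":
    samples = ["abba", "abccba", "h86huq", "h86huq7x"]  # constructed, except h86huq
    for pw in samples:
        for name, order in (("current", CURRENT_ORDER),
                            ("fips-first", FIPS_FIRST_ORDER)):
            print(f"{pw!r:12} {name:10} -> {first_error(pw, True, order)}")
```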

Comment 4 Jan Stodola 2023-07-13 10:53:20 UTC
After a discussion with Jiri Konecny, there is currently no capacity to fix this issue. I'm closing the bug.

