Description of problem:
If difok=2 and a password change is attempted with only changes to the first and last char, pam_cracklib will say the passwords are "too similar", whereas the change should be accepted.

How reproducible:
RHEL4 (any update, including 5)
pam-0.77-66.17 (any pam 0.77 rpm for RHEL4)

Include:
    passwd requisite /lib/security/$ISA/pam_cracklib.so debug retry=3 difok=3
in /etc/pam.d/system-auth

Steps to Reproduce:
Use passwd to change a user's password.

Actual results:
    PASSWD      CHANGE RESULTS
    ======      ==============
    q1w2e3r4    initial password
    11q2e3r5    "too similar"
    11a2e2r4    success

Expected results:
    PASSWD      CHANGE RESULTS
    ======      ==============
    q1w2e3r4    initial password
    11q2e3r5    success
    11a2e2r4    success

Additional info:
The fix for this went into PAM 0.78 from PAM bugzilla 1010142
* http://sourceforge.net/tracker/index.php?func=detai le&aid=1010142&group_id=6663&atid=106663

RHEL5 behaves properly as it contains this fix already in PAM 0.99.
Created attachment 181141 [details] pam_cracklib-last_char.patch
Created attachment 184561 [details] patch fixing typo - if ((j == 0) || (strlen(new) < i)) { + if ((j == 0) || (strlen(new) < j)) {
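Review bot: in the corrected condition, strlen(new) < j compares the size_t result of strlen() against j, whose declaration is not visible in this hunk. If j is a signed int it is converted to unsigned for the comparison, so please confirm j can never be negative here, or cast explicitly so the intent is clear. Because the original line differed from the fix only in using i where j was meant, a short comment saying what j counts would help prevent the same slip, and a regression check using the passwords from the report (q1w2e3r4 changed to 11q2e3r5 with difok=3) would show that the change is now accepted.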
Providing testing && QA information related to this one: Was able to reproduce this issue && will be able to retest the whole RHSA-2007:0737 advisory in case of need (to include this one) -> Moving to assigned.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2007-0737.html