Bug 82723 - system-config-users does not check password quality (i.e. cracklib)
Summary: system-config-users does not check password quality (i.e. cracklib)
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: system-config-users (Show other bugs)
(Show other bugs)
Version: rawhide
Hardware: All Linux
low
medium
Target Milestone: ---
Assignee: Nils Philippsen
QA Contact:
URL:
Whiteboard:
Keywords: FutureFeature
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2003-01-25 12:10 UTC by Karsten Wade
Modified: 2007-11-30 22:10 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-01-31 11:13:47 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Karsten Wade 2003-01-25 12:10:23 UTC 
Description of problem:

The GUI user/group manager tool does not check password quality, as
/usr/bin/passwd does.

For example, if you put in the password '12345', r-c-users will kick it back as
too short; however '123456' will go through just fine.

Since this has been around for a while (at least since 7.2 that I can test
here), I hesitate to call it a security issue, although it is one.

So, to increase the security of this product (which is probably usually used by
the less skilled systems administrators, who need all the help/support we can
give them to do things the Right Way) - can you make r-c-users check passwords
against the usual bevy of suspects, e.g. cracklib.

Version-Release number of selected component (if applicable):
redhat-config-users-1.1.1-2


How reproducible:
Always (tested in AS 2.1 and RHL 8.0, both with latest errata updates)

Steps to Reproduce:
1. Open redhat-config-users
2. Click New User, fill out fields
3. Attempt to use an insecure password of the proper length (6 characters), e.g.
123456, abcdef, dictionary, redhat, <username>, etc.

Actual results:
Program says nothing about the quality of the password, and accepts the insecure
password

Expected results:
Desired result is to have r-c-users come back when a password is "bad", explain
why (dictionary word, same as username, etc.), suggest that a better password be
used.  Basically follow the formula setup by /usr/bin/passwd -- root can set
insecure passwords, but it root is reminded/warned about the risk.

Additional info:
Comment 1 Nils Philippsen 2004-08-25 08:30:29 UTC 
I'm the maintainer now. While this is a good idea, I can't promise a
high prio, partly because there is no python interface for cracklib
yet (none that I found that is).
Comment 2 Nils Philippsen 2004-11-30 14:33:56 UTC 
Changing product and component.
Comment 3 Nils Philippsen 2004-11-30 14:35:31 UTC 
Changing component to cracklib (RFE: python interface for cracklib).
Comment 4 Nalin Dahyabhai 2005-09-13 19:44:13 UTC 
Upstreamed, will probably be in cracklib 2.8.4.
Comment 5 Nalin Dahyabhai 2006-10-29 23:09:08 UTC 
We've got a cracklib-python as of 2.8.9-5.  Bouncing back to system-config-users.
Comment 6 Nils Philippsen 2007-01-25 10:35:29 UTC 
I consider including this in Fedora 7 if time permits.
Comment 7 Nils Philippsen 2007-01-25 12:54:23 UTC 
checked in changes for this into elvis CVS
Comment 8 Nils Philippsen 2007-01-31 11:13:47 UTC 
fixed in version 1.2.52
Note You need to log in before you can comment on or make changes to this bug.