Description of problem:
The GUI user/group manager tool does not check password quality, as /usr/bin/passwd does. For example, if you put in the password '12345', r-c-users will kick it back as too short; however, '123456' will go through just fine. Since this has been around for a while (at least since 7.2, which is what I can test here), I hesitate to call it a security issue, although it is one. So, to increase the security of this product (which is probably usually used by the less skilled systems administrators, who need all the help/support we can give them to do things the Right Way), can you make r-c-users check passwords against the usual bevy of suspects, e.g. cracklib?

Version-Release number of selected component (if applicable):
redhat-config-users-1.1.1-2

How reproducible:
Always (tested in AS 2.1 and RHL 8.0, both with latest errata updates)

Steps to Reproduce:
1. Open redhat-config-users
2. Click New User, fill out fields
3. Attempt to use an insecure password of the proper length (6 characters), e.g. 123456, abcdef, dictionary, redhat, <username>, etc.

Actual results:
Program says nothing about the quality of the password, and accepts the insecure password.

Expected results:
Desired result is to have r-c-users come back when a password is "bad", explain why (dictionary word, same as username, etc.), and suggest that a better password be used. Basically, follow the formula set up by /usr/bin/passwd: root can set insecure passwords, but root is reminded/warned about the risk.

Additional info:
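The check the report asks for, as an added example that is not redhat-config-users code and not from the bug's reporter or maintainer: a password-quality gate that mirrors the /usr/bin/passwd behaviour described above (refuse a "BAD PASSWORD" for ordinary users, accept it with a warning for root). It calls cracklib-python's FascistCheck() when that module is importable (the binding raises ValueError carrying cracklib's reason text) and otherwise falls back to a small built-in approximation of the same checks, so it runs on a box without cracklib. The function names, the MIN_LEN constant, the TINY_DICT word list and the fallback rules are this example's own assumptions; the fallback is not cracklib's algorithm, and real deployments should rely on the system dictionary.

```python
"""Password-quality gate modelled on /usr/bin/passwd (added example).

Uses cracklib-python's FascistCheck() when available; otherwise a small
built-in approximation (length, all digits, username, tiny word list,
consecutive-character runs) stands in so the module still runs offline.
"""
import os

try:
    import cracklib  # cracklib-python binding; FascistCheck raises ValueError
except ImportError:  # module absent: the built-in approximation is used
    cracklib = None

MIN_LEN = 6  # assumption for this example; cracklib's own minimum is built in

# Constructed stand-in for a real word list, just enough to show the check.
TINY_DICT = {"dictionary", "password", "redhat", "secret", "welcome", "letmein"}


def builtin_check(password, username):
    """Return a reason string if the password is weak, else None.

    Approximates the kind of reasons cracklib reports; not cracklib itself.
    """
    pw = password.lower()
    user = (username or "").lower()
    if len(password) < MIN_LEN:
        return "it is too short"
    if password.isdigit():
        return "it is all digits"
    if user and pw in (user, user[::-1]):
        return "it is based on your username"
    if pw in TINY_DICT or pw.rstrip("0123456789") in TINY_DICT:
        return "it is based on a dictionary word"
    # A straight run such as 123456 or abcdef: every step is +1.
    if all(ord(b) - ord(a) == 1 for a, b in zip(password, password[1:])):
        return "it is too simplistic/systematic"
    return None


def check_password(password, username):
    """Return None if the password is acceptable, otherwise the reason."""
    if cracklib is not None:
        try:
            cracklib.FascistCheck(password)  # dictionary, length, patterns
        except ValueError as exc:
            return str(exc)
        # FascistCheck takes no username, so keep the username rule ourselves.
        user = (username or "").lower()
        if user and password.lower() in (user, user[::-1]):
            return "it is based on your username"
        return None
    return builtin_check(password, username)


def set_password_policy(password, username, is_root=None):
    """Decide as /usr/bin/passwd does.

    Returns (accepted, message).  Ordinary users are refused a weak
    password; root is warned but allowed to proceed.
    """
    if is_root is None:
        is_root = os.geteuid() == 0
    reason = check_password(password, username)
    if reason is None:
        return True, "ok"
    if is_root:
        return True, "BAD PASSWORD: %s (accepted because you are root)" % reason
    return False, "BAD PASSWORD: %s; please choose a better one" % reason


if __name__ == "__main__":
    for pw in ("12345", "123456", "abcdef", "redhat", "charlie", "Tr0ub4dor&3x"):
        print(pw, "->", set_password_policy(pw, "charlie", is_root=False))
```

The split into check_password() and set_password_policy() keeps the quality test separate from the root-override decision, so a GUI can show the reason text in a dialog and only the caller has to know whether to offer "use it anyway".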
I'm the maintainer now. While this is a good idea, I can't promise a high priority, partly because there is no Python interface for cracklib yet (none that I could find, that is).
Changing product and component.
Changing component to cracklib (RFE: python interface for cracklib).
Upstreamed, will probably be in cracklib 2.8.4.
We've got a cracklib-python as of 2.8.9-5. Bouncing back to system-config-users.
I consider including this in Fedora 7 if time permits.
checked in changes for this into elvis CVS
fixed in version 1.2.52