Bug 849965 - pam_cracklib.so gives wrong error when the minlen > 6
Status: CLOSED NEXTRELEASE
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: pam
Version: 6.1
Hardware: Unspecified
OS: Linux
Priority: medium
Severity: high
Target Milestone: rc
Assigned To: Tomas Mraz
QA Contact: BaseOS QE Security Team
Keywords: FutureFeature
Reported: 2012-08-21 07:12 EDT by Abhay Dandekar
Modified: 2015-08-04 09:15 EDT
Doc Type: Enhancement
Last Closed: 2015-08-04 09:15:42 EDT
Type: Bug
Description Abhay Dandekar 2012-08-21 07:12:48 EDT
Description of problem:

We modified the /etc/pam.d/system-auth file to set the minlen = 8. Following is the entry in system-auth :

password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=8 dcredit=0 lcredit=0 ocredit=0 ucredit=0 maxrepeat=0 difok=0

The system is supposed to give the "password too SHORT" message when we enter a complex password having length greater than 6 and less than 8.


How reproducible:
Always

Steps to Reproduce:
1. Create a temp user on the Linux machine and expire it.
2. Set the entry in /etc/pam.d/system-auth file as mentioned below:
password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=8 dcredit=0 lcredit=0 ocredit=0 ucredit=0 maxrepeat=0 difok=0
3. Try to login via ssh session.
4. When the console asks for a new password, enter a password having length more than 6 but less than 8, e.g. q1w2e3r

Actual results:
Following is the output from console :

# abhay is an expired user on the linux machine.

[root@newInstaller15 ~]# ssh abhay@mgmt001st002 
abhay@mgmt001st002's password: 
You are required to change your password immediately (root enforced)
Last login: Tue Aug 21 11:25:43 2012 from 10.0.100.1
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user abhay.
Changing password for abhay.
(current) UNIX password: 
New password:                    << ENTERED 5 LETTER PASSWORD
BAD PASSWORD: it is too short
New password:                    << ENTERED 7 LETTER PASSWORD
BAD PASSWORD: is too simple
New password:                    << ENTERED 7 LETTER PASSWORD AGAIN
BAD PASSWORD: is too simple
Password: 
passwd: Have exhausted maximum number of retries for service
Connection to mgmt001st002 closed.
[root@newInstaller15 ~]#

Version-Release number of selected component (if applicable):
[root@st002.mgmt001st002 ~]# ls -ltr /lib64/libpam.so.0 
lrwxrwxrwx. 1 root root 16 Jul 27 11:12 /lib64/libpam.so.0 -> libpam.so.0.82.2
[root@st002.mgmt001st002 ~]# 


Expected results:

The system should report that the password is short when we enter a password having length less than the minlen value mentioned in /etc/pam.d/system-auth.

Additional info:
Comment 2 nilesh 2012-08-22 01:35:13 EDT
I think the pam_cracklib needs a fix in the password_check() function.
If all the credits (opt->dig_credit, opt->up_credit, opt->low_credit and opt->oth_credit) are set to '0' and the length of the new password is less than the "opt->min_length" then it should throw an error message like "it is too short" instead of "is too simple". 
I think, the "too simple" message is applicable when any of the credits is set to a non-zero value.
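To make the distinction drawn in this comment concrete, here is an added model of the length-with-credits check (example code written for this page, not pam_cracklib's own source or struct names, which are hypothetical here). It assumes pam_cracklib's credit semantics: a non-negative Ncredit lets up to N characters of that class count as extra length, and a negative value is instead a required minimum count for that class. It returns the message this comment proposes.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical mirror of the relevant pam_cracklib options (not its struct). */
struct opts { int min_length, dcredit, ucredit, lcredit, ocredit; };

/* Model of the length-with-credits check. Returns the message proposed in
 * comment 2, or NULL when the password satisfies min_length. */
const char *length_check(const struct opts *o, const char *pw) {
    int count[4] = {0, 0, 0, 0};          /* digits, upper, lower, other */
    for (const unsigned char *p = (const unsigned char *)pw; *p; p++) {
        if (isdigit(*p)) count[0]++;
        else if (isupper(*p)) count[1]++;
        else if (islower(*p)) count[2]++;
        else count[3]++;
    }
    const int credit[4] = {o->dcredit, o->ucredit, o->lcredit, o->ocredit};
    int credits = 0, all_zero = 1;
    for (int i = 0; i < 4; i++) {
        if (credit[i] != 0) all_zero = 0;
        if (credit[i] < 0) {
            /* Negative credit: a required minimum count for this class. */
            if (count[i] < -credit[i]) return "is too simple";
        } else {
            /* Non-negative credit: up to that many characters add length. */
            credits += count[i] < credit[i] ? count[i] : credit[i];
        }
    }
    if ((int)strlen(pw) + credits >= o->min_length) return NULL;
    /* With every credit at 0 only the raw length can be wrong, so say so. */
    return all_zero ? "it is too short" : "is too simple";
}

int main(void) {
    /* The reporter's configuration: minlen=8 and all four credits at 0. */
    const struct opts reporter = {8, 0, 0, 0, 0};
    /* Constructed sample passwords of length 5, 7 and 8. */
    const char *pw[] = {"q1w2e", "q1w2e3r", "q1w2e3r4"};
    for (int i = 0; i < 3; i++) {
        const char *msg = length_check(&reporter, pw[i]);
        printf("%-9s -> %s\n", pw[i], msg ? msg : "ok");
    }
    return 0;
}
```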
Comment 5 RHEL Product and Program Management 2012-12-14 02:53:53 EST
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
Comment 7 RHEL Product and Program Management 2013-10-14 00:50:38 EDT
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
Comment 8 nilesh 2013-10-15 02:04:59 EDT
Yes, this is required to be fixed to keep the error report consistent and easy to understand for the end user. This helps the end user understand the error properly and take appropriate corrective action to resolve it.
Comment 9 Tomas Mraz 2015-08-04 09:15:42 EDT
This problem is solved by pam_pwquality in RHEL-7. It is rather an enhancement request than a bug fix, and I am rejecting it because the complications that the fix would bring (i.e. the need for updated translations etc.) are worse than the improvements.