852391 – No way to disable some password checks when using pam_cracklib module

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 852391 - No way to disable some password checks when using pam_cracklib module

Summary: No way to disable some password checks when using pam_cracklib module

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	pam
Sub Component:
Version:	6.1
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Tomas Mraz
QA Contact:	BaseOS QE Security Team
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2012-08-28 11:21 UTC by Athar
Modified:	2014-11-11 08:13 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-11-11 08:13:25 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Athar 2012-08-28 11:21:51 UTC

Description of problem:

There is no way to disable following password checks for non-root user :

$ passwd
Changing password for user test.
Changing password for test.
(current) UNIX password: 
New password: 
BAD PASSWORD: is rotated
New password: 
BAD PASSWORD: it is too simplistic/systematic
New password: 
BAD PASSWORD: is a palindrome


Version-Release number of selected component (if applicable):


How reproducible: Always


Steps to Reproduce:
1. Create a test user on Linux.
2. Login as test and try to change its password.
3. Tried following passwords which result in an error :

New password: 
BAD PASSWORD: is rotated                           << Old password : Newpassw0rd , New password : dNewpassw0r
New password: 
BAD PASSWORD: it is too simplistic/systematic      << abcd123
New password: 
BAD PASSWORD: is a palindrome                      << deesawaseed

Contents of system-auth file are :

password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=6 dcredit=0 lcredit=0 ocredit=0 ucredit=0 maxrepeat=0 difok=0
password    required      pam_pwhistory.so enforce_for_root remember=3 use_authtok
password    sufficient    pam_unix.so md5 shadow try_first_pass use_authtok
password    required      pam_deny.so
  
Actual results:

There is no way available to disable the above password checks.

Additional info:

Comment 2 Tomas Mraz 2012-08-28 12:13:31 UTC

Please use the regular support channels to request this enhancement. Otherwise the request cannot be properly prioritized.

See http://www.redhat.com/support/ for details.

Comment 3 Tom Lavigne 2012-09-07 15:26:31 UTC

This request was evaluated by Red Hat Product Management for 
inclusion in the current release of Red Hat Enterprise Linux.
Since we are unable to provide this feature at this time,  
it has been proposed for the next release of 
Red Hat Enterprise Linux.

Comment 4 RHEL Program Management 2013-10-14 04:49:32 UTC

This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 5 Athar 2014-11-11 05:18:16 UTC

This is not desired any more.

Note You need to log in before you can comment on or make changes to this bug.