RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 963769 - cracklib-check allows dictionary based passwords with simple modifications
Summary: cracklib-check allows dictionary based passwords with simple modifications
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: cracklib
Version: 6.4
Hardware: Unspecified
OS: Unspecified
medium
high
Target Milestone: rc
: ---
Assignee: Tomas Mraz
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks: 966524
TreeView+ depends on / blocked
 
Reported: 2013-05-16 14:06 UTC by Hubert Kario
Modified: 2017-09-22 13:15 UTC (History)
0 users

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
: 966524 (view as bug list)
Environment:
Last Closed: 2017-09-22 13:15:43 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
partial fix: add roll-left and roll-right constructors (1.56 KB, patch)
2013-05-17 19:02 UTC, Nalin Dahyabhai 		no flags Details | Diff
partial fix: add more l33t-ish substitutions (666 bytes, patch)
2013-05-17 19:04 UTC, Nalin Dahyabhai 		no flags Details | Diff
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1005276 0 unspecified CLOSED Words with simple "l33t" substitutions are accepted as secure 2021-02-22 00:41:40 UTC
Red Hat Bugzilla 1005313 0 unspecified CLOSED Dictionary words with common misspellings or txtspk are accepted as secure 2021-02-22 00:41:40 UTC

Internal Links: 1005276 1005313

Description Hubert Kario 2013-05-16 14:06:00 UTC 
Description of problem:
When using simple English word list (from package words), cracklib-check doesn't recognize passwords with simple modifications as based on dictionary words.

Version-Release number of selected component (if applicable):
cracklib-2.8.16-4.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. create-cracklib-dict /usr/share/dict/words
2. echo "d.ncing" | cracklib-check
3. echo "d@ncing" | cracklib-check
4. echo "glo8ulin" | cracklib-check
5. echo "dancingdancing" | cracklib-check
6. echo "ancingd" | cracklib-check # "dancing" barrel-shifted by one letter
7. echo "1dancing1" | cracklib-check
8. echo "aca7alectic" | cracklib-check

Actual results:
d.ncing: OK
d@ncing: OK
glo8ulin: OK
dancingdancing: OK
ancingd: OK
1dancing1: OK
aca7alectic: OK

Expected results:
d.ncing: it is based on a dictionary word
d@ncing: it is based on a dictionary word
glo8ulin: it is based on a dictionary word
dancingdancing: it is based on a dictionary word
ancingd: it is based on a dictionary word
1dancing1: it is based on a dictionary word
aca7alectic: it is based on a dictionary word

Additional info:
Considering that passwords such as "-*!dancing,-=" are rejected, not rejecting much simpler changes/substitutions is unexpected.

As most of those modifications are present in standard rules used by John The Ripper they should be rejected by cracklib.

While some of those cases are introducing completely new tests, the list of missing leetspeak substitutions is quite glaring.

Proposed list of substitutions:
@ -> a
4 -> a
8 -> b (B)
3 -> e (E)
6 -> g
9 -> g
! -> i or l
1 -> i or l
$ -> s
5 -> s
7 -> t (T)
+ -> t
| -> i or l
Comment 2 Nalin Dahyabhai 2013-05-17 19:02:40 UTC 
Created attachment 749442 [details]
partial fix: add roll-left and roll-right constructors
Comment 3 Nalin Dahyabhai 2013-05-17 19:04:04 UTC 
Created attachment 749443 [details]
partial fix: add more l33t-ish substitutions

These aren't integrated properly, but doing it in a way that wouldn't explode the destructors list would require redoing a few layers of logic.
Comment 4 Hubert Kario 2013-05-20 08:42:42 UTC 
Regarding patch in Comment #2: I don't know how the code later searches if the word is in wordlist or not, but I know that pam_cracklib does check if a password doesn't contain words as a substring of "passwordpassword". This finds not only repetitions but such simple barrel shifts like in the "ancingd" case.

Regarding patch in Comment #3: I'm not sure if I read the patch correctly, but the a -> . substitution was more to show that obfuscating a single character is enough to render cracklib useless, not an actual "l33t speak" substitution.
And second "I'm not sure if I read the patch correctly" is the 8 -> B substitution: doesn't cracklib do a case insensitive search over its wordlist?
Comment 5 Nalin Dahyabhai 2013-05-20 19:57:13 UTC 
(In reply to Hubert Kario from comment #4)
> Regarding patch in Comment #2: I don't know how the code later searches if
> the word is in wordlist or not, but I know that pam_cracklib does check if a
> password doesn't contain words as a substring of "passwordpassword". This
> finds not only repetitions but such simple barrel shifts like in the
> "ancingd" case.

The pam_cracklib module (and the cracklib python module, and apparently everything else that uses cracklib) implements additional logic beyond what cracklib does, so cracklib-check doesn't benefit from those efforts.

> Regarding patch in Comment #3: I'm not sure if I read the patch correctly,
> but the a -> . substitution was more to show that obfuscating a single
> character is enough to render cracklib useless, not an actual "l33t speak"
> substitution.
> And second "I'm not sure if I read the patch correctly" is the 8 -> B
> substitution: doesn't cracklib do a case insensitive search over its
> wordlist?

So it does.  That rule should be discarded from the patch, then.  As for the larger point, you're right, cracklib's doesn't catch everything.
Comment 6 Tomas Mraz 2013-06-11 11:57:17 UTC 
I don't think this is RHEL-6 material. This should be changed in Fedora and RHEL-7 if at all.
Comment 7 RHEL Program Management 2013-10-13 23:36:37 UTC 
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unable to address this
request at this time.

Red Hat invites you to ask your support representative to
propose this request, if appropriate, in the next release of
Red Hat Enterprise Linux.
Comment 8 Tomas Mraz 2017-09-22 13:15:43 UTC 
Red Hat Enterprise Linux 6 transitioned to the Production 3 Phase on May 10, 2017.  During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available.

The official life cycle policy can be reviewed here:

http://redhat.com/rhel/lifecycle

This issue does not appear to meet the inclusion criteria for the Production Phase 3 and will be marked as CLOSED/WONTFIX. If this remains a critical requirement, please re-open the BZ and request a re-evaluation of the issue, citing a clear business justification.
Note You need to log in before you can comment on or make changes to this bug.