Bug 1688373 - cracklib-check does not recognize various shifts, substitutions, additions, repetitions and dictionary words
Keywords:
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: cracklib
Version: 8.0
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: rc
Target Release: 8.1
Assignee: Tomas Mraz
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-03-13 16:06 UTC by Ondrej Moriš
Modified: 2019-03-17 19:23 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Feature Request
Target Upstream Version:



Description Ondrej Moriš 2019-03-13 16:06:31 UTC
Description of problem:

I see various weaknesses in cracklib:

:: [ 11:45:36 ] :: [  BEGIN   ] :: Check word as is :: actually running 'echo 'liococcygian' | cracklib-check | grep -v OK'
:: [ 11:45:36 ] :: [   FAIL   ] :: Check word as is (Expected 0, got 1)
:: [ 11:45:36 ] :: [  BEGIN   ] :: Check one char right shift :: actually running 'echo 'iococcygianl' | cracklib-check | grep -v OK'
:: [ 11:45:36 ] :: [   FAIL   ] :: Check one char right shift (Expected 0, got 1)
:: [ 11:45:36 ] :: [  BEGIN   ] :: Check two char right shift :: actually running 'echo 'ococcygianli' | cracklib-check | grep -v OK'
:: [ 11:45:36 ] :: [   FAIL   ] :: Check two char right shift (Expected 0, got 1)
:: [ 11:45:36 ] :: [  BEGIN   ] :: Check three char right shift :: actually running 'echo 'coccygianlio' | cracklib-check | grep -v OK'
:: [ 11:45:36 ] :: [   FAIL   ] :: Check three char right shift (Expected 0, got 1)
:: [ 11:45:36 ] :: [  BEGIN   ] :: Check four char right shift :: actually running 'echo 'occygianlioc' | cracklib-check | grep -v OK'
:: [ 11:45:36 ] :: [   FAIL   ] :: Check four char right shift (Expected 0, got 1)
:: [ 11:45:36 ] :: [  BEGIN   ] :: Check five char right shift :: actually running 'echo 'ccygianlioco' | cracklib-check | grep -v OK'
:: [ 11:45:36 ] :: [   FAIL   ] :: Check five char right shift (Expected 0, got 1)
:: [ 11:45:36 ] :: [  BEGIN   ] :: Check six char right shift :: actually running 'echo 'cygianliococ' | cracklib-check | grep -v OK'
:: [ 11:45:36 ] :: [   FAIL   ] :: Check six char right shift (Expected 0, got 1)
:: [ 11:45:36 ] :: [  BEGIN   ] :: Check seven char right shift :: actually running 'echo 'ygianliococc' | cracklib-check | grep -v OK'
:: [ 11:45:36 ] :: [   FAIL   ] :: Check seven char right shift (Expected 0, got 1)
:: [ 11:45:36 ] :: [  BEGIN   ] :: Check eight char right shift :: actually running 'echo 'gianliococcy' | cracklib-check | grep -v OK'
:: [ 11:45:36 ] :: [   FAIL   ] :: Check eight char right shift (Expected 0, got 1)
:: [ 11:45:36 ] :: [  BEGIN   ] :: Check nine char right shift :: actually running 'echo 'ianliococcyg' | cracklib-check | grep -v OK'
:: [ 11:45:36 ] :: [   FAIL   ] :: Check nine char right shift (Expected 0, got 1)
:: [ 11:45:36 ] :: [  BEGIN   ] :: Check ten char right shift :: actually running 'echo 'anliococcygi' | cracklib-check | grep -v OK'
:: [ 11:45:36 ] :: [   FAIL   ] :: Check ten char right shift (Expected 0, got 1)
:: [ 11:45:36 ] :: [  BEGIN   ] :: Check eleven char right shift :: actually running 'echo 'nliococcygia' | cracklib-check | grep -v OK'
:: [ 11:45:36 ] :: [   FAIL   ] :: Check eleven char right shift (Expected 0, got 1)
:: [ 11:45:36 ] :: [  BEGIN   ] :: Check a -> @ leet-speak substitution :: actually running 'echo 'd@ncing' | cracklib-check | grep -v OK'
:: [ 11:45:36 ] :: [   FAIL   ] :: Check a -> @ leet-speak substitution (Expected 0, got 1)
:: [ 11:45:36 ] :: [  BEGIN   ] :: Check b -> 8 leet-speak substitution :: actually running 'echo 'glo8ulin' | cracklib-check | grep -v OK'
:: [ 11:45:36 ] :: [   FAIL   ] :: Check b -> 8 leet-speak substitution (Expected 0, got 1)
:: [ 11:45:36 ] :: [  BEGIN   ] :: Check g -> 6 leet-speak substitution :: actually running 'echo 'ali6nment' | cracklib-check | grep -v OK'
:: [ 11:45:36 ] :: [   FAIL   ] :: Check g -> 6 leet-speak substitution (Expected 0, got 1)
:: [ 11:45:36 ] :: [  BEGIN   ] :: Check g -> 9 leet-speak substitution :: actually running 'echo 'ali9nment' | cracklib-check | grep -v OK'
:: [ 11:45:36 ] :: [   FAIL   ] :: Check g -> 9 leet-speak substitution (Expected 0, got 1)
:: [ 11:45:36 ] :: [  BEGIN   ] :: Check i -> ! leet-speak substitution :: actually running 'echo 'all!gator' | cracklib-check | grep -v OK'
:: [ 11:45:36 ] :: [   FAIL   ] :: Check i -> ! leet-speak substitution (Expected 0, got 1)
:: [ 11:45:36 ] :: [  BEGIN   ] :: Check i -> | leet-speak substitution :: actually running 'echo 'all|gator' | cracklib-check | grep -v OK'
:: [ 11:45:36 ] :: [   FAIL   ] :: Check i -> | leet-speak substitution (Expected 0, got 1)
:: [ 11:45:36 ] :: [  BEGIN   ] :: Check l -> ! leet-speak substitution :: actually running 'echo 'ama!gamate' | cracklib-check | grep -v OK'
:: [ 11:45:36 ] :: [   FAIL   ] :: Check l -> ! leet-speak substitution (Expected 0, got 1)
:: [ 11:45:36 ] :: [  BEGIN   ] :: Check l -> | leet-speak substitution :: actually running 'echo 'ama|gamate' | cracklib-check | grep -v OK'
:: [ 11:45:36 ] :: [   FAIL   ] :: Check l -> | leet-speak substitution (Expected 0, got 1)
:: [ 11:45:36 ] :: [  BEGIN   ] :: Check t -> 7 leet-speak substitution :: actually running 'echo 'bac7eria' | cracklib-check | grep -v OK'
:: [ 11:45:36 ] :: [   FAIL   ] :: Check t -> 7 leet-speak substitution (Expected 0, got 1)
:: [ 11:45:36 ] :: [  BEGIN   ] :: Check t -> + leet-speak substitution :: actually running 'echo 'bac+eria' | cracklib-check | grep -v OK'
:: [ 11:45:36 ] :: [   FAIL   ] :: Check t -> + leet-speak substitution (Expected 0, got 1)
:: [ 11:45:36 ] :: [  BEGIN   ] :: Test triple char postfix addition :: actually running 'echo 'password,.=' | cracklib-check | grep -v OK'
:: [ 11:45:36 ] :: [   FAIL   ] :: Test triple char postfix addition (Expected 0, got 1)
:: [ 11:45:36 ] :: [  BEGIN   ] :: Test triple char prefix addition :: actually running 'echo '=-[password' | cracklib-check | grep -v OK'
:: [ 11:45:36 ] :: [   FAIL   ] :: Test triple char prefix addition (Expected 0, got 1)
:: [ 11:45:36 ] :: [  BEGIN   ] :: Test triple char pre- and postfix addition :: actually running 'echo '=-[password;*^' | cracklib-check | grep -v OK'
:: [ 11:45:36 ] :: [   FAIL   ] :: Test triple char pre- and postfix addition (Expected 0, got 1)
:: [ 11:45:36 ] :: [  BEGIN   ] :: Test triple digit postfix addition :: actually running 'echo 'password710' | cracklib-check | grep -v OK'
:: [ 11:45:36 ] :: [   FAIL   ] :: Test triple digit postfix addition (Expected 0, got 1)
:: [ 11:45:36 ] :: [  BEGIN   ] :: Test triple digit prefix addition :: actually running 'echo '017password' | cracklib-check | grep -v OK'
:: [ 11:45:36 ] :: [   FAIL   ] :: Test triple digit prefix addition (Expected 0, got 1)
:: [ 11:45:36 ] :: [  BEGIN   ] :: Test single digit prefix and postfix addition :: actually running 'echo '7password1' | cracklib-check | grep -v OK'
:: [ 11:45:36 ] :: [   FAIL   ] :: Test single digit prefix and postfix addition (Expected 0, got 1)
:: [ 11:45:36 ] :: [  BEGIN   ] :: Test double digit prefix and postfix addition :: actually running 'echo '07password12' | cracklib-check | grep -v OK'
:: [ 11:45:36 ] :: [   FAIL   ] :: Test double digit prefix and postfix addition (Expected 0, got 1)
:: [ 11:45:36 ] :: [  BEGIN   ] :: Test triple digit prefix and postfix addition :: actually running 'echo '307password125' | cracklib-check | grep -v OK'
:: [ 11:45:36 ] :: [   FAIL   ] :: Test triple digit prefix and postfix addition (Expected 0, got 1)
:: [ 11:45:36 ] :: [  BEGIN   ] :: Test quadruple digit postfix repetition :: actually running 'echo 'password1111' | cracklib-check | grep -v OK'
:: [ 11:45:36 ] :: [   FAIL   ] :: Test quadruple digit postfix repetition (Expected 0, got 1)
:: [ 11:45:36 ] :: [  BEGIN   ] :: Test quintuple digit postfix repetition :: actually running 'echo 'password11111' | cracklib-check | grep -v OK'
:: [ 11:45:36 ] :: [   FAIL   ] :: Test quintuple digit postfix repetition (Expected 0, got 1)
:: [ 11:45:36 ] :: [  BEGIN   ] :: Test sextuple digit postfix repetition :: actually running 'echo 'password111111' | cracklib-check | grep -v OK'
:: [ 11:45:36 ] :: [   FAIL   ] :: Test sextuple digit postfix repetition (Expected 0, got 1)
:: [ 11:45:36 ] :: [  BEGIN   ] :: Test all words as is in dict/words :: actually running 'cat /usr/share/dict/words |  cracklib-check | grep ': OK''
pneumonoultramicroscopicsilicovolcanoconiosis: OK
:: [ 11:46:12 ] :: [   FAIL   ] :: Test all words as is in dict/words (Expected 1, got 0)

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   John the Ripper password generator based tests
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 11:46:12 ] :: [  BEGIN   ] :: Test the passwords generated using "wordlist" set :: actually running 'cat wordlist.jhn | cracklib-check | grep OK'
dancingged: OK
globulining: OK
acatalecticing: OK
Dancingged: OK
Globulining: OK
Acatalecticing: OK
:: [ 11:46:12 ] :: [   FAIL   ] :: Test the passwords generated using "wordlist" set (Expected 1, got 0)

Version-Release number of selected component (if applicable):

cracklib-2.9.6-15.el8.x86_64

How reproducible:

100%

Steps to Reproduce:

See above.

Actual results:

Various patterns are not recognized.

Expected results:

As many patterns as possible should be recognized.

Additional info:

The situation is very similar to RHEL-7.6. It would be good to go through the list of issues case by case and filter it out based on severity of a case.
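
The kind of normalising lookup the report is asking for, as an added example that is not cracklib's code: every mangling the test cases above apply (cyclic shifts, the listed leet-speak substitutions, up to three non-letter characters added at either end, repeated trailing characters, and the JtR-style word-plus-suffix forms) is undone before the dictionary lookup. The dictionary here is a constructed stand-in for /usr/share/dict/words.

```python
"""Normalising dictionary check for the pattern classes listed in this bug (added example)."""
import re
from itertools import product

# Constructed stand-in for the system dictionary; cracklib uses its own packed dicts.
DICTIONARY = {"liococcygian", "dancing", "globulin", "alignment", "alligator",
              "amalgamate", "bacteria", "password", "acatalectic"}

# Leet substitutions taken from the test cases; one symbol may stand for several letters.
LEET = {"@": "a", "8": "b", "6": "g", "9": "g", "!": "il", "|": "il", "7": "t", "+": "t"}
NONLETTER = r"[^A-Za-z]"

def rotations(word):
    """All cyclic shifts of word ('abc' -> {'abc', 'bca', 'cab'})."""
    return {word[i:] + word[:i] for i in range(len(word))}

def unleet(word):
    """Every letter-only reading of the leet symbols in word (others pass through)."""
    return {"".join(c) for c in product(*[LEET.get(ch, ch) for ch in word])}

def strip_affixes(word, max_len=3):
    """Collapse runs of a repeated non-letter, then drop up to max_len non-letters at each end."""
    collapsed = re.sub(r"(%s)\1+" % NONLETTER, r"\1", word)
    ends = r"^%s{0,%d}|%s{0,%d}$" % (NONLETTER, max_len, NONLETTER, max_len)
    return re.sub(ends, "", collapsed)

def normal_forms(candidate):
    """All normalised spellings the dictionary lookup is tried against."""
    base = candidate.lower()
    forms = set()
    for stripped in (base, strip_affixes(base)):
        for plain in unleet(stripped):
            forms |= rotations(plain)
    return forms

def reason_weak(candidate, dictionary=DICTIONARY, min_len=6):
    """Return why candidate is weak, or None if no rule matches."""
    forms = normal_forms(candidate)
    hits = forms & dictionary
    if hits:
        return "normalises to dictionary word %r" % sorted(hits)[0]
    # Word-plus-suffix derivations such as 'dancingged' from the JtR wordlist run.
    for form in forms:
        for word in dictionary:
            if len(word) >= min_len and word in form:
                return "contains dictionary word %r" % word
    return None

if __name__ == "__main__":
    for pw in ("coccygianlio", "ama|gamate", "=-[password;*^", "password11111", "Globulining"):
        print(pw, "->", reason_weak(pw))
```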

Comment 1 Tomas Mraz 2019-03-14 11:19:44 UTC
Ondrej, this is basically an RFE.

