Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 82723 - system-config-users does not check password quality (i.e. cracklib)
Summary: system-config-users does not check password quality (i.e. cracklib)
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: system-config-users
Version: rawhide
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Nils Philippsen
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2003-01-25 12:10 UTC by Karsten Wade
Modified: 2007-11-30 22:10 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-01-31 11:13:47 UTC


Attachments (Terms of Use)

Description Karsten Wade 2003-01-25 12:10:23 UTC
Description of problem:

The GUI user/group manager tool does not check password quality, as
/usr/bin/passwd does.

For example, if you put in the password '12345', r-c-users will kick it back as
too short; however '123456' will go through just fine.

Since this has been around for a while (at least since 7.2 that I can test
here), I hesitate to call it a security issue, although it is one.

So, to increase the security of this product (which is probably usually used by
the less skilled systems administrators, who need all the help/support we can
give them to do things the Right Way) - can you make r-c-users check passwords
against the usual bevy of suspects, e.g. cracklib.

Version-Release number of selected component (if applicable):
redhat-config-users-1.1.1-2


How reproducible:
Always (tested in AS 2.1 and RHL 8.0, both with latest errata updates)

Steps to Reproduce:
1. Open redhat-config-users
2. Click New User, fill out fields
3. Attempt to use an insecure password of the proper length (6 characters), e.g.
123456, abcdef, dictionary, redhat, <username>, etc.

Actual results:
Program says nothing about the quality of the password, and accepts the insecure
password

Expected results:
Desired result is to have r-c-users come back when a password is "bad", explain
why (dictionary word, same as username, etc.), suggest that a better password be
used.  Basically follow the formula setup by /usr/bin/passwd -- root can set
insecure passwords, but it root is reminded/warned about the risk.

Additional info:

Comment 1 Nils Philippsen 2004-08-25 08:30:29 UTC
I'm the maintainer now. While this is a good idea, I can't promise a
high prio, partly because there is no python interface for cracklib
yet (none that I found that is).

Comment 2 Nils Philippsen 2004-11-30 14:33:56 UTC
Changing product and component.

Comment 3 Nils Philippsen 2004-11-30 14:35:31 UTC
Changing component to cracklib (RFE: python interface for cracklib).

Comment 4 Nalin Dahyabhai 2005-09-13 19:44:13 UTC
Upstreamed, will probably be in cracklib 2.8.4.

Comment 5 Nalin Dahyabhai 2006-10-29 23:09:08 UTC
We've got a cracklib-python as of 2.8.9-5.  Bouncing back to system-config-users.

Comment 6 Nils Philippsen 2007-01-25 10:35:29 UTC
I consider including this in Fedora 7 if time permits.

Comment 7 Nils Philippsen 2007-01-25 12:54:23 UTC
checked in changes for this into elvis CVS

Comment 8 Nils Philippsen 2007-01-31 11:13:47 UTC
fixed in version 1.2.52


Note You need to log in before you can comment on or make changes to this bug.