Univention Bugzilla – Bug 52057
UMC PAM stack always uses pam_cracklib, even if password/quality/mspolicy = 'sufficient'
Last modified: 2023-04-20 17:19:35 CEST
The UMC PAM stack contains pam_cracklib using the plain defaults (without any consideration of the password/quality/* UCR configuration). Bug #51994 introduces the possibility to select MS standard password complexity criteria for password changes. If the UCR variable password/quality/mspolicy is set to 'sufficient', the cracklib tests should be skipped. If it's not skipped, then passwords like "Aa12y2", which may conform to the MS complexity criteria, will be rejected by pam_cracklib. My attempt to classify the pam_cracklib call as 'optional' didn't help, and removing the pam_cracklib call in the template (if password/quality/mspolicy == sufficient) results in "Errorcode 20", because the following call to pam_unix is done with "use_first_pass", which seems to create a memory management issue. Since this is a corner case, the use/risk seemed too high to do a larger change to the UMC PAM stack, but strictly speaking this is not correct for corner cases.
Created attachment 10497: Suggested patch
The use of `use_authtok` on "pam_unix.so" looks wrong. Also see Bug #30036 for more PAM issues.
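As an added illustration (not the attached patch and not Univention's own template), a UCR-templated password stack that skips pam_cracklib when password/quality/mspolicy is 'sufficient' and, in that case, also drops use_authtok from pam_unix: with use_authtok, pam_unix expects the new token to have been set by a previously stacked password module and returns PAM_AUTHTOK_ERR (Linux-PAM return code 20) when none ran, which matches the "Errorcode 20" seen above. The file name, the @!@ template syntax, the configRegistry object and the module arguments are assumptions.

```pam
# Hypothetical UCR template fragment (assumed syntax: @!@ ... @!@ Python blocks
# with a configRegistry object) -- not the real UMC PAM template.
@!@
mspolicy = configRegistry.get('password/quality/mspolicy', 'no')
if mspolicy == 'sufficient':
    # MS complexity criteria are enforced elsewhere, so pam_cracklib is skipped.
    # pam_unix must then obtain the new token itself: no use_authtok here,
    # otherwise no stacked module has set PAM_AUTHTOK and pam_unix fails
    # with PAM_AUTHTOK_ERR (return code 20).
    print('password  required   pam_unix.so      obscure sha512 try_first_pass')
else:
    # Default stack: pam_cracklib checks the new password and stores it,
    # pam_unix reuses that stored token (use_authtok) instead of prompting again.
    print('password  requisite  pam_cracklib.so  retry=3 minlen=8 difok=3')
    print('password  required   pam_unix.so      obscure sha512 use_authtok')
@!@
```

Either branch keeps pam_unix's argument list consistent with whether a token-setting module actually precedes it, which is the invariant the use_authtok option depends on.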