Univention Bugzilla – Bug 56002
Replace obsolete libpam-cracklib with libpam-pwquality
Last modified: 2024-03-08 10:40:26 CET
We currently use pam_cracklib.so to force password quality when changing user passwords. cracklib for example checks passwords for minlength, complexity, palindrom, dictionary entries, username/gecos/other information in the password, …. libpam-cracklib has been removed in the upstream project: https://metadata.ftp-master.debian.org/changelogs//main/p/pam/pam_1.5.2-6_changelog → we should replace it with libpam-passwdqc which provides similar but not all features.
libpam-passwdqc has different password settings. We would have to adjust multiple test cases because of this. Julia found that libpam-pwquality has the same settings than pam-cracklib. Therefore we will use that.
See its configuration options in https://linux.die.net/man/8/pam_pwquality - it internally uses cracklib.
libpam-cracklib has already been removed in UCS 5.1. libpam-pwquality is already available in UCS 5.0. We could backport this bug. Description: PAM module to check password strength libpwquality's purpose is to provide common functions for password quality checking and also scoring them based on their apparent randomness. The library also provides a function for generating random passwords with good pronounceability. . This module can be plugged into the password stack of a given service to provide some plug-in strength-checking for passwords. The code was originaly based on pam_cracklib module and the module is backwards compatible with its options.
OK: PAM module cracklib has been replaced by pam_pwquality OK: pam_pwquality is completely backwards compatible to cracklib, so no necessary reconfiguration OK: No behavioural differences found OK: changelog OK: built OK: Jenkins Verified
univention-pam (14.0.5) cef24d3bd68e | fix(pam): replace upstream removed libpam-cracklib with libpam-pwquality univention-management-console (13.0.5) cef24d3bd68e | fix(pam): replace upstream removed libpam-cracklib with libpam-pwquality univention-errata-level (5.1.0-0) cef24d3bd68e | fix(pam): replace upstream removed libpam-cracklib with libpam-pwquality