Bug 56002 - Replace obsolete libpam-cracklib with libpam-pwquality
Status: VERIFIED FIXED
Product: UCS
Classification: Unclassified
Component: PAM
Version: UCS 5.1
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 5.1
Assigned To: Florian Best
QA Contact: Julia Bremer
Reported: 2023-04-20 17:19 CEST by Florian Best
Modified: 2024-03-08 10:40 CET
What kind of report is it?: Development Internal
Description Florian Best univentionstaff 2023-04-20 17:19:29 CEST
We currently use pam_cracklib.so to force password quality when changing user passwords.

cracklib, for example, checks passwords for minlength, complexity, palindrome, dictionary entries, username/gecos/other information in the password, …

libpam-cracklib has been removed in the upstream project: https://metadata.ftp-master.debian.org/changelogs//main/p/pam/pam_1.5.2-6_changelog

→ we should replace it with libpam-passwdqc which provides similar but not all features.
Comment 2 Florian Best univentionstaff 2023-09-21 14:57:57 CEST
libpam-passwdqc has different password settings. We would have to adjust multiple test cases because of this.
Julia found that libpam-pwquality has the same settings as pam-cracklib. Therefore we will use that.
Comment 3 Florian Best univentionstaff 2023-09-21 14:59:36 CEST
See its configuration options in https://linux.die.net/man/8/pam_pwquality - it internally uses cracklib.
Comment 4 Florian Best univentionstaff 2023-10-05 14:08:56 CEST
libpam-cracklib has already been removed in UCS 5.1.
libpam-pwquality is already available in UCS 5.0. We could backport this bug.

Description: PAM module to check password strength
 libpwquality's purpose is to provide common functions for password
 quality checking and also scoring them based on their apparent randomness. The
 library also provides a function for generating random passwords with good
 pronounceability.
 .
 This module can be plugged into the password stack of a given service to
 provide some plug-in strength-checking for passwords. The code was originaly
 based on pam_cracklib module and the module is backwards compatible with its
 options.
Comment 5 Julia Bremer univentionstaff 2023-10-11 13:43:10 CEST
OK: PAM module cracklib has been replaced by pam_pwquality
OK: pam_pwquality is completely backwards compatible with cracklib, so no reconfiguration is necessary
OK: No behavioural differences found
OK: changelog
OK: built
OK: Jenkins

Verified
Comment 6 Florian Best univentionstaff 2024-03-08 10:40:26 CET
univention-pam (14.0.5)
cef24d3bd68e | fix(pam): replace upstream removed libpam-cracklib with libpam-pwquality

univention-management-console (13.0.5)
cef24d3bd68e | fix(pam): replace upstream removed libpam-cracklib with libpam-pwquality

univention-errata-level (5.1.0-0)
cef24d3bd68e | fix(pam): replace upstream removed libpam-cracklib with libpam-pwquality
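
The module swap tracked in this bug, as an added Python example that is not part of the bug report or of Univention's packages: it rewrites `pam_cracklib.so` entries of a PAM service file to `pam_pwquality.so`, keeps their arguments, and lists every argument outside a set assumed here to be common to both modules so it can be checked against pam_pwquality(8). `SHARED_OPTS`, `migrate()` and the sample stack are constructed for this example.

```python
import re

# Arguments this example assumes both pam_cracklib(8) and pam_pwquality(8)
# accept; anything else is reported for manual review, not declared broken.
SHARED_OPTS = {"debug", "authtok_type", "retry", "difok", "minlen", "dcredit",
               "ucredit", "lcredit", "ocredit", "minclass", "maxrepeat",
               "gecoscheck", "enforce_for_root", "use_authtok"}

# type, control (plain or [bracketed]), optional directory, module, arguments.
# Commented-out lines never match because the type field must be a word.
PAM_LINE = re.compile(
    r"^(?P<head>\s*-?\w+\s+(?:\[[^\]]*\]|\S+)\s+)(?P<dir>\S*/)?"
    r"pam_cracklib\.so(?P<args>(?:\s.*)?)$")

def migrate(text):
    """Return (rewritten_text, findings) for the text of one PAM service file.

    findings is a list of (line_number, [arguments to review]) with one
    entry per active pam_cracklib.so line.
    """
    out, findings = [], []
    for number, line in enumerate(text.splitlines(), 1):
        match = PAM_LINE.match(line)
        if not match:                      # comment, blank or another module
            out.append(line)
            continue
        args = match.group("args").split()
        review = [a for a in args if a.split("=", 1)[0] not in SHARED_OPTS]
        findings.append((number, review))
        out.append(match.group("head") + (match.group("dir") or "")
                   + "pam_pwquality.so" + match.group("args"))
    return "\n".join(out) + "\n", findings

# Constructed sample lines, not the contents of any UCS file.
SAMPLE = """\
# password stack (constructed)
password requisite pam_cracklib.so retry=3 minlen=8 difok=3
password [success=1 default=ignore] /lib/security/pam_cracklib.so minlen=12 reject_username
# password requisite pam_cracklib.so minlen=6
password sufficient pam_unix.so use_authtok sha512
"""

if __name__ == "__main__":
    new_text, findings = migrate(SAMPLE)
    print(new_text, end="")
    for number, review in findings:
        print(f"line {number}: review {review or 'nothing'}")
```

An active line that still names `pam_cracklib.so` after the package is gone leaves the password stack referring to a missing module, so running such a check before the upgrade shows which service files need attention.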