Bug 46131 - Passwords based on a dictionary word are not detected anymore in UCS 4.3
Status: CLOSED WORKSFORME
Product: UCS
Classification: Unclassified
Component: UMC - Change password
UCS 4.3
Other Linux
: P5 normal
: UCS 4.3
Assigned To: Arvid Requate
Stefan Gohmann
: interim-2
Reported: 2018-01-24 12:56 CET by Florian Best
Modified: 2019-02-26 10:10 CET
Description Florian Best univentionstaff 2018-01-24 12:56:28 CET
UCS 4.2 prevented creating the password "chocolate" because it is based on a dictionary word, if the password complexity check was enabled. This check no longer works in UCS 4.3.

The test case 60_umc/105_change_expired_password_fail_reason fails in Samba 4 and Samba 3 environments.

Reproduce:
cn=default-settings,cn=pwhistory,cn=users,cn=policies,%s
→ 'univentionPWQualityCheck'=True

ucr set ['password/quality/credit/lower=1', 'password/quality/credit/upper=1', 'password/quality/credit/other=1', 'password/quality/credit/digits=1']
Comment 1 Florian Best univentionstaff 2018-01-24 17:28:47 CET
Probably pam_cracklib is the cause.
Comment 2 Jannik Ahlers univentionstaff 2018-01-30 16:15:13 CET
Even though the most recent Jenkins test failed, I was not able to reproduce the problem manually.
Comment 3 Arvid Requate univentionstaff 2018-02-12 20:02:24 CET
I agree with Jannik:

root@master10:~# ucr set \
  password/quality/credit/lower=1 \
  password/quality/credit/upper=1 \
  password/quality/credit/other=1 \
  password/quality/credit/digits=1
Create password/quality/credit/lower
Create password/quality/credit/upper
Create password/quality/credit/other
Create password/quality/credit/digits

root@master10:~# eval "$(ucr shell)"
root@master10:~# udm policies/pwhistory modify \
  --dn "cn=default-settings,cn=pwhistory,cn=users,cn=policies,$ldap_base" \
  --set pwQualityCheck=TRUE

root@master10:~# udm users/user create --set username=user1 \
                                --set lastname=name1 --set password=chocolate
Password policy error: Es basiert auf einem Wörterbucheintrag

root@master10:~# ucr search --brief version/.*
repository/mirror/version/end: <empty>
repository/mirror/version/start: <empty>
version/erratalevel: 0
version/patchlevel: 0
version/releasename: Neustadt
version/version: 4.3
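
A regression check built from the commands in comment 3, added here as an example; it is not part of the bug report or of Univention's test suite. It reports whether a password such as "chocolate" is refused as dictionary-based. The function name, the UDM override, the return codes and the cn=users location of new users are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report): regression check for the
# dictionary-word rejection shown in comment 3.
# Assumes the policy and UCR settings from that comment are already applied
# and that ldap_base is set, e.g. via: eval "$(ucr shell)"

# Command used to call UDM; overridable so the check can run against a stub.
UDM="${UDM:-udm}"

# check_dictionary_rejection USER PASSWORD
# Returns 0 if creation is refused as dictionary-based,
#         1 if the user is created (the check is not enforced),
#         2 on any other outcome (different policy reason, other error).
check_dictionary_rejection() {
    cdr_user="$1"
    cdr_pass="$2"
    cdr_rc=0
    cdr_out=$("$UDM" users/user create --set username="$cdr_user" \
        --set lastname="$cdr_user" --set password="$cdr_pass" 2>&1) || cdr_rc=$?

    case "$cdr_out" in
        # The reason text is localized: comment 3 shows the German wording.
        # Only its ASCII tail is matched to stay independent of the encoding.
        *"Password policy error"*rterbucheintrag*) return 0 ;;
        # Assumption: English wording as used in the bug title.
        *"Password policy error"*"dictionary word"*) return 0 ;;
    esac

    if [ "$cdr_rc" -eq 0 ]; then
        # The weak password was accepted: remove the test user again.
        # Assumption: new users are created below cn=users,$ldap_base.
        "$UDM" users/user remove \
            --dn "uid=$cdr_user,cn=users,${ldap_base:-}" >/dev/null 2>&1 || true
        return 1
    fi
    return 2
}

# Usage on a UCS system:
#   check_dictionary_rejection user1 chocolate && echo "dictionary check enforced"
```

Matching on the reason text rather than only on "Password policy error" keeps a rejection for another policy reason from being counted as a working dictionary check.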
Comment 6 Stefan Gohmann univentionstaff 2018-02-27 10:40:08 CET
Ok, works
Comment 7 Stefan Gohmann univentionstaff 2018-03-14 14:38:16 CET
UCS 4.3 has been released:
 https://docs.software-univention.de/release-notes-4.3-0-en.html
 https://docs.software-univention.de/release-notes-4.3-0-de.html

If this error occurs again, please use "Clone This Bug".
Comment 8 Florian Best univentionstaff 2019-02-26 10:10:25 CET
This was not solved correctly; therefore we now have Bug #48684.