Bug 49039 - Password is not complex enough although password policies are set to no-complexity
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UMC - Change password
Version: UCS 4.3
Hardware/OS: Other Linux
Importance: P5 normal (vote)
Target Milestone: UCS 4.3-3-errata
Assigned To: Florian Best
QA Contact: Dirk Wiesenthal
Depends on: 48684
Blocks: 49346 49239
Reported: 2019-03-19 15:32 CET by Nico Stöckigt
Modified: 2019-04-25 11:02 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.286
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2019031421000493
Bug group (optional): API change, Security
Max CVSS v3 score:
Description Nico Stöckigt univentionstaff 2019-03-19 15:32:50 CET
In the given UCS@school environment all pwd policies are configured to

  pwLength: 8
  pwQualityCheck: FALSE

  Password complexity: off
  Minimum password length: 8

but when changing the password (in this case via SelfService) the new password is rejected due to lack of complexity.

In the related ticket a test environment is provided for further analysis.
Comment 1 Nico Stöckigt univentionstaff 2019-03-19 15:34:56 CET
Reinstalling a previous version is the only workaround yet known.
Comment 2 Florian Best univentionstaff 2019-03-19 15:46:07 CET
In the erratum I basically only restored the behavior of UCS 4.2, AFAICS.

If we want to support non-complex passwords via UMC we should remove pam_cracklib completely from the UMC pam configuration.
I think pam_krb5 calls some cracklib code in non-samba and samba environments, which evaluates our policies.
pam_unix then doesn't have pam_cracklib enabled anymore.
Comment 3 Florian Best univentionstaff 2019-04-05 13:00:17 CEST
pam_cracklib has been removed from the UMC pam configuration for password changes.
Therefore, with pam_unix no password checks are performed anymore, and for pam_krb5 password policies must be configured.

univention-management-console.yaml
7271eadff981 | YAML Bug #49039

univention-management-console (10.0.6-23)
32b40a92f05f | Bug #49039: remove pam_cracklib from univention-management-console pam
Comment 4 Florian Best univentionstaff 2019-04-09 09:43:52 CEST
Removing pam_cracklib is not possible as our pam stack depends on it, otherwise all error messages are broken.
Therefore I just restored the behavior prior to Bug #48684.

univention-management-console (10.0.6-24)
0f0fb2bc6fd9 | Bug #49039: restore original pam_cracklib behavior (reverts Bug #48684).
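As an added illustration of the PAM password stack discussed in comments 2 to 4 (this is a generic Linux-PAM example written for this page, not the univention-management-console package's own pam configuration): pam_cracklib is the module that prompts for the new password and applies its own quality checks, and pam_unix consumes the token pam_cracklib collected. The file name and option values are assumed; the module names and options are standard Linux-PAM.

```conf
# /etc/pam.d/example-password-change  (hypothetical file, not a UCS file)
#
# pam_cracklib prompts for the new password, runs its built-in checks
# (minimum length, dictionary lookup, palindrome/similarity checks; with
# the default credit settings no character classes are required) and hands
# the accepted token on to the modules that follow.
password  requisite                     pam_cracklib.so retry=3 minlen=8

# pam_unix writes the new hash. "use_authtok" tells it to reuse the token
# supplied by the preceding module instead of prompting itself, so this
# line only works when a prompting module such as pam_cracklib precedes it.
# Deleting the pam_cracklib line without dropping "use_authtok" leaves
# pam_unix with no password to set, which is one way a stack can "depend"
# on pam_cracklib as comment 4 describes.
password  [success=1 default=ignore]    pam_unix.so obscure use_authtok sha512

# Fallback / terminator of the stack.
password  required                      pam_deny.so
```

Two points worth checking when a directory-side policy says "complexity: off" but UMC still rejects passwords: the length and dictionary checks above are pam_cracklib's own and are applied regardless of what the LDAP policy (pwLength, pwQualityCheck) says, and any module after it that carries use_authtok will silently break if pam_cracklib is removed from the stack rather than reconfigured.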
Comment 5 Dirk Wiesenthal univentionstaff 2019-04-10 11:05:51 CEST
OK, works.
Comment 6 Erik Damrose univentionstaff 2019-04-10 14:35:30 CEST
<http://errata.software-univention.de/ucs/4.3/475.html>