Bug 52057 - UMC PAM stack always uses pam_cracklib, even if password/quality/mspolicy = 'sufficient'
Status: NEW
Product: UCS
Classification: Unclassified
Component: UMC - Change password
UCS 4.4
Other Linux
Importance: P5 normal
Assigned To: UMC maintainers
Depends on: 51994
Reported: 2020-09-18 12:06 CEST by Arvid Requate
Modified: 2023-04-20 17:19 CEST (History)

What kind of report is it?: Development Internal
Bug group (optional): bitesize
requate: Patch_Available+


Attachments
Suggested patch (1.22 KB, patch)
2020-09-18 12:07 CEST, Arvid Requate

Description Arvid Requate univentionstaff 2020-09-18 12:06:08 CEST
The UMC PAM stack contains pam_cracklib using the plain defaults (without any consideration of the password/quality/* UCR configuration).

Bug #51994 introduces the possibility to select MS standard password complexity criteria for password changes. If the UCR variable password/quality/mspolicy is set to 'sufficient', the cracklib tests should be skipped. If they are not skipped, then passwords like "Aa12y2", which may conform to the MS complexity criteria, will be rejected by pam_cracklib.

My attempt to classify the pam_cracklib call as 'optional' didn't help and removing the pam_cracklib call in the template (if password/quality/mspolicy == sufficient) results in "Errorcode 20", because the following call to pam_unix is done with "use_first_pass", which seems to create a memory management issue.

Since this is a corner case the use/risk seemed too high to do a larger change to the UMC PAM stack, but strictly speaking this is not correct for corner cases.
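To illustrate the stacking dependency the description points at, here is a generic Linux-PAM `password` stack, added as an example: it is neither the attached patch nor the actual UMC template, whose module arguments are not shown on this page, and the module options are assumed for illustration. With `use_authtok`, `pam_unix` takes the new password from a previously stacked password module, so removing `pam_cracklib` from the stack also means removing the options that tell `pam_unix` to reuse a token from an earlier module:

```conf
# Constructed example following the stacking pattern documented in pam_cracklib(8):
# pam_cracklib prompts for and checks the new password, then leaves it in the
# PAM authtok; pam_unix consumes that token because of use_authtok.
password  requisite  pam_cracklib.so retry=3 minlen=8 difok=3
password  required   pam_unix.so use_authtok sha512 shadow

# Variant without pam_cracklib (the mspolicy = 'sufficient' case): no earlier
# module sets the authtok, so pam_unix must prompt for and verify the new
# password itself. Keeping use_authtok here leaves pam_unix with no token
# to use, which is the failure mode the description observes.
password  required   pam_unix.so sha512 shadow
```

The `requisite` control on `pam_cracklib` makes a rejected password stop the stack immediately, so `pam_unix` never writes a password that failed the quality check.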
Comment 1 Arvid Requate univentionstaff 2020-09-18 12:07:19 CEST
Created attachment 10497
Suggested patch
Comment 2 Philipp Hahn univentionstaff 2020-09-20 10:22:16 CEST
The use of `use_authtok` on "pam_unix.so" looks wrong.
Also see Bug #30036 for more PAM issues.