Bug 24840 - cracklib only checks the "american-english" word list
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Password changes
Version: UCS 4.1
Hardware: Other Linux
Importance: P5 critical
Target Milestone: UCS 4.1-0-errata
Assigned To: Daniel Tröder
QA Contact: Felix Botner
Reported: 2011-11-23 15:27 CET by Felix Botner
Modified: 2015-12-09 16:45 CET (History)
Description Felix Botner univentionstaff 2011-11-23 15:27:18 CET
Since only the american-english word list is installed on a minimal system, cracklib cannot check, for example, German words; "passwort" is accepted as a password.

In doing so, cracklib uses the list from "/var/cache/cracklib/", which is updated automatically when a word list package is installed. It would probably be a good idea to always ship the dictionaries-common package. It contains the word lists for all kinds of languages.
Comment 1 Tim Petersen univentionstaff 2014-10-01 09:38:08 CEST
Reported via #2014100121000155

It was sufficient on my test system to install "wngerman" - this installs /usr/share/dict/ngerman, which was automatically appended to /var/cache/cracklib/src-dicts.
Comment 2 Michel Smidt 2015-11-11 17:23:22 CET
Request from customer: #2015110921000422

I would really recommend shipping at least an additional German dict.
Otherwise e.g. eichhörnchen is a "quality" password.
Comment 3 Michel Smidt 2015-11-12 10:47:20 CET
I also guess no admin knows about it. That could probably be the reason why it would rarely be noted.
Comment 4 Daniel Tröder univentionstaff 2015-11-24 14:27:55 CET
* DVD task list modified: r65861
* add dependency on German wordlist to univention-pam: r65871
* YAML (r65874): 2015-11-24-univention-pam.yaml, no YAML for univention-dvd (right?)

* univention-pam 9.0.0-2 built to errata4.1-0
* univention-dvd 1.0.0-17 built to errata4.1-0
* igerman98 (for binary package wngerman) and dictionaries-common built to errata4.1-0

---
I did rebuild the DVD, but the new univention-pam package was not used.
* dtroeder@omar:~$ build-cd-ucs4.1-0 --keep-installer
# ls -lh /var/univention/buildsystem2/isotests/*20151124-123658*
---

After updating univention-pam, cracklib's password index has grown from 91821 words to 424042 words:
# grep german /var/cache/cracklib/src-dicts
# file /var/cache/cracklib/cracklib_dict.pwi


BTW: cracklib is currently not used when setting/changing passwords. But if it were, it'd now also check for German words.
Comment 5 Daniel Tröder univentionstaff 2015-11-24 14:30:30 CET
PS: I did NOT run (info from http://bygga.knut.univention.de/blog/?p=3802):
* repo-apt-dependencies ...
* announce ...
as my guess is that it's part of the announce job after the QA. Is that right?
Comment 6 Philipp Hahn univentionstaff 2015-12-02 13:10:49 CET
r66061 | Bug #24840: univention-pam
 Rename to strip date.
 Fix spelling

r66060 | Bug #24840: Force wngerman to maintained
 Add to ucs_4.1-0.txt trigger list to force package to maintained.

RELEASE=4.1-0
SCOPE=errata${RELEASE} # ''
ARCH=amd64 # i386
repo-apt-dependencies \
--release ${RELEASE} --arch ${ARCH} \
--dist /var/univention/buildsystem2/apt/ucs_${RELEASE}${SCOPE:+-$SCOPE} \
--contents /var/univention/buildsystem2/cd-contents/ucs_${RELEASE}_${ARCH}_dvd.txt \
--input ${HOME}/src/triggers/ucs_${RELEASE}.txt \
--binary /var/univention/buildsystem2/cd-contents/ucs_${RELEASE}_${ARCH}.bin \
--source /var/univention/buildsystem2/cd-contents/ucs_${RELEASE}_${ARCH}.src \
--closure /var/univention/buildsystem2/cd-contents/ucs_${RELEASE}_${ARCH}.maintained
Comment 7 Felix Botner univentionstaff 2015-12-07 16:27:18 CET
OK - maintained list

more /var/univention/buildsystem2/cd-contents/ucs_4.1-0_i386.maintained | grep wnger
wngerman

OK - installation/update

apt-cache policy wngerman
wngerman:
  Installiert:           20120607-1.21.201511241411
  Installationskandidat: 20120607-1.21.201511241411
  Versionstabelle:
 *** 20120607-1.21.201511241411 0
        500 http://updates-test.software-univention.de/4.1/maintained/component/ 4.1-0-errata-test/all/ Packages

OK - password change (denied for passwords such as passwort or eichhörnchen)

OK - univention-pam.yaml
Comment 8 Janek Walkenhorst univentionstaff 2015-12-09 16:39:28 CET
Advisory: igerman98.yaml
Comment 9 Erik Damrose univentionstaff 2015-12-09 16:40:09 CET
(In reply to Janek Walkenhorst from comment #8)
> Advisory: igerman98.yaml

-> YAML ok, Verified
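
The following is an added example, not part of the bug report or of Univention's code: a way to see which of the wordlists named in a cracklib src-dicts file would catch a candidate password such as "passwort" or "eichhörnchen". The helper names (word_sources, make_demo, audit), the one-path-per-line layout of src-dicts and the sample wordlists are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example. Assumption: src-dicts lists one wordlist path per line.
# Exact-match lookup only; cracklib itself also tests variations of each word.

# word_sources SRC_DICTS WORD
# Prints every listed wordlist containing WORD (whole line, ASCII case folded).
# Returns 0 if any list contains it, 1 if none does, 2 if SRC_DICTS is unreadable.
word_sources() {
    src=$1
    word=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ -r "$src" ] || return 2
    found=1
    while IFS= read -r dict || [ -n "$dict" ]; do
        # Skip blank lines and wordlists that no longer exist on disk.
        [ -n "$dict" ] && [ -r "$dict" ] || continue
        if tr 'A-Z' 'a-z' < "$dict" | grep -xF -- "$word" > /dev/null; then
            printf '%s\n' "$dict"
            found=0
        fi
    done < "$src"
    return "$found"
}

# make_demo DIR: constructed sample data standing in for /usr/share/dict and
# for src-dicts before and after the German wordlist is installed.
make_demo() {
    printf '%s\n' password squirrel > "$1/american-english"
    printf '%s\n' Passwort Eichhörnchen > "$1/ngerman"
    printf '%s\n' "$1/american-english" > "$1/src-dicts.before"
    printf '%s\n' "$1/american-english" "$1/ngerman" > "$1/src-dicts.after"
}

# audit SRC_DICTS WORD...: one line per candidate password.
audit() {
    list=$1; shift
    for w in "$@"; do
        if hits=$(word_sources "$list" "$w"); then
            printf '%s: in %s\n' "$w" "$(printf '%s' "$hits" | tr '\n' ' ')"
        else
            printf '%s: NOT in any indexed wordlist\n' "$w"
        fi
    done
}

demo=$(mktemp -d)
make_demo "$demo"
echo "minimal system:"; audit "$demo/src-dicts.before" passwort eichhörnchen
echo "with wngerman:";  audit "$demo/src-dicts.after" passwort eichhörnchen
rm -rf "$demo"
```

On a real host, point word_sources at /var/cache/cracklib/src-dicts; a word that no listed wordlist contains is one cracklib cannot reject as a dictionary word.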