Univention Bugzilla – Bug 24840
cracklib prüft nur die Wortliste "american-english"
Last modified: 2015-12-09 16:45:31 CET
Da auf einem minimal System nur die american-english Wortliste installiert wird, kann die cracklib keine z.B. deutschen Wörter prüfen, "passwort" als Passwort wird zugelassen. Die cracklib verwendete dabei die Liste aus "/var/cache/cracklib/", die bei der Installation eine Wortlisten Paket automatisch aktualisiert werden. Vermutlich ist es günstig das Paket dictionaries-common immer mitzubringen. Darin sind dann die Wortlisten für alle möglichen Sprachen.
Reported via #2014100121000155 It was sufficient at my test system to install "wngerman" - this installs /usr/share/dict/ngerman which was automatically appended in /var/cache/cracklib/src-dicts.
Request from customer: #2015110921000422 I really would recommend to ship at least an additional german dict. Otherwise e.g. eichhörnchen is a "quality" password.
I also guess no admin knows about it. That could probably the reason why it would rarely be noted.
* DVD task list modified: r65861 * add dependency on german wordlist to univention-pam: r65871 * YAML (r65874): 2015-11-24-univention-pam.yaml, no YAML for univention-dvd (right?) * univention-pam 9.0.0-2 built to errata4.1-0 * univention-dvd 1.0.0-17 built to errata4.1-0 * igerman98 (for binary package wngerman) and dictionaries-common built to errata4.1-0 --- I did rebuild the DVD, but the new univention-pam package was not used. * dtroeder@omar:~$ build-cd-ucs4.1-0 --keep-installer # ls -lh /var/univention/buildsystem2/isotests/*20151124-123658* --- After updating univention-pam cracklibs password index has grown from 91821 words to 424042 words: # grep german /var/cache/cracklib/src-dicts # file /var/cache/cracklib/cracklib_dict.pwi BTW: cracklib is currently not used when settings/changing passwords. But if it were, it'd now also check for germen words.
PS: I did NOT run (info from http://bygga.knut.univention.de/blog/?p=3802): * repo-apt-dependencies ... * announce ... as my guess is, that it's part of the announce job after the QA. Is that right?
r66061 | Bug #24840: univention-pam Rename to strip date. Fix spelling r66060 | Bug #24840: Force wngerman to maintained Add to ucs_4.1-0.txt trigger list to force package to maintained. RELEASE=4.1-0 SCOPE=errata${RELEASE} # '' ARCH=amd64 # i386 repo-apt-dependencies \ --release ${RELEASE} --arch ${ARCH} \ --dist /var/univention/buildsystem2/apt/ucs_${RELEASE}${SCOPE:+-$SCOPE} \ --contents /var/univention/buildsystem2/cd-contents/ucs_${RELEASE}_${ARCH}_dvd.txt \ --input ${HOME}/src/triggers/ucs_${RELEASE}.txt \ --binary /var/univention/buildsystem2/cd-contents/ucs_${RELEASE}_${ARCH}.bin \ --source /var/univention/buildsystem2/cd-contents/ucs_${RELEASE}_${ARCH}.src \ --closure /var/univention/buildsystem2/cd-contents/ucs_${RELEASE}_${ARCH}.maintained
OK - maintained list more /var/univention/buildsystem2/cd-contents/ucs_4.1-0_i386.maintained | grep wnger wngerman OK - installation/update apt-cache policy wngerman wngerman: Installiert: 20120607-1.21.201511241411 Installationskandidat: 20120607-1.21.201511241411 Versionstabelle: *** 20120607-1.21.201511241411 0 500 http://updates-test.software-univention.de/4.1/maintained/component/ 4.1-0-errata-test/all/ Packages OK - password change (denied for passwords such as passwort or eichhörnchen) OK - univention-pam.yaml
Advisory: igerman98.yaml
(In reply to Janek Walkenhorst from comment #8) > Advisory: igerman98.yaml -> YAML ok, Verified
<http://errata.software-univention.de/ucs/4.1/23.html> <http://errata.software-univention.de/ucs/4.1/28.html>