[Bug 535617] New: settings in local security/password are not applied
http://bugzilla.novell.com/show_bug.cgi?id=535617

Summary: settings in local security/password are not applied
Classification: openSUSE
Product: openSUSE 11.2
Version: Milestone 6
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: YaST2
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: urwald@gmx-topmail.de
QAContact: jsrain@novell.com
Found By: ---

User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; es-ES; rv:1.9.1.2) Gecko/20090730 SUSE/3.5.2-2.4 Firefox/3.5.2

Go to yast/security/local security/password settings

There, you can change the required minimum length of passwords. However, this option is not applied. When you set the min length to 3 and then change the password on the console with the passwd command to abcd, which has 4 letters, then the change is refused. The same happens when you set the min length to 0. Also, when you disable testing in YaST completely, this is not applied.

Reproducible: Always

--
Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
shuang qiu
User urwald@gmx-topmail.de added comment
http://bugzilla.novell.com/show_bug.cgi?id=535617#c1
--- Comment #1 from Tim Fechtner
User jsuchome@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=535617#c2
Jiří Suchomel
User urwald@gmx-topmail.de added comment
http://bugzilla.novell.com/show_bug.cgi?id=535617#c3
Tim Fechtner
User jsuchome@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=535617#c4
Jiří Suchomel
Hm, actually I've set the min length through YaST to 4, and the result is:
password: minlen=4
However, when I enter a password with 5 letters, I get an error that the password is too short:
Michael, can you comment on this?
Furthermore, after boot, by default the checkbox "check new passwords" is disabled in YaST (what would be quite bad when it would have any effect - but it hasn't any effect, passwords are checked nevertheless).
If "check new passwords" is checked, it means that additional cracklib tests will be used, not that there won't be checks at all. I hope you mean the first boot, not that the setting is changed back to default after next boot...
Furthermore, there seems to be no possibility to disable simplicity check (as at least the checkbox "check new passwords" hasn't any effect, and an extra checkbox is no longer available).
Hm, true, this is a bug in YaST. Workaround is: first change the minimum length to 5, then uncheck the checkbox....
User mc@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=535617#c5
Michael Calmer
(In reply to comment #3)
Hm, actually I've set the min length through YaST to 4, and the result is:
password: minlen=4
However, when I enter a password with 5 letters, I get an error that the password is too short:
Michael, can you comment on this?
After looking into the code I found out that the absolute minimal length of a password is "5". All numbers entered below 5 will be set to 5.

    # define CO_MIN_LENGTH_BASE 5

    opt->min_length = strtol(*argv+7,&ep,10);
    if (!ep || (opt->min_length < CO_MIN_LENGTH_BASE))
        opt->min_length = CO_MIN_LENGTH_BASE;

Maybe the yast module should allow only numbers >= 5 here.
User jsuchome@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=535617#c6
Jiří Suchomel
(In reply to comment #4)
(In reply to comment #3)
Hm, actually I've set the min length through YaST to 4, and the result is:
password: minlen=4
However, when I enter a password with 5 letters, I get an error that the password is too short:
Michael, can you comment on this?
After looking into the code I found out that the absolute minimal length of a password is "5". All numbers entered below 5 will be set to 5.

    # define CO_MIN_LENGTH_BASE 5

    opt->min_length = strtol(*argv+7,&ep,10);
    if (!ep || (opt->min_length < CO_MIN_LENGTH_BASE))
        opt->min_length = CO_MIN_LENGTH_BASE;

Maybe the yast module should allow only numbers >= 5 here.
Well, that would be possible, but isn't the code above actually a bug? Why couldn't the user set the length to a lower value? Anyway, users don't have to use YaST:

    # pam-config -a --cracklib
    # pam-config -a --cracklib-minlen=3
    # pam-config -q --cracklib
    password: minlen=3
User urwald@gmx-topmail.de added comment
http://bugzilla.novell.com/show_bug.cgi?id=535617#c7
--- Comment #7 from Tim Fechtner
If "check new passwords" is checked, it means that additional cracklib tests will be used, not that there won't be checks at all.
If this is the case, the UI is buggy: When I disable the checkbox "check new passwords", then the spinbox for "minimal password length" and the corresponding label get disabled. This behaviour gives the user to understand that any check of password length is disabled now!
User urwald@gmx-topmail.de added comment
http://bugzilla.novell.com/show_bug.cgi?id=535617#c8
--- Comment #8 from Tim Fechtner
I hope you mean the first boot, not that the setting is changed back to default after next boot...
Yes, I mean the first boot. The setting is NOT changed to default after the next boot.
User urwald@gmx-topmail.de added comment
http://bugzilla.novell.com/show_bug.cgi?id=535617#c9
--- Comment #9 from Tim Fechtner
Hm, true, this is a bug in YaST. Workaround is: first change the minimum length to 5, then uncheck the checkbox....
Hm, so UI (see comment #7) could be correct, but because of a bug the disabling of all checks works only if min length was set to 5 before.
User urwald@gmx-topmail.de added comment
http://bugzilla.novell.com/show_bug.cgi?id=535617#c10
--- Comment #10 from Tim Fechtner
After looking into the code I found out that the absolute minimal length of a password is "5". All numbers entered below 5 will be set to 5.

    # define CO_MIN_LENGTH_BASE 5

    opt->min_length = strtol(*argv+7,&ep,10);
    if (!ep || (opt->min_length < CO_MIN_LENGTH_BASE))
        opt->min_length = CO_MIN_LENGTH_BASE;

Maybe the yast module should allow only numbers >= 5 here.
No, I would say that this is a bug. YaST has allowed (in openSUSE 11.1 and before) to set the password length to smaller values than 5 (including 0!) and disabled the password check. I use this feature quite often to be able to create users with an empty password.
User mc@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=535617#c11
--- Comment #11 from Michael Calmer
User jsuchome@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=535617#c12
--- Comment #12 from Jiří Suchomel
Jiri: does yast support disabling of pam_cracklib?
Yes and no, there's a bug in it, see last part of comment 4, which is about disabling cracklib.
User urwald@gmx-topmail.de added comment
http://bugzilla.novell.com/show_bug.cgi?id=535617#c13
--- Comment #13 from Tim Fechtner
It makes sense to check this also in pam-config.
3.) Enabling/disabling of password checks is buggy: It has an incorrect state after the installation and changes apply only if length was set to 5 before.
4.) As described in comment #3 it is also not possible to use a password of the length of 5 characters (even if max_length is set to 5 in YaST before). Maybe the pam_cracklib requires even 6 letters? In this case, issue 1 should require at least 6 letters. If not -> is this another issue?
Should we split this bug into various?
User mc@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=535617#c14
Michael Calmer
User urwald@gmx-topmail.de added comment
http://bugzilla.novell.com/show_bug.cgi?id=535617#c15
--- Comment #15 from Tim Fechtner
Yes, please open one for me for "2."
Done. Bug 539053 has been opened and assigned to you.
About 4.) It looks like a max_length does not exist in cracklib.
Sorry, my error. Should read min_length. (Yes, that's really what I mean: Also when the min_length is set to "5", I am not able to set a password with 5 letters through the "passwd" command. It complains that the password is too short. With 6 letters, it works.)
http://bugzilla.novell.com/show_bug.cgi?id=539053
User urwald@gmx-topmail.de added comment
http://bugzilla.novell.com/show_bug.cgi?id=535617#c16
--- Comment #16 from Tim Fechtner
User mc@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=535617#c17
Michael Calmer
So there stay the following issues:
1.) The spinbox in YaST allows min_length=0. But the spinbox should not allow numbers < 5 (simple UI issue)
Well, maybe we should not change this now. See comments below.
3.) As described in comment #3 it is also not possible to set a password of the length of 5 characters with the "passwd" command (even if min_length is set to 5 in YaST before). Maybe the pam_cracklib requires even 6 letters? In this case, issue 1 (and bug 539053) should require at least 6 letters. If not -> is this another issue?
I had a deep look into the code. The following happens: pam_cracklib calls first cracklib library FascistCheck() to compare the new password against a dictionary. This function has a hard coded MINLEN of "6". Only if this function is passed, it calls its own strength checks where the "minlen" option comes into play. I think I will discuss this with Thorsten and maybe we decide to do some code changes in pam_cracklib. The problem is only, that we both are involved in other important projects now. Jiri: If you want to change "1.", then please check for numbers >= 6. Or wait some weeks. Maybe we can provide other options.
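The clamping quoted earlier in the thread and the FascistCheck() length gate described in the comment above, combined into one added example (not code from pam_cracklib, cracklib or YaST). It models only the two length gates and ignores the dictionary lookup and the module's other strength checks; `parse_minlen`, `check_length`, `effective_minlen` and `DICT_STAGE_MINLEN` are hypothetical names, and the sample inputs are constructed from the cases reported here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CO_MIN_LENGTH_BASE 5   /* floor quoted from pam_cracklib in this thread */
#define DICT_STAGE_MINLEN  6   /* hard-coded MINLEN the thread reports for FascistCheck() */

enum verdict { ACCEPTED, REJECTED_BY_DICT_STAGE, REJECTED_BY_MINLEN };

/* Parse a "minlen=N" module argument and clamp it like the quoted snippet. */
static long parse_minlen(const char *arg)
{
    char *ep = NULL;
    long n;

    if (strncmp(arg, "minlen=", 7) != 0)
        return CO_MIN_LENGTH_BASE;          /* not our option: fall back to the floor */
    n = strtol(arg + 7, &ep, 10);
    if (ep == arg + 7 || n < CO_MIN_LENGTH_BASE)
        n = CO_MIN_LENGTH_BASE;             /* 0, 3 and 4 all become 5 */
    return n;
}

/* Length-only model of the two stages, run in the order the thread describes. */
static enum verdict check_length(const char *minlen_arg, const char *password)
{
    size_t len = strlen(password);

    if (len < DICT_STAGE_MINLEN)            /* stage 1 never looks at minlen */
        return REJECTED_BY_DICT_STAGE;
    if (len < (size_t)parse_minlen(minlen_arg))
        return REJECTED_BY_MINLEN;          /* stage 2: the module's own check */
    return ACCEPTED;
}

/* Shortest length that passes both stages for a given argument. */
static long effective_minlen(const char *minlen_arg)
{
    long n = parse_minlen(minlen_arg);
    return n > DICT_STAGE_MINLEN ? n : DICT_STAGE_MINLEN;
}

int main(void)
{
    static const char *names[] = { "accepted", "rejected (dictionary stage)", "rejected (minlen)" };
    /* Constructed sample inputs mirroring the cases reported in the thread. */
    static const char *cases[][2] = {
        { "minlen=3", "abcd" }, { "minlen=4", "abcde" }, { "minlen=5", "abcde" },
        { "minlen=5", "abcdef" }, { "minlen=8", "abcdefg" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-9s %-8s -> %s (effective minimum %ld)\n", cases[i][0], cases[i][1],
               names[check_length(cases[i][0], cases[i][1])], effective_minlen(cases[i][0]));
    return 0;
}
```

Under this model any configured value of 6 or less behaves like 6, which matches the reports above that a 5-letter password is refused with min length 4 or 5 while 6 letters work.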
User jsuchome@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=535617#c18
Jiří Suchomel
Jiri: If you want to change "1.", then please check for numbers >= 6. Or wait some weeks. Maybe we can provide other options.
I'll wait with any changes in YaST until this is clarified.
User kukuk@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=535617#c19
--- Comment #19 from Thorsten Kukuk
User jsuchome@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=535617#c20
--- Comment #20 from Jiří Suchomel
User jsuchome@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=535617#c21
Jiří Suchomel
I think pam_cracklib needs to be fixed, need to discuss that upstream. The check doesn't make sense for me.
Please, tell me when pam_cracklib is fixed and when I should adapt YaST
User kukuk@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=535617#c22
Thorsten Kukuk
User coolo@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=535617#c24
Stephan Kulow
User urwald@gmx-topmail.de added comment
http://bugzilla.novell.com/show_bug.cgi?id=535617#c25
--- Comment #25 from Tim Fechtner
After reading all the documentation, we should remove the min length option from YaST2.
Hm, I think that it is a valid use case that a user wants to have shorter (or even empty) passwords. And YaST2 should continue to support that (if YaST2 doesn't support it, the thing is quite complicated)! At least I need accounts without passwords.
I guess this never worked
It worked always - until openSUSE 11.2.
and about no one noticed.
Well, _I_ have noticed... ;-)
User kukuk@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=535617#c26
--- Comment #26 from Thorsten Kukuk
After reading all the documentation, we should remove the min length option from YaST2. Hm, I think that it is a valid use case that a user wants to have shorter (or even empty) passwords.
Correct. But in that case, you don't want to use pam_cracklib.
User urwald@gmx-topmail.de added comment
http://bugzilla.novell.com/show_bug.cgi?id=535617#c27
--- Comment #27 from Tim Fechtner
Correct. But in that case, you don't want to use pam_cracklib.
That means that it will (still) be possible to deactivate the whole password checking (pam_cracklib)? That would be fine! (Another question is if users want to _raise_ the length of password to a higher level. However, personally, I've never done this...)
Jiří Suchomel
http://bugzilla.novell.com/show_bug.cgi?id=535617#c28
--- Comment #28 from Michael Calmer
http://bugzilla.novell.com/show_bug.cgi?id=535617#c31
--- Comment #31 from Jiří Suchomel
http://bugzilla.novell.com/show_bug.cgi?id=535617#c32
--- Comment #32 from Thorsten Kukuk
I vote for user manual, then there are man pages...
????? Michael Calmer wrote that the text is from the manual page, he referred even to it. The question was, if we let the min length option in YaST2, if we can add this text to the help page of the YaST2 module, so that customers know for what the option is good and how it works.
http://bugzilla.novell.com/show_bug.cgi?id=535617#c33
Jiří Suchomel
(In reply to comment #31)
I vote for user manual, then there are man pages...
?????
Michael Calmer wrote that the text is from the manual page, he referred even to it.
I mean, let's describe the behavior in user's manual, and for the expert options, we have manual pages. What's the problem?
The question was, if we let the min length option in YaST2, if we can add this text to the help page of the YaST2 module, so that customers know for what the option is good and how it works.
If we exclude setting such option from YaST, I see no point in mentioning it in YaST help text. If we should include anything of current support in YaST, then please specify what. But if it is close to option 3 from Michael's comment 28, please create a feature request for it.
http://bugzilla.novell.com/show_bug.cgi?id=535617#c34
Thorsten Kukuk
http://bugzilla.novell.com/show_bug.cgi?id=535617#c35
--- Comment #35 from Jiří Suchomel
http://bugzilla.novell.com/show_bug.cgi?id=535617#c
shuang qiu
http://bugzilla.novell.com/show_bug.cgi?id=535617#c36
Jiří Suchomel
http://bugzilla.novell.com/show_bug.cgi?id=535617#c37
Michael Calmer
http://bugzilla.novell.com/show_bug.cgi?id=535617#c38
Jiří Suchomel
http://bugzilla.novell.com/show_bug.cgi?id=535617#c39
--- Comment #39 from Tim Fechtner
http://bugzilla.novell.com/show_bug.cgi?id=535617#c40
--- Comment #40 from Jiří Suchomel
Referring to the original bug report:
- Is there now a working way to disable the password checking? (Password with 0 letters)
Michael?
- Is the minimum value of the spinbox for password length set to 5?
Yes, however I don't know if this is the correct value.
http://bugzilla.novell.com/show_bug.cgi?id=535617#c41
--- Comment #41 from Michael Calmer