Bug 535617

Same in M7

Please call this in console:

pam-config -q --cracklib

What does it say?

Hm, actually I've set the min length through YaST to 4, and the result is:

password: minlen=4

However, when I enter a password with 5 letters, I get an error that the password is too short:

Changing password for <name>.
Contraseña anterior:
Nueva contraseña:
Vuelva a escribir la nueva contraseña:
CONTRASEÑA INCORRECTA: Es demasiado corta.
passwd: Error de manipulación del testigo de autenticación

Furthermore, after boot, by default the checkbox "check new passwords" is diabled in YaST (what would be quite bad when it would have any effect - but it hasn't any effect, passwords are checked nevertheless).

Furthermore, there seems to be no possibility to disable simplicity check (as at least the checkbox "check new passwords" hasn't any effect, and an extra checkbox is no longer available).

(In reply to comment #3)
> Hm, actually I've set the min length through YaST to 4, and the result is:
> 
> password: minlen=4
> 
> However, when I enter a password with 5 letters, I get an error that the
> password is too short:

Michael, can you comment this?


> Furthermore, after boot, by default the checkbox "check new passwords" is
> diabled in YaST (what would be quite bad when it would have any effect - but it
> hasn't any effect, passwords are checked nevertheless).

If "check new passwords" is checked, it means that additional cracklib tests will be used, not that there won't be checkes at all.

I hope you mean the first boot, not that the settings is changed back to deault after next boot...

> Furthermore, there seems to be no possibility to disable simplicity check (as
> at least the checkbox "check new passwords" hasn't any effect, and an extra
> checkbox is no longer available).

Hm, true, this is a bug in YaST. Workaround is: first change the minimum length to 5, than uncheck the checkbox....

(In reply to comment #4)
> (In reply to comment #3)
> > Hm, actually I've set the min length through YaST to 4, and the result is:
> > 
> > password: minlen=4
> > 
> > However, when I enter a password with 5 letters, I get an error that the
> > password is too short:
> 
> Michael, can you comment this?

After looking into the code I found out that the absolute minimal length of a password is "5". All numbers entered below 5 will be set to 5. 

# define CO_MIN_LENGTH_BASE 5
opt->min_length = strtol(*argv+7,&ep,10);
if (!ep || (opt->min_length < CO_MIN_LENGTH_BASE))
   opt->min_length = CO_MIN_LENGTH_BASE;

Maybe the yast module should allow only numbers >= 5 here.

(In reply to comment #5)
> (In reply to comment #4)
> > (In reply to comment #3)
> > > Hm, actually I've set the min length through YaST to 4, and the result is:
> > > 
> > > password: minlen=4
> > > 
> > > However, when I enter a password with 5 letters, I get an error that the
> > > password is too short:
> > 
> > Michael, can you comment this?
> 
> After looking into the code I found out that the absolute minimal length of a
> password is "5". All numbers entered below 5 will be set to 5. 
> 
> # define CO_MIN_LENGTH_BASE 5
> opt->min_length = strtol(*argv+7,&ep,10);
> if (!ep || (opt->min_length < CO_MIN_LENGTH_BASE))
>    opt->min_length = CO_MIN_LENGTH_BASE;
> 
> Maybe the yast module should allow only numbers >= 5 here.

Well, that would be possible, but isn't the code above actually a bug?

Why couldn't user set the length to lower value?

Anyway, user don't have to use YaST:

# pam-config -a --cracklib
# pam-config -a --cracklib-minlen=3
# pam-config -q --cracklib
password: minlen=3

(In reply to comment #4)
> If "check new passwords" is checked, it means that additional cracklib tests
> will be used, not that there won't be checkes at all.

If this is the case, the UI is buggy: When I disable the checkbox "check new passwords", than the spinbox for "minimal password length" and the corresponding label get disabled. This behaviour gives the user to understand, that any check of password lenght is disabled now!

(In reply to comment #4)
> I hope you mean the first boot, not that the settings is changed back to deault
> after next boot...
Yes, I mean the first boot. Changing is NOT changed to to default after next boot.

(In reply to comment #4)
> Hm, true, this is a bug in YaST. Workaround is: first change the minimum length
> to 5, than uncheck the checkbox....

Hm, so UI (see comment #7) could be correct, but because of a bug the disabling of all checks works only if min length was set to 5 before.

(In reply to comment #5)
> After looking into the code I found out that the absolute minimal length of a
> password is "5". All numbers entered below 5 will be set to 5. 
> 
> # define CO_MIN_LENGTH_BASE 5
> opt->min_length = strtol(*argv+7,&ep,10);
> if (!ep || (opt->min_length < CO_MIN_LENGTH_BASE))
>    opt->min_length = CO_MIN_LENGTH_BASE;
> 
> Maybe the yast module should allow only numbers >= 5 here.

No, I would say that this is a bug. YaST has allowed (in openSUSE 11.1 and befor) to set the password length to smaller values than 5 (including 0!) and disabled the password check.

I use this feature quite often to be able to create users with an empty password.

Things changing. In the past we use pam_pwcheck for these things. Now we use the official pam_cracklib. This module allows only a minimal length of a password of 5 characters. 

It makes sense to check this also in pam-config.

If you want passwords with less characters, you should think about disabling pam_cracklib and all password checks.

Jiri: does yast support disabling of pam_cracklib?

(In reply to comment #11)

 
> Jiri: does yast support disabling of pam_cracklib?

Yes and no, there's a bug in it, see last part of comment 4, which is about disabling cracklib.

So there are these issues:

1.)
The spinbox in YaST allows min_length=0. But the spinbox should not allow number < 5 (simple UI issue)

2.)
> It makes sense to check this also in pam-config.

3.)
Enabling/disabling of password checks is buggy: It has an incorrect state after the installation and changes apply only if length was set to 5 befor.

4.)
As described in comment #3 it is also not possible to use a password of the length of 5 characters (even if max_length is set to 5 in YaST before). Maybe the pam_cracklib requieres even 6 letters? In this case, issue 1 should requiere at least 6 letters. If not -> is this another issue?

Should we split this bug into various?

Yes, please open one for me for "2."

About 4.) It looks like a max_length do not exist in cracklib.

(In reply to comment #14)
> Yes, please open one for me for "2."
Done. Bug 539053 has been opened and assigned to you.

> About 4.) It looks like a max_length do not exist in cracklib.
Sorry, me error. Should read min_length. (Yes, that's really what I mean: Also when the min_length is set to "5", I am not able to set a password with 5 letters through the "passwd" command. It complains that the password is too short. With 6 letters, it works.)

So there stay the following issues:

1.)
The spinbox in YaST allows min_length=0. But the spinbox should not allow number < 5 (simple UI issue)

2.)
Enabling/disabling of password checks is buggy: It has an incorrect state after the installation and changes apply only if length was set to 5 befor.

3.)
As described in comment #3 it is also not possible to set a password of the length of 5 characters with the "passwd" command (even if min_length is set to 5  in YaST before). Maybe the pam_cracklib requieres even 6 letters? In this case, issue 1 (and bug 539053) should requiere at least 6 letters. If not -> is this another issue?

(In reply to comment #16)
> So there stay the following issues:
> 
> 1.)
> The spinbox in YaST allows min_length=0. But the spinbox should not allow
> number < 5 (simple UI issue)

Well, maybe we should not change this now. See comments below.
 
> 3.)
> As described in comment #3 it is also not possible to set a password of the
> length of 5 characters with the "passwd" command (even if min_length is set to
> 5  in YaST before). Maybe the pam_cracklib requieres even 6 letters? In this
> case, issue 1 (and bug 539053) should requiere at least 6 letters. If not -> is
> this another issue?

I had a deep look into the code. The following happens:

pam_cracklib calls first cracklib library FascistCheck() to compare the new password against a dictionary. This function has a hard coded MINLEN of "6". 
Only if this function is passed, it calls its own strength checks where the "minlen" option come into play. 

I think I will discuss this with thorsten and maybe we decide to do some code changes in pam_cracklib. The problem is only, that we both are involved in other important projects now. 

Jiri: If you want to change "1.", than please check for number >= 6 . Or wait some weeks. Maybe we can provide other options.

(In reply to comment #17)

> Jiri: If you want to change "1.", than please check for number >= 6 . Or wait
> some weeks. Maybe we can provide other options.

I'll wait with any changes in YaST until this is clarified.

I think pam_cracklib needs to be fixed, need to discuss that upstream. The check doesn't make sense for me.

Ping, any news?
Does yast module need any change?

(In reply to comment #19)
> I think pam_cracklib needs to be fixed, need to discuss that upstream. The
> check doesn't make sense for me.

Please, tell me when pam_cracklib is fixed and when I should adapt YaST

After reading all the documentation, we should remove the min length option from YaST2.

I guess this never worked and about no one noticed. So I would not change that for 11.2 _now_ but for 11.3

> After reading all the documentation, we should remove the min length
> option from YaST2.
Hm, I think that it is a valid usecase that a user wants to have shorter (or even empty) passwords. And YaST2 should continue to support that (if YaST2 doesn't support it, the thing is quiete complicate)! At lest me I need accounts without passwords.

> I guess this never worked
It worked always - until openSUSE 11.2.

> and about no one noticed.
Well, _I_ have noticed... ;-)

(In reply to comment #25)
> > After reading all the documentation, we should remove the min length
> > option from YaST2.
> Hm, I think that it is a valid usecase that a user wants to have shorter (or
> even empty) passwords.

Correct. But in that case, you don't want to use pam_cracklib.

> Correct. But in that case, you don't want to use pam_cracklib.

That means that it will (still) be possible to deactivate the hole password checking (pam_cracklib)? That would be fine!

(Another question is if users want to _raise_ the length of password to a higher lever. However, me personally I've never done this...)

Jiri: for 11.3 I would suggest to pick one of the following option:

1) drop the minlen option in yast2-security
2) document how the minlen option of pam_cracklib is working. See 
    "man pam_cracklib" for this. (Short: the checked minlen is reduced by
    the number of different character classes which are used.
    real-minlength = minlength - count(characterclasses)
    (Only if the *credit options are not set)
3) Do 2), but additionally support the other options which are important in
   combination with minlen

   --cracklib-dcredit=<value>
   --cracklib-ucredit=<value>
   --cracklib-lcredit=<value>
   --cracklib-ocredit=<value>
   --cracklib-minclass=<value>

I vote for user manual, than there are man pages...

(In reply to comment #31)
> I vote for user manual, than there are man pages...

?????

Michael Calmer wrote that the text is from the manual page, he refered even to it.

The question was, if we let the min length option in YaST2, if we can add this text to the help page of the YaST2 module, so that customers know for what the option is good and how it works.

(In reply to comment #32)
> (In reply to comment #31)
> > I vote for user manual, than there are man pages...
> 
> ?????
>
> Michael Calmer wrote that the text is from the manual page, he refered even to
> it.

I mean, let's describe the behavior in user's manual, and for the expert options, we have a manual pages. What's the problem?

> The question was, if we let the min length option in YaST2, if we can add this
> text to the help page of the YaST2 module, so that customers know for what the
> option is good and how it works.

If we exclude setting such option from YaST, I see no point in mentioning it in YaST help text.

If we should include anything of current support in YaST, than please specify what. But if it is close to option 3 from Michael's comment 28, please create a feature request for it.

Sorry, parse error, I don't understand your problem.

There is a manual page, but nobody will look into the manual page for pam_cracklib, if he set the min length option in YaST2. Because nobody knows in which manual page he has to look. 
Is this so difficult?

Now you have three options to choose about, and one of the three options is, to document in the help page of the YaST module, for what the option is good.

I think every option in a YaST2 module should be mentioned in the help test of the YaST2 module, else the option is pretty useless for the customer.

We have found out, that current support for minlen that is offered by YaST is actually not working. So, the current one has to be removed from YaST anyway.

Now, we have the option to not configure minlen in YaST at all or configure only partially, or configure fully.

Michael raised a question, where should the correct way of usage be documented: I'm aswering, in user's manual and for the expert options we have the man pages. YaST is not documentation tool and it should only document what does it support: here you are right. The question is, what should YaST support. 

Again, if YaST should support this:

   --cracklib-dcredit=<value>
   --cracklib-ucredit=<value>
   --cracklib-lcredit=<value>
   --cracklib-ocredit=<value>
   --cracklib-minclass=<value>

please make a feature request.

Ouch. Now I start to understand, that the "2) document how the minlen option of pam_cracklib is working." really means, that current minlen option is working, but not the easy way user would expect. So "documenting" could really be in YaST help text and YaST hadling of current minlen could stay as it is.


Michael, could you propose an updated  help text  than?

I would suggest something like this:

minlen: The minimum acceptable size for the new password reduced by the number of different character classes(other, upper, lower and digit) used in the new password. See man pam_cracklib for a more detailed explanation.

Thanks, I added the help text to yast2-security-2.19.0.

I hope now we can close this bug.

Reffering at the original bug report:

- Is there now a working way to disable the password checking? (Password with 0 letters)

- Is the minimum value of the spinbox for password length set to 5?

(In reply to comment #39)
> Reffering at the original bug report:
> 
> - Is there now a working way to disable the password checking? (Password with 0
> letters)

Michael?

> - Is the minimum value of the spinbox for password length set to 5?

Yes, however I don't know it this is correct value.

Don't know if the yast module support this. 
Disable password checking can be done by removing the used pam module(s).

$> pam-config -d --pwcheck 
$> pam-config -d --cracklib

Depends on which modules you use. 

If pam_cracklib is used, the minimum password length is 6. This is a hardcoded value in cracklib.