Package: libpam-passwdqc
Version: 2.0.2-1+b1
Severity: normal
X-Debbugs-Cc: [email protected]

Hey,

passwdqc enforces its rules for root user invocations even when configured with
`enforce=users`. This applies specifically to the `chpasswd` command. `passwd`
warns of the weak password but doesn't fail, as documented in passwdqc.conf(5):

    $ chpasswd > /dev/null
    user1:weak
    Weak password: too short.
    Weak password: too short.
    Weak password: too short.
    chpasswd: (user user1) pam_chauthtok() failed, error:
    Authentication token manipulation error
    chpasswd: (line 1, user user1) password not changed
    $ echo $?
    1

    $ passwd user1 > /dev/null
    Enter new password:
    Weak password: too short.
    Re-type new password:
    passwd: password updated successfully
    $ echo $?
    0

Relevant pam configuration used:

    $ cat /etc/pam.d/chpasswd
    # The PAM configuration file for the Shadow 'chpasswd' service
    #

    @include common-password

    $ cat /etc/pam.d/passwd
    #
    # The PAM configuration file for the Shadow `passwd' service
    #

    @include common-password

    $ grep ^password /etc/pam.d/common-password
    password    requisite                       pam_passwdqc.so enforce=users
    password    [success=1 default=ignore]      pam_unix.so obscure use_authtok try_first_pass yescrypt
    password    requisite                       pam_deny.so
    password    required                        pam_permit.so

This might be caused by `chpasswd` interpreting passwdqc warnings written to
STDERR as failures.

Cheers,
Juho Kuisma

-- System Information:
Debian Release: 12.0
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-9-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8), LANGUAGE=en_GB.UTF-8
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libpam-passwdqc depends on:
ii  libc6           2.36-9
ii  libcrypt1       1:4.4.33-2
ii  libpam-runtime  1.5.2-6
ii  libpam0g        1.5.2-6
ii  libpasswdqc1    2.0.2-1+b1

Versions of packages libpam-passwdqc recommends:
ii  passwdqc  2.0.2-1+b1

libpam-passwdqc suggests no packages.

-- no debconf information