[Touch-packages] [Bug 2059049] Re: adduser allows no password when PAM's pwquality is restrictively set

Wed, 27 Mar 2024 01:25:41 -0700 

*** This bug is a duplicate of bug 2059048 ***
    https://bugs.launchpad.net/bugs/2059048

** This bug has been marked a duplicate of bug 2059048
   adduser allows no password when PAM's pwquality is restrictively set

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to adduser in Ubuntu.
https://bugs.launchpad.net/bugs/2059049

Title:
  adduser allows no password when PAM's pwquality is restrictively set

Status in adduser package in Ubuntu:
  New

Bug description:
  If pam_pwqaulity is restrictively set a user can still be created by
  adduser without a password.

  e.g.,
  ```
  eslerm@mino:~$ cat /etc/pam.d/common-password |grep pwquality
  password requisite pam_pwquality.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 
lcredit=-1 dcredit=-1 ocredit=-1 difok=3 gecoscheck=1 reject_username 
enforce_for_root

  eslerm@mino:~$ sudo adduser bar
  info: Adding user `bar' ...
  info: Selecting UID/GID from range 1000 to 59999 ...
  info: Adding new group `bar' (1002) ...
  info: Adding new user `bar' (1002) with group `bar (1002)' ...
  info: Creating home directory `/home/bar' ...
  info: Copying files from `/etc/skel' ...
  New password:
  BAD PASSWORD: The password contains less than 1 digits
  New password:
  BAD PASSWORD: The password contains less than 1 digits
  New password:
  BAD PASSWORD: The password contains less than 1 digits
  passwd: Have exhausted maximum number of retries for service
  passwd: password unchanged
  Try again? [y/N] N
  Changing the user information for bar
  Enter the new value, or press ENTER for the default
      Full Name []:
      Room Number []:
      Work Phone []:
      Home Phone []:
      Other []:
  Is the information correct? [Y/n]
  info: Adding new user `bar' to supplemental / extra groups `users' ...
  info: Adding user `bar' to group `users' ...

  eslerm@mino:~$ sudo cat /etc/shadow|grep bar
  bar:!:19802:0:99999:7:::
  ```

  This was raised as an issue to the Security team. Foundations
  suggested to file a bug. This is possibly only a feature request. If
  this behavior is unexpected by the maintainers, it is likely a
  security issue. I am leaning towards this being a feature request and
  not marking the bug for Public/Private Security.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/adduser/+bug/2059049/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to