** Description changed:

  Even if libpam-cracklib installed, lightdm accepts too short password.
  This might be a security issue because user can ignore password policy defined by root.

  How to reproduce:
- 1. install libpam-cracklib
- 2. create "user1" with password "foo"
- 3. expire user1's password by root
-    $ sudo passwd -e user1
- 4. try to login as user1 on lightdm with password "foo"
- 5. get "You are required to change password" message
-    and be prompted to input new password
+ 1. install libpam-cracklib
+ 2. create "user1" with password "foo"
+ 3. expire user1's password by root
+    $ sudo passwd -e user1
+ 4. try to login as user1 on lightdm with password "foo"
+ 5. get "You are required to change password" message
+    and be prompted to input new password

  Expected results:
- if you input too short password like "bar" in the box,
- then lightdm rejects it and re-prompt to type stronger password.
+ if you input too short password like "bar" in the box,
+ then lightdm rejects it and re-prompt to type stronger password.

  Actual results:
- if you input too short password like "bar" in the box twice,
- then lightdm accept it and change password with too short one
- although saying that "BAD PASSWORD: it is WAY too short" and "BAD PASSWORD: is too simple"
+ if you input too short password like "bar" in the box twice,
+ then lightdm accept it and change password with too short one
+ although saying that "BAD PASSWORD: it is WAY too short" and "BAD PASSWORD: is too simple"
+
+ WORKAROUND:
+ 1. use other display manager like gdm
+ or
+ 2. use pam modules which can reject a weak password even if changed by root
+    - libpam-passwdqc(universe) with "enforce=everyone"(default)
+      instead of libpam-cracklib(main)
+    - libpam-pwquality(universe) with "enforce_for_root" in quantal or higher
+      instead of libpam-cracklib(main)
+    - pam_pwhistory remember=N with "enforce_for_root"
+      instead of pam_unix remember=N
+    - (but no replacement of "reject_username" in pam_cracklib AFAIK)

  NOTE:
- passwd command with user privilege, properly reject too short password like below:
+ passwd command with user privilege, properly reject too short password like below:

- $ passwd
+ $ passwd
  (current) UNIX password: #<- type "foo
  New password: #<- type "bar"
  BAD PASSWORD: it is WAY too short
  New password: #<- type "bar"
  BAD PASSWORD: it is WAY too short
  New password: #<- type "bar"
  BAD PASSWORD: it is WAY too short
  passwd: Have exhausted maximum number of retries for service
  passwd: password unchanged
  Changing password for user1.

- ProblemType: Bug
- DistroRelease: Ubuntu 13.04
+ ProblemType: BugDistroRelease: Ubuntu 13.04
  Package: lightdm 1.4.0-0ubuntu4
  ProcVersionSignature: Ubuntu 3.8.0-6.13-generic 3.8.0-rc7
  Uname: Linux 3.8.0-6-generic x86_64
  ApportVersion: 2.8-0ubuntu4
  Architecture: amd64
  CasperVersion: 1.330
  Date: Sun Feb 17 16:26:19 2013
  LightdmConfig:
- [SeatDefaults]
- user-session=ubuntu
- greeter-session=unity-greeter
+ [SeatDefaults]
+ user-session=ubuntu
+ greeter-session=unity-greeter
  LiveMediaBuild: Ubuntu 13.04 "Raring Ringtail" - Alpha amd64 (20130217)
  MarkForUpload: True
  ProcEnviron:
- TERM=linux
- PATH=(custom, no user)
- XDG_RUNTIME_DIR=<set>
- LANG=en_US.UTF-8
- SHELL=/bin/bash
- SourcePackage: lightdm
+ TERM=linux
+ PATH=(custom, no user)
+ XDG_RUNTIME_DIR=<set>
+ LANG=en_US.UTF-8
+ SHELL=/bin/bashSourcePackage: lightdm
  UpgradeStatus: No upgrade log present (probably fresh install)
-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1128226

Title:
  lightdm accepts weak password although pam says BAD PASSWORD

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1128226/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
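The WORKAROUND section above comes down to one question an administrator can check: does the PAM password stack still reject a weak password when the change is applied with root privileges, as it is in the lightdm expired-password flow? The script below is an added example, not part of the bug report or of lightdm; the two stack files are constructed samples (one modelled on the cracklib stack in the report, one on its pwquality/pwhistory workaround), and the checker only inspects the password stack, it does not change passwords.

```shell
#!/bin/sh
# Added example, not from the bug report. Inspects a PAM password stack
# (a file like /etc/pam.d/common-password) and reports whether password
# quality is still enforced when the change is driven by root.
# Returns 0 when enforced for root, 1 when root can bypass the check.
pam_quality_enforced_for_root() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blanks
        $1 != "password" { next }                        # only the password stack
        /pam_pwquality\.so/ && /enforce_for_root/ { ok = 1 }
        # passwdqc enforces for everyone unless enforce=none or enforce=users
        /pam_passwdqc\.so/ && !/enforce=(none|users)/ { ok = 1 }
        END { if (ok) exit 0; exit 1 }
    ' "$1"
}

# Constructed sample: the cracklib-based stack from the report, which only
# rejects weak passwords for unprivileged callers.
WEAK_STACK=$(mktemp)
cat > "$WEAK_STACK" <<'EOF'
password  requisite  pam_cracklib.so retry=3 minlen=8 difok=3
password  [success=1 default=ignore]  pam_unix.so obscure use_authtok sha512 remember=5
password  requisite  pam_deny.so
password  required   pam_permit.so
EOF

# Constructed sample: the report's workaround, pwquality and pwhistory with
# enforce_for_root so a root-driven change is rejected as well.
FIXED_STACK=$(mktemp)
cat > "$FIXED_STACK" <<'EOF'
password  requisite  pam_pwquality.so retry=3 enforce_for_root
password  required   pam_pwhistory.so remember=5 use_authtok enforce_for_root
password  [success=1 default=ignore]  pam_unix.so obscure use_authtok sha512
password  requisite  pam_deny.so
password  required   pam_permit.so
EOF

for stack in "$WEAK_STACK" "$FIXED_STACK"; do
    if pam_quality_enforced_for_root "$stack"; then
        echo "$stack: quality enforced for root"
    else
        echo "$stack: root can bypass quality checks"
    fi
done
```

Point the function at your own /etc/pam.d/common-password (Ubuntu) or the relevant /etc/pam.d service file to check a live system; the pam_pwhistory line is not part of the quality decision here, it only shows the matching remember=N workaround from the report.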