pam_cracklib 'minlen' option is misnamed and poorly explained

Bug #139999 reported by Chris Bozic
Affects: pam (Ubuntu)
Status: Triaged
Importance: Medium
Assigned to: Unassigned
Milestone:

Bug Description

Binary package hint: libpam-cracklib

I have made some simple changes to /etc/pam.d/common-password summarized here:

http://ubuntuforums.org/showthread.php?t=552044

...and none of the changes seem to work in programs like passwd and adduser.

Steve Langasek (vorlon) wrote :

Hi Chris,

Have you read the pam_cracklib manpage? The 'minlen' option is unfortunately named, because it is /not/ a minimum acceptable password length, it's a minimum acceptable password *strength*. Because pam_cracklib assigns "credits" for use of each character class, using a mix of upper/lowercase letters, numbers, and symbols will cause pam_cracklib to see the password as "longer" than it really is.

If you are trying to set a hard minimum for password length, you can use the 'min=N' option to pam_unix itself, with or without pam_cracklib.

If this is not the problem you're having, then I'll have to take a second look. Your usage looks correct, but I haven't yet tested here to be sure it works the way I understand it's supposed to.

Changed in pam:
importance: Undecided → Medium
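The credit arithmetic Steve describes above is easy to misjudge by hand, so here is an added illustration (a model written for this page, not pam_cracklib's or pam_unix's own source) that computes the "effective length" pam_cracklib compares against minlen next to the plain character count that pam_unix's min=N checks. The defaults (minlen=9, one credit per character class) and the meaning of a negative credit (a required minimum count for that class) follow the pam_cracklib manpage; the sample password is constructed.

```python
"""Model of pam_cracklib's 'minlen' credit arithmetic beside pam_unix's 'min'.

Added illustration for this bug thread; it is NOT pam's own source.  Defaults
(minlen=9, one credit per character class) follow the pam_cracklib manpage.
"""

# Character classes pam_cracklib scores: digits, upper case, lower case, other.
CLASSES = ("digit", "upper", "lower", "other")


def char_class_counts(password: str) -> dict:
    """Count how many characters of each class the password contains."""
    counts = {cls: 0 for cls in CLASSES}
    for ch in password:
        if ch.isdigit():
            counts["digit"] += 1
        elif ch.isupper():
            counts["upper"] += 1
        elif ch.islower():
            counts["lower"] += 1
        else:
            counts["other"] += 1
    return counts


def cracklib_effective_length(password, dcredit=1, ucredit=1, lcredit=1, ocredit=1):
    """Return (effective_length, reason) as pam_cracklib would score it.

    A non-negative credit adds up to that many 'virtual' characters for the
    class, so a password mixing classes counts as longer than it really is.
    A negative credit instead means 'at least -N characters of this class are
    required'; 'reason' is set when that requirement is not met.
    """
    counts = char_class_counts(password)
    credits = {"digit": dcredit, "upper": ucredit, "lower": lcredit, "other": ocredit}
    effective = len(password)
    for cls in CLASSES:
        have, credit = counts[cls], credits[cls]
        if credit >= 0:
            effective += min(have, credit)
        elif have < -credit:
            return effective, f"needs at least {-credit} {cls} character(s)"
    return effective, None


def cracklib_accepts(password, minlen=9, **credits):
    """True if pam_cracklib's minlen (strength) check would pass."""
    effective, reason = cracklib_effective_length(password, **credits)
    return reason is None and effective >= minlen


def pam_unix_accepts(password, min_len):
    """pam_unix 'min=N' is a plain character count with no credits."""
    return len(password) >= min_len


if __name__ == "__main__":
    # Constructed sample: six characters drawn from all four classes.
    sample = "aB3$x1"
    eff, _ = cracklib_effective_length(sample)
    print(f"{sample!r}: {len(sample)} chars, cracklib effective length {eff}")
    print("pam_cracklib minlen=10 accepts:", cracklib_accepts(sample, minlen=10))
    print("pam_unix min=8 accepts:", pam_unix_accepts(sample, 8))
```

Run it and the six-character sample scores an effective length of 10, so a pam_cracklib line with minlen=10 lets it through while pam_unix with min=8 rejects it. That is the difference the thread turns on: the hard floor on character count lives in the min=N argument on the pam_unix.so line of /etc/pam.d/common-password, not in pam_cracklib's minlen.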
Chris Bozic (cbozic) wrote : Re: [Bug 139999] Re: changes to /etc/pam.d/common-password with cracklib don't work

Thanks for the reply. Yes, I am trying to set a hard minimum password
length and I can verify that as of today (running an up-to-date
version of Hardy) setting the "min" option to 8 still allows me to
create users with a password length of 6. This was the same behavior
I saw on Gutsy as well.

Thank you for taking a look at this.

Chris Bozic

On Wed, Jul 30, 2008 at 3:55 AM, Steve Langasek
<email address hidden> wrote:
> Hi Chris,
>
> Have you read the pam_cracklib manpage? The 'minlen' option is
> unfortunately named, because it is /not/ a minimum acceptable password
> length, it's a minimum acceptable password *strength*. Because
> pam_cracklib assigns "credits" for use of each character class, using a
> mix of upper/lowercase letters, numbers, and symbols will cause
> pam_cracklib to see the password as "longer" than it really is.
>
> If you are trying to set a hard minimum for password length, you can use
> the 'min=N' option to pam_unix itself, with or without pam_cracklib.
>
> If this is not the problem you're having, then I'll have to take a
> second look. Your usage looks correct, but I haven't yet tested here to
> be sure it works the way I understand it's supposed to.
>
> ** Changed in: pam (Ubuntu)
> Importance: Undecided => Medium
>
> --
> changes to /etc/pam.d/common-password with cracklib don't work
> https://bugs.launchpad.net/bugs/139999
> You received this bug notification because you are a direct subscriber
> of the bug.
>

Steve Langasek (vorlon) wrote :

To set a hard minimum password length, please use the 'min' option to pam_unix instead. The 'minlen' option to pam_cracklib doesn't do what the name suggests it should do.

I'm confirming this as a documentation bug; the pam_cracklib documentation needs to be made a lot clearer about this.

Changed in pam:
status: New → Triaged
Chris Bozic (cbozic) wrote :

Ok, just to be clear, this is NOT just a documentation bug. As I have said above (although not very clearly), the "min" option to pam_unix does not work. I can have it set to 8 and still add new users with 6 character passwords. While I do agree with you that the "minlen" option to pam_cracklib is confusing and needs better documentation, there still seems to be a bug in the code of pam_unix that prevents the "min" option from working. I have seen this behavior on both Hardy and Gutsy.

Thanks again for your attention to this.

Chris Bozic

Steve Langasek (vorlon) wrote : Re: [Bug 139999] Re: pam_cracklib 'minlen' option is misnamed and poorly explained

On Thu, Jul 31, 2008 at 12:48:18PM -0000, Chris Bozic wrote:
> Ok, just to be clear, this is NOT just a documentation bug. As I have
> said above (although not very clearly), the "min" option to pam_unix
> does not work. I can have it set to 8 and still add new users with 6
> character passwords. While I do agree with you that the "minlen" option
> to pam_cracklib is confusing and needs better documentation, there still
> seems to be a bug in the code of pam_unix that prevents the "min" option
> from working. I have seen this behavior on both Hardy and Gutsy.

Oh - sorry, which version of Ubuntu are you running? I know that pam_unix's
'min' option is broken in versions prior to 0.99.7.1-4, which would affect
Ubuntu 7.04 and earlier. That bug is definitely fixed for Ubuntu 7.10 and
8.04 LTS, however.

--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                 to set it on, and I can move the world.
Ubuntu Developer                 http://www.debian.org/
<email address hidden>           <email address hidden>

Chris Bozic (cbozic) wrote : Re: [Bug 139999] Re: pam_cracklib 'minlen' option is misnamed and poorly explained

I can not get the min option to work in either 7.10 or 8.04.

Sent from my iPhone.

On Jul 31, 2008, at 1:19 PM, Steve Langasek <email address hidden> wrote:

> On Thu, Jul 31, 2008 at 12:48:18PM -0000, Chris Bozic wrote:
>> Ok, just to be clear, this is NOT just a documentation bug. As I have
>> said above (although not very clearly), the "min" option to pam_unix
>> does not work. I can have it set to 8 and still add new users with 6
>> character passwords. While I do agree with you that the "minlen" option
>> to pam_cracklib is confusing and needs better documentation, there still
>> seems to be a bug in the code of pam_unix that prevents the "min" option
>> from working. I have seen this behavior on both Hardy and Gutsy.
>
> Oh - sorry, which version of Ubuntu are you running? I know that pam_unix's
> 'min' option is broken in versions prior to 0.99.7.1-4, which would affect
> Ubuntu 7.04 and earlier. That bug is definitely fixed for Ubuntu 7.10 and
> 8.04 LTS, however.
>
> --
> Steve Langasek                   Give me a lever long enough and a Free OS
> Debian Developer                 to set it on, and I can move the world.
> Ubuntu Developer                 http://www.debian.org/
> <email address hidden>           <email address hidden>
>
> --
> pam_cracklib 'minlen' option is misnamed and poorly explained
> https://bugs.launchpad.net/bugs/139999
> You received this bug notification because you are a direct subscriber
> of the bug.

Steve Langasek (vorlon) wrote : Re: [Bug 139999] Re: pam_cracklib 'minlen' option is misnamed and poorly explained

On Thu, Jul 31, 2008 at 05:46:01PM -0000, Chris Bozic wrote:
> I can not get the min option to work in either 7.10 or 8.04.

Please forward the complete contents of your /etc/pam.d/common-password and
/etc/pam.d/passwd files, since I'm unable to reproduce this.

--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                 to set it on, and I can move the world.
Ubuntu Developer                 http://www.debian.org/
<email address hidden>           <email address hidden>

Felix Geyer (debfx)
Changed in pam (Ubuntu):
status: Triaged → Incomplete
Steve Langasek (vorlon) wrote :

Please do not reset the state of 'triaged' bugs without explanation.

Changed in pam (Ubuntu):
status: Incomplete → Triaged