adduser allows no password when PAM's pwquality is restrictively set
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
adduser (Ubuntu) | New | Undecided | Unassigned | |
Bug Description
If pam_pwquality is restrictively set, a user can still be created by adduser without a password.
e.g.,
```
eslerm@mino:~$ cat /etc/pam.
password requisite pam_pwquality.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root
eslerm@mino:~$ sudo adduser bar
info: Adding user `bar' ...
info: Selecting UID/GID from range 1000 to 59999 ...
info: Adding new group `bar' (1002) ...
info: Adding new user `bar' (1002) with group `bar (1002)' ...
info: Creating home directory `/home/bar' ...
info: Copying files from `/etc/skel' ...
New password:
BAD PASSWORD: The password contains less than 1 digits
New password:
BAD PASSWORD: The password contains less than 1 digits
New password:
BAD PASSWORD: The password contains less than 1 digits
passwd: Have exhausted maximum number of retries for service
passwd: password unchanged
Try again? [y/N] N
Changing the user information for bar
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n]
info: Adding new user `bar' to supplemental / extra groups `users' ...
info: Adding user `bar' to group `users' ...
eslerm@mino:~$ sudo cat /etc/shadow|grep bar
bar:!:19802:
```
This was raised as an issue to the Security team. Foundations suggested to file a bug. This is possibly only a feature request. If this behavior is unexpected by the maintainers, it is likely a security issue. I am leaning towards this being a feature request and not marking the bug for Public/Private Security.
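An audit for the state shown in the transcript above, as an added example that is not part of the bug report or of adduser: it lists accounts in the 1000 to 59999 UID range whose shadow password field holds no hash, following shadow(5) field semantics. The function name `audit_unset_passwords` is hypothetical and the sample passwd/shadow data is constructed.

```shell
#!/bin/sh
# Added example: list human-range accounts whose shadow entry holds no hash.
# Usage: audit_unset_passwords /etc/shadow /etc/passwd   (reading shadow needs root)
audit_unset_passwords() {
    shadow_file=$1
    passwd_file=$2
    # UID range taken from the adduser output on this page (1000 to 59999).
    awk -F: -v lo=1000 -v hi=59999 '
        # First file (passwd): remember login names in the human UID range.
        NR == FNR { if ($3 >= lo && $3 <= hi) human[$1] = 1; next }
        # Second file (shadow): inspect field 2 for those names only.
        ($1 in human) {
            pw = $2
            if (pw == "")
                print $1 "\tEMPTY (no password required to authenticate)"
            else if (pw ~ /^[!*]+$/)
                print $1 "\tNO_HASH (locked, no password hash stored)"
            # "!" followed by a hash is a deliberately locked password; a bare
            # hash is a normal account. Neither is reported.
        }' "$passwd_file" "$shadow_file"
}

# Constructed sample data (not taken from a real system).
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol:x:1002:1002::/home/carol:/bin/bash
dave:x:1003:1003::/home/dave:/bin/bash
EOF
    cat > "$dir/shadow" <<'EOF'
daemon:*:19800:0:99999:7:::
alice:$y$j9T$constructedsalt$constructedhash:19800:0:99999:7:::
bob:!:19802:0:99999:7:::
carol::19802:0:99999:7:::
dave:!$y$j9T$constructedsalt$constructedhash:19802:0:99999:7:::
EOF
    audit_unset_passwords "$dir/shadow" "$dir/passwd"
    rm -rf "$dir"
}

demo
```

The constructed `bob` entry has the same password field (`!`) as the `bar` account in the transcript; `carol` shows the separate empty-field case, which is the one that permits authentication without a password.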