cracklib referenced in common-passwd but not installed by default

Bug #252557 reported by eichnerh
Affects                      Status        Importance  Assigned to  Milestone
auth-client-config (Ubuntu)  Fix Released  Wishlist    Unassigned
pam (Ubuntu)                 Invalid       Undecided   Unassigned

Bug Description

Using passwd to change a user's LDAP password does not work for our setup; the error message is rather cryptic, saying
passwd: Module is unknown
passwd: password unchanged
The reason is that libpam-cracklib is not installed by default, but referenced in /etc/pam.d/common-passwd as
password required pam_cracklib.so ...
Installing libpam-cracklib manually solved the issue.

Our installation is fully automated via preseeding, so I am not sure if cracklib is installed per default in "usual" installations or if something strange happened during our installation, removing cracklib.
Unless the problem should turn out to be my fault, one could either remove the above mentioned line or, probably the better solution, install libpam-cracklib by default.

Steve Langasek (vorlon) wrote :

Thank you for taking the time to report this bug and help to improve Ubuntu.

The only reference to pam_cracklib in the stock /etc/pam.d/common-passwd is this:

 # password required pam_cracklib.so retry=3 minlen=6 difok=3

i.e., it's commented out.

So it appears that you've modified this file at some point?

Changed in pam:
status: New → Invalid
Steve Langasek (vorlon) wrote :

(indeed, if you're using pam_ldap for password changes, you /must/ have modified this file, since pam_ldap is also neither used nor installed by default.)

eichnerh (eichnerh) wrote : Re: [Bug 252557] Re: cracklib referenced in common-passwd but not installed by default

Steve Langasek wrote:
> (indeed, if you're using pam_ldap for password changes, you /must/ have
> modified this file, since pam_ldap is also neither used nor installed by
> default.)
>

Hi Steve,

thanks for answering the report. I did install pam_ldap and, to adapt
the /etc/pam.d files, run
auth-client-config -p ldap_example -a
Seems like this removes the "#" from the cracklib reference, thanks for
pointing it out. If this is a bug at all, it is none in pam (besides the
useless error message). I think however the ldap_example profile should
be changed.
Sorry for the inconvenience and thanks for your answer and closing the
report.

regards,
    Hubert

Steve Langasek (vorlon) wrote :

ok, based on your comment that you think "the ldap_example profile should be changed", I'm opening a bug task on the auth-client-config package. I'm not sure whether there's any sense in fixing this before we simply revamp how PAM configuration is done, but it seems to be a valid request anyway. :)

Changed in auth-client-config:
importance: Undecided → Wishlist
eichnerh (eichnerh) wrote :

Steve Langasek wrote:
> ok, based on your comment that you think "the ldap_example profile
> should be changed", I'm opening a bug task on the auth-client-config
> package. I'm not sure whether there's any sense in fixing this before
> we simply revamp how PAM configuration is done, but it seems to be a
> valid request anyway. :)
>
Hi Steve,

are there plans to restructure PAM configuration?
I'm not too familiar with PAM, but I think it's really the job of the
pam-ldap package to reconfigure the pam.d/* files via debconf. I don't
really see the point in having to use another tool (auth-client-config)
with profile support; integrating pam.d/* configuration into debconf
would also allow for a "clean" configuration during automatic
installations via e. g. preseeding (right now, I am using some
hand-written postinstall scripts).

Thanks a lot,
    Hubert

Steve Langasek (vorlon) wrote : Re: [Bug 252557] Re: cracklib referenced in common-passwd but not installed by default

On Wed, Jul 30, 2008 at 07:28:14PM -0000, eichnerh wrote:
> are there plans to restructure PAM configuration?

Yes: https://wiki.ubuntu.com/PAMConfigFrameworkSpec

> I'm not too familiar with PAM, but I think it's really the job of the
> pam-ldap package to reconfigure the pam.d/* files via debconf.

Indeed, but the code doesn't exist yet to support this. :)

--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
<email address hidden>                              <email address hidden>

Jamie Strandboge (jdstrand) wrote :

Well, the ldap_example profile is intended as an example. However, unlike in the acc-cracklib profile, there is no mention of requiring libpam-cracklib to actually use the profile. I have adjusted the comment accordingly and committed the change to bzr, and it will be included in the next update of auth-client-config.

Also, the auth-client-config tool is designed so administrators can deploy custom PAM/nss configurations easily, as there will always be a need for customized PAM configuration in certain environments. Currently some are using it as a stop gap while the PAM restructuring is being developed to achieve a better 'out-of-the-box' experience.

Jamie Strandboge (jdstrand) wrote :

auth-client-config (0.9) intrepid; urgency=low

  * update acc-default kerberos_example so it works better with kerberos
    principals that have a local account with the same name. Thanks to
    Adam Sommer and Steve Langasek.
  * update ldap_example profile comments to mention that libpam-cracklib is
    required
  * update auth-client config to comment out sentinels required by Debian
    and Ubuntu's pam-auth-update (LP: #270328)
  * add tests for pam-auth-update specific tests

Changed in auth-client-config:
status: New → Fix Released
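
The mismatch behind this report, an active PAM rule naming a module that is not installed, can be checked for after a profile has been applied. The script below is an added example, not code from the report or from auth-client-config; the function names, sample file names and temporary directory layout are constructed for illustration.

```bash
# Added example, not part of the bug report or of auth-client-config.
# pam_missing_modules CONF_DIR MODULE_DIR...
# Prints "file:line: module" for each active (uncommented) rule in CONF_DIR
# whose module exists in none of the MODULE_DIRs. Assumes /etc/pam.d syntax
# (type control module args); backslash continuations are not handled.
pam_missing_modules() (
    conf_dir=$1; shift
    for file in "$conf_dir"/*; do
        [ -f "$file" ] || continue
        awk '
            { sub(/#.*/, "") }                    # strip comments
            NF == 0 || $1 == "@include" { next }  # nothing to resolve here
            {
                i = 2                             # field 2 starts the control
                if ($i ~ /^\[/)                   # e.g. [success=1 default=ignore]
                    while (i < NF && $i !~ /\]$/) i++
                if (i < NF) print NR, $(i + 1)    # module follows the control
            }' "$file" |
        while read -r lineno module; do
            found=0
            case $module in
                /*) if [ -e "$module" ]; then found=1; fi ;;
                *)  for dir in "$@"; do
                        if [ -e "$dir/$module" ]; then found=1; break; fi
                    done ;;
            esac
            if [ "$found" -eq 0 ]; then
                printf '%s:%s: %s\n' "${file##*/}" "$lineno" "$module"
            fi
        done
    done
)

# Constructed sample: one file keeps the cracklib rule commented out, the other
# has it active; the constructed module directory lacks pam_cracklib.so.
pam_demo() (
    tmp=$(mktemp -d) || exit 1
    mkdir "$tmp/pam.d" "$tmp/security"
    touch "$tmp/security/pam_unix.so" "$tmp/security/pam_ldap.so"
    printf '%s\n' '# password required pam_cracklib.so retry=3 minlen=6 difok=3' \
        'password required pam_unix.so' > "$tmp/pam.d/sample-stock"
    printf '%s\n' 'password required pam_cracklib.so retry=3 minlen=6 difok=3' \
        'password [success=1 default=ignore] pam_ldap.so use_authtok' \
        'password required pam_unix.so use_authtok' > "$tmp/pam.d/sample-ldap"
    pam_missing_modules "$tmp/pam.d" "$tmp/security"
    rm -rf "$tmp"
)
pam_demo
```

On an installed system the arguments would be /etc/pam.d followed by the PAM module directories, which vary by release and architecture.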