libpam-cracklib cannot find cracklib_dict.pwd after install

I saw this problem once, but afterwards was not able to reproduce it. It's a bug in cracklib2 rather than in pam; libpam-cracklib depends on cracklib-runtime, which should take care of setting this all up at install time. Hopefully someone who knows more about the cracklib package can debug this.

The bug may occur if no dictionary is installed at the system or update-cracklib has not been called at least once. The post-install script of cracklib-runtime should call update-cracklib for this purpose. Cracklib-runtime contains a cron.daily job that calls update-cracklib, but postinst should use it too.

On Tue, Oct 14, 2008 at 12:12:34PM -0000, Jan Dittberner wrote:
> The bug may occur if no dictionary is installed at the system or update-
> cracklib has not been called at least once. The post-install script of
> cracklib-runtime should call update-cracklib for this purpose. Cracklib-
> runtime contains a cron.daily job that calls update-cracklib, but
> postinst should use it too.

And this is supposed to happen, and from what I see, *usually* does:

if [ "$1" = "configure" -a -r /etc/cracklib/cracklib.conf ]; then
    /usr/sbin/update-cracklib > /dev/null
    [...]
fi

So I don't know what the error condition is - a missing
/etc/cracklib/cracklib.conf on upgrade?

--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
<email address hidden> <email address hidden>

You're right, update-cracklib is called in postinst. update-cracklib fails if /etc/cracklib/cracklib.conf doesn't exist:

if [ -r "/etc/cracklib/cracklib.conf" ]
then
    . /etc/cracklib/cracklib.conf
else
    echo Error: cannot read configuration file /etc/cracklib/cracklib.conf
    exit 1
fi

maybe this error was ignored by the postinst script in the version currently in Ubuntu. 2.8.13-1 (in Debian Sid) adds a set -e to postinst which should stop this wrong behavior. Another reason for this problem could be a missing dictionary (no dictionary package installed at the machine). The cracklib dictionary is built from the dictionaries installed and user dictionaries in /usr/local/share/dict /usr/local/dict by default.

Zin Slan, what does

  ls -l /usr/share/dict
  dpkg -l |grep /usr/share/dict

show you? How did you install this system?

$ ls -l /usr/share/dict
total 1825
-rw-r--r-- 1 root root 931467 2008-07-04 01:20 american-english
-rw-r--r-- 1 root root 929603 2008-07-04 01:20 british-english
-rw-r--r-- 1 root root 199 2008-06-04 10:18 README.select-wordlist
lrwxrwxrwx 1 root root 30 2008-10-03 12:38 words -> /etc/dictionaries-common/words
lrwxrwxrwx 1 root root 16 2008-10-03 12:43 words.pre-dictionaries-common -> american-english
$

$ dpkg -l |grep /usr/share/dict
$

I upgraded to Intrepid from Hardy using `update-manager -d`, then decided to install libpam-cracklib using `apt-get install libpam-cracklib`.

This bug was fixed in the package cracklib2 - 2.8.12-2ubuntu1

---------------
cracklib2 (2.8.12-2ubuntu1) intrepid; urgency=low

  * debian/update-cracklib: don't rely on [ -nt ] to return true when
    the second file is non-existent, since this fails under dash.
    LP: #278743.

 -- Steve Langasek <email address hidden> Wed, 15 Oct 2008 17:46:55 -0700

Hi Jan,

Since you're subscribed to this bug, I'll post the debdiff here rather than filing a new one in the Debian BTS, if that's ok with you. :) The problem is a subtle bashism in update-cracklib, and this patch fixes it for me.

On Thu, Oct 16, 2008 at 01:09:38AM -0000, Steve Langasek wrote:
> Hi Jan,
>
> Since you're subscribed to this bug, I'll post the debdiff here rather
> than filing a new one in the Debian BTS, if that's ok with you. :) The
> problem is a subtle bashism in update-cracklib, and this patch fixes it
> for me.

Thanks Steve,

I'll fix it in SVN. Should I try to get this fix into Lenny or is it not
worth the effort?

Regards
Jan

>
> ** Attachment added: "cracklib2-278743.debdiff"
> http://launchpadlibrarian.net/18591357/cracklib2-278743.debdiff
>
> --
> libpam-cracklib cannot find cracklib_dict.pwd after install
> https://bugs.launchpad.net/bugs/278743
> You received this bug notification because you are a direct subscriber
> of the bug.

On Thu, Oct 16, 2008 at 07:00:40AM -0000, Jan Dittberner wrote:
> On Thu, Oct 16, 2008 at 01:09:38AM -0000, Steve Langasek wrote:

> > Since you're subscribed to this bug, I'll post the debdiff here rather
> > than filing a new one in the Debian BTS, if that's ok with you. :) The
> > problem is a subtle bashism in update-cracklib, and this patch fixes it
> > for me.

> Thanks Steve,

> I'll fix it in SVN. Should I try to get this fix into Lenny or is it not
> worth the effort?

This is covered by a release goal (dash-as-bin-sh) for lenny, so I would
suggest trying to get it in, yes.

Cheers,
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
<email address hidden> <email address hidden>