Sysadmin password changed with more than 3 consecutive letters/numbers and almost similar password, just adding one single char at the end.

Bug #1790986 reported by Fernando Hernandez Gonzalez
Affects: StarlingX
Status: Invalid
Importance: High
Assigned to: Paul-Emile Element
Milestone: (none)

Bug Description

Sysadmin password changed with more than 3 consecutive letters/numbers and almost similar password, just adding one single char at the end.

The /etc/pam.d/common-password file configures the cluster password quality via the first non-comment line, where difok=3 means the new password must have at least three bytes that are not present in the old password, which is not happening.

Severity: Major

Steps to Reproduce
------------------
Login to controller-0 using system admin user.
To change password quality configuration on the controller, edit /etc/pam.d/common-password.
The password quality validation is configured via the first non-comment line:
"password required pam_pwquality.so try_first_pass retry=3 authtok_type= difok=3 minlen=7 lcredit=-1 ucredit=-1 ocredit=-1 dcredit=-1 enforce_for_root debug"

Change the minimum password length by changing the 'minlen' parameter to 9.
Change the minimum number of characters that must change between subsequent passwords by editing the "difok" parameter to 3.
Require at least one uppercase character in the password by adding 'ucredit=-1'.
Change the password on behalf of a user. Sign on to "root" or "su" to the "root" account. Type:
   $ sudo su
Make sure you are "root" by typing:
   $ whoami
Change the password on behalf of a user by typing "passwd <user>".
Enter a password with 8 characters, 1 uppercase letter and 1 non-alphanumeric character.
Enter a password with 8 characters, no uppercase letter and 1 non-alphanumeric character.
Enter the same old password and add characters until the length reaches 9 characters, with 1 uppercase letter and 1 non-alphanumeric character.

Expected Behavior
------------------
The system should come back with "BAD PASSWORD", saying you are using more than 3 bytes similar to the old password.

Actual Behavior
----------------
The system is allowing you to change the password with
e.g.
Madawa$ka1
MMMadawa$ka1
MMMMadawa$ka1
MMMMMadawa$ka1
MMMMMadawa$ka122222
MMMMMadawa$ka1222222

System Configuration
--------------------
Virtual Multi-node system

Tags: stx.security
Ken Young (kenyis)
Changed in starlingx:
status: New → Triaged
importance: Undecided → High
Ken Young (kenyis)
Changed in starlingx:
assignee: nobody → Paul-Emile Element (paul-emileelement)
Paul-Emile Element (paul-emileelement) wrote :

reproduced.

Paul-Emile Element (paul-emileelement) wrote :

This is not a defect.

When the root user sets (resets) a password for another user, the current password is not available for character comparison. All rules that require the cleartext version of the current password cannot be applied and will be skipped.

All rules that check the new password for strength are applied, as they do not require the current password.

History comparison is also working in this case, as it compares (and stores) hashed versions of the passwords, not the cleartext versions. This can only detect exact matches.

When non-root users attempt to change their own password, the passwd command requires the user to enter their current password, making it available for comparison with the new one.

When the root user is changing the password for another user, the password command cannot require the current password, as the root user is not expected to know the passwords for other users.

Changed in starlingx:
status: Triaged → Invalid
Ken Young (kenyis)
information type: Private Security → Public Security
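The reproduction steps above and the resolution comment describe two code paths: the strength rules (minlen and the four credit classes), which only need the new password, and the difok similarity rule, which needs the old cleartext and so never runs when root resets another user's password. The following is an added example, not StarlingX or libpwquality code. It is a simplified model of those checks with the parameters from the bug's pam line (minlen raised to 9 as in the reporter's steps). The similarity test is an assumption modelled on the difok idea (characters of the old password that reappear in the new one count as "same"; the new password must contain at least difok characters beyond those); the hashed history list is constructed here to stand in for the real history file, and the hash choice is illustrative only.

```python
"""Model of the pam_pwquality checks from the bug's common-password line.

Added example; not StarlingX or libpwquality code. It exists to show
which checks depend on the old cleartext password and therefore cannot
run when root executes `passwd <user>`.
"""
import hashlib
from typing import List, Optional

# Parameters from the bug's pam line, with minlen=9 as in the reporter's
# edit. A negative credit value means "at least N characters of that class".
POLICY = {"difok": 3, "minlen": 9,
          "lcredit": -1, "ucredit": -1, "dcredit": -1, "ocredit": -1}

CLASS_TESTS = {
    "lcredit": str.islower,
    "ucredit": str.isupper,
    "dcredit": str.isdigit,
    "ocredit": lambda ch: not ch.isalnum(),
}


def strength_errors(new: str, policy=POLICY) -> List[str]:
    """Checks that look only at the new password. These always run."""
    errors = []
    if len(new) < policy["minlen"]:
        errors.append("too short")
    for name, test in CLASS_TESTS.items():
        need = -policy[name]
        if need > 0 and sum(1 for ch in new if test(ch)) < need:
            errors.append(f"needs {need} of {name}")
    return errors


def too_similar(old: str, new: str, difok: int) -> bool:
    """Assumed model of difok: each character of old that occurs anywhere
    in new counts as 'same'; new must have at least difok characters left."""
    same = sum(1 for ch in old if ch in new)
    return len(new) - same < difok


def hash_pw(pw: str) -> str:
    """Illustrative hash for the history list (the real file stores
    crypt-style hashes; the point is only that hashes allow exact
    matches, not similarity comparison)."""
    return hashlib.sha256(pw.encode()).hexdigest()


def check_new_password(new: str, old: Optional[str], history: List[str],
                       policy=POLICY) -> List[str]:
    """Return the reasons a change is rejected; an empty list means accepted.

    old is None when root runs `passwd <user>`: the cleartext is not
    available, so the difok comparison is skipped, as the resolution
    comment describes. The hashed history still catches exact reuse.
    """
    errors = strength_errors(new, policy)
    if old is not None and too_similar(old, new, policy["difok"]):
        errors.append("too similar to old password")
    if hash_pw(new) in history:
        errors.append("already used")
    return errors


def demo():
    """Run the bug's own sample passwords through both code paths."""
    old = "Madawa$ka1"                      # constructed, from the bug report
    history = [hash_pw(old)]
    attempts = ["MMMadawa$ka1", "MMMMadawa$ka1", "MMMMMadawa$ka122222"]
    return {new: {"root_resets": check_new_password(new, None, history),
                  "user_self_change": check_new_password(new, old, history)}
            for new in attempts}


if __name__ == "__main__":
    for pw, result in demo().items():
        print(pw, result)
```

Under this model "MMMadawa$ka1" is accepted when root resets the password (only the strength rules and the exact-match history run) and rejected when the user changes it themselves, which is the behaviour the resolution describes. One caveat the model makes visible: difok counts characters, not positions, so once enough padding characters are added (three M's here) the similarity rule is satisfied even when the old password is known; whether a given libpwquality release behaves exactly this way should be checked against its source rather than assumed from this model.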