lightdm accepts weak password although pam says BAD PASSWORD

Bug #1128226 reported by Nobuto Murata on 2013-02-17
266
This bug affects 2 people
Affects Status Importance Assigned to Milestone
lightdm (Ubuntu)
Undecided
Unassigned

Bug Description

Even if libpam-cracklib installed, lightdm accepts too short password.
This might be a security issue because user can ignore password policy defined by root.

How to reproduce:

 1. install libpam-cracklib
 2. create "user1" with password "foo"
 3. expire user1's password by root
    $ sudo passwd -e user1
 4. try to login as user1 on lightdm with password "foo"
 5. get "You are required to change password" message
    and be prompted to input new password

Expected results:
  if you input too short password like "bar" in the box,
  then lightdm rejects it and re-prompt to type stronger password.

Actual results:
  if you input too short password like "bar" in the box twice,
  then lightdm accept it and change password with too short one
  although saying that "BAD PASSWORD: it is WAY too short" and "BAD PASSWORD: is too simple"

WORKAROUND:
 1. use other display manager like gdm
 or
 2. use pam modules which can reject a weak password even if changed by root
    - libpam-passwdqc(universe) with "enforce=everyone"(default)
      instead of libpam-cracklib(main)
    - libpam-pwquality(universe) with "enforce_for_root" in quantal or higher
      instead of libpam-cracklib(main)
    - pam_pwhistory remember=N with "enforce_for_root"
      instead of pam_unix remember=N
    - (but no replacement of "reject_username" in pam_cracklib AFAIK)

NOTE:
 passwd command with user privilege, properly reject too short password like below:

 $ passwd
(current) UNIX password: #<- type "foo
New password: #<- type "bar"
BAD PASSWORD: it is WAY too short
New password: #<- type "bar"
BAD PASSWORD: it is WAY too short
New password: #<- type "bar"
BAD PASSWORD: it is WAY too short
passwd: Have exhausted maximum number of retries for service
passwd: password unchanged
Changing password for user1.

ProblemType: BugDistroRelease: Ubuntu 13.04
Package: lightdm 1.4.0-0ubuntu4
ProcVersionSignature: Ubuntu 3.8.0-6.13-generic 3.8.0-rc7
Uname: Linux 3.8.0-6-generic x86_64
ApportVersion: 2.8-0ubuntu4
Architecture: amd64
CasperVersion: 1.330
Date: Sun Feb 17 16:26:19 2013
LightdmConfig:
 [SeatDefaults]
 user-session=ubuntu
 greeter-session=unity-greeter
LiveMediaBuild: Ubuntu 13.04 "Raring Ringtail" - Alpha amd64 (20130217)
MarkForUpload: True
ProcEnviron:
 TERM=linux
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bashSourcePackage: lightdm
UpgradeStatus: No upgrade log present (probably fresh install)

Nobuto Murata (nobuto) wrote :
Nobuto Murata (nobuto) wrote :

There is no special/secret way to reproduce this, i.e. the procedure is quite normal.

I will mark this issue as public.

information type: Private Security → Public Security
Matt Fischer (mfisch) on 2013-02-18
Changed in lightdm (Ubuntu):
status: New → Triaged
Nobuto Murata (nobuto) wrote :

The easiest workaround is using other display manager like gdm. But a possible workaround is using libpam-passwdqc(universe) instead of libpam-cracklib(main). With "enforce=everyone"(default), it can reject a password which does not meet requirements even if changed by root.

But it cannot cover all requirement other pam modules have, e.g. "reject_username" in pam_cracklib and "remember=n" in pam_unix.

Nobuto Murata (nobuto) on 2013-03-24
description: updated
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Duplicates of this bug

Other bug subscribers