lightdm accepts weak password although pam says BAD PASSWORD

Bug #1128226 reported by Nobuto Murata
Affects: lightdm (Ubuntu) | Status: Triaged | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

Even if libpam-cracklib is installed, lightdm accepts a too-short password.
This might be a security issue because a user can ignore the password policy defined by root.

How to reproduce:

 1. install libpam-cracklib
 2. create "user1" with password "foo"
 3. expire user1's password by root
    $ sudo passwd -e user1
 4. try to login as user1 on lightdm with password "foo"
 5. get "You are required to change password" message
    and be prompted to input new password

Expected results:
  if you input a too-short password like "bar" in the box,
  then lightdm rejects it and re-prompts you to type a stronger password.

Actual results:
  if you input a too-short password like "bar" in the box twice,
  then lightdm accepts it and changes the password to the too-short one,
  although it says "BAD PASSWORD: it is WAY too short" and "BAD PASSWORD: is too simple".

WORKAROUND:
 1. use another display manager like gdm
 or
 2. use pam modules which can reject a weak password even if it is changed by root
    - libpam-passwdqc(universe) with "enforce=everyone"(default)
      instead of libpam-cracklib(main)
    - libpam-pwquality(universe) with "enforce_for_root" in quantal or higher
      instead of libpam-cracklib(main)
    - pam_pwhistory remember=N with "enforce_for_root"
      instead of pam_unix remember=N
    - (but no replacement of "reject_username" in pam_cracklib AFAIK)

NOTE:
 The passwd command run with user privileges properly rejects a too-short password, as shown below:

 $ passwd
(current) UNIX password: #<- type "foo"
New password: #<- type "bar"
BAD PASSWORD: it is WAY too short
New password: #<- type "bar"
BAD PASSWORD: it is WAY too short
New password: #<- type "bar"
BAD PASSWORD: it is WAY too short
passwd: Have exhausted maximum number of retries for service
passwd: password unchanged
Changing password for user1.

ProblemType: Bug
DistroRelease: Ubuntu 13.04
Package: lightdm 1.4.0-0ubuntu4
ProcVersionSignature: Ubuntu 3.8.0-6.13-generic 3.8.0-rc7
Uname: Linux 3.8.0-6-generic x86_64
ApportVersion: 2.8-0ubuntu4
Architecture: amd64
CasperVersion: 1.330
Date: Sun Feb 17 16:26:19 2013
LightdmConfig:
 [SeatDefaults]
 user-session=ubuntu
 greeter-session=unity-greeter
LiveMediaBuild: Ubuntu 13.04 "Raring Ringtail" - Alpha amd64 (20130217)
MarkForUpload: True
ProcEnviron:
 TERM=linux
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: lightdm
UpgradeStatus: No upgrade log present (probably fresh install)

Revision history for this message
Nobuto Murata (nobuto) wrote :

There is no special/secret way to reproduce this, i.e. the procedure is quite normal.

I will mark this issue as public.

information type: Private Security → Public Security
Matt Fischer (mfisch)
Changed in lightdm (Ubuntu):
status: New → Triaged
Revision history for this message
Nobuto Murata (nobuto) wrote :

The easiest workaround is using another display manager like gdm. But a possible workaround is using libpam-passwdqc (universe) instead of libpam-cracklib (main). With "enforce=everyone" (default), it can reject a password which does not meet the requirements even if it is changed by root.

But it cannot cover all the requirements other pam modules have, e.g. "reject_username" in pam_cracklib and "remember=n" in pam_unix.
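An added audit check (not from the report or from lightdm) that reads a PAM "password" stack and flags the module settings the WORKAROUND section and the comment above describe as only warning when root changes a password. The module and option names are the report's; the function name and the two sample stacks are constructed for this example.

```shell
# Added example, not part of the bug report: audit a PAM "password" stack for
# quality/history modules that only warn, not fail, when the caller is root
# (lightdm's forced password change). Exit status 0 if every such module
# enforces for root, 1 otherwise. Module/option names follow the report.
pam_enforces_for_root() {
    file="$1"
    rc=0
    # Keep only active "password" lines; drop comments.
    stack=$(grep -E '^[[:space:]]*password[[:space:]]' "$file" | grep -v '^[[:space:]]*#')
    # pam_cracklib has no option to enforce its checks for root.
    if printf '%s\n' "$stack" | grep -q 'pam_cracklib\.so'; then
        echo "$file: pam_cracklib.so only warns when root changes a password" >&2
        rc=1
    fi
    # pam_pwquality and pam_pwhistory must carry enforce_for_root.
    for mod in pam_pwquality pam_pwhistory; do
        if printf '%s\n' "$stack" | grep -F "$mod.so" | grep -qv 'enforce_for_root'; then
            echo "$file: $mod.so lacks enforce_for_root" >&2
            rc=1
        fi
    done
    # pam_passwdqc enforces for everyone by default; any other explicit value disables that.
    if printf '%s\n' "$stack" | grep 'pam_passwdqc\.so' | grep 'enforce=' | grep -qv 'enforce=everyone'; then
        echo "$file: pam_passwdqc.so enforce= is not set to everyone" >&2
        rc=1
    fi
    # remember=N on pam_unix is not enforced for root; the report moves it to pam_pwhistory.
    if printf '%s\n' "$stack" | grep 'pam_unix\.so' | grep -q 'remember='; then
        echo "$file: pam_unix.so remember= is not enforced for root; use pam_pwhistory" >&2
        rc=1
    fi
    return "$rc"
}
# Constructed sample stacks (not copied from any real system) to exercise the check.
tmp=$(mktemp -d)
cat > "$tmp/weak" <<'EOF'
password requisite pam_cracklib.so retry=3 minlen=8 difok=3 reject_username
password [success=1 default=ignore] pam_unix.so obscure use_authtok sha512 remember=5
EOF
cat > "$tmp/fixed" <<'EOF'
password requisite pam_pwquality.so retry=3 enforce_for_root
password required pam_pwhistory.so remember=5 enforce_for_root use_authtok
password [success=1 default=ignore] pam_unix.so obscure use_authtok sha512
EOF
pam_enforces_for_root "$tmp/weak"  || echo "weak: not enforced for root"
pam_enforces_for_root "$tmp/fixed" && echo "fixed: ok"
rm -rf "$tmp"
```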

Nobuto Murata (nobuto)
description: updated