2013-03-24 06:35:38 |
Nobuto Murata |
description |
Even if libpam-cracklib is installed, lightdm accepts a too-short password.
This might be a security issue because a user can ignore the password policy defined by root.
How to reproduce:
1. install libpam-cracklib
2. create "user1" with password "foo"
3. expire user1's password as root
$ sudo passwd -e user1
4. try to log in as user1 on lightdm with password "foo"
5. get "You are required to change password" message
and be prompted to input a new password
Expected results:
if you input a too-short password like "bar" in the box,
then lightdm rejects it and re-prompts you to type a stronger password.
Actual results:
if you input a too-short password like "bar" in the box twice,
then lightdm accepts it and changes the password to the too-short one,
although it says "BAD PASSWORD: it is WAY too short" and "BAD PASSWORD: is too simple"
NOTE:
The passwd command, run with user privileges, properly rejects a too-short password, like below:
$ passwd
(current) UNIX password: #<- type "foo"
New password: #<- type "bar"
BAD PASSWORD: it is WAY too short
New password: #<- type "bar"
BAD PASSWORD: it is WAY too short
New password: #<- type "bar"
BAD PASSWORD: it is WAY too short
passwd: Have exhausted maximum number of retries for service
passwd: password unchanged
Changing password for user1.
ProblemType: Bug
DistroRelease: Ubuntu 13.04
Package: lightdm 1.4.0-0ubuntu4
ProcVersionSignature: Ubuntu 3.8.0-6.13-generic 3.8.0-rc7
Uname: Linux 3.8.0-6-generic x86_64
ApportVersion: 2.8-0ubuntu4
Architecture: amd64
CasperVersion: 1.330
Date: Sun Feb 17 16:26:19 2013
LightdmConfig:
[SeatDefaults]
user-session=ubuntu
greeter-session=unity-greeter
LiveMediaBuild: Ubuntu 13.04 "Raring Ringtail" - Alpha amd64 (20130217)
MarkForUpload: True
ProcEnviron:
TERM=linux
PATH=(custom, no user)
XDG_RUNTIME_DIR=<set>
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: lightdm
UpgradeStatus: No upgrade log present (probably fresh install) |
WORKAROUND:
1. use another display manager like gdm
or
2. use PAM modules which can reject a weak password even if it is changed by root
- libpam-passwdqc (universe) with "enforce=everyone" (default)
instead of libpam-cracklib (main)
- libpam-pwquality (universe) with "enforce_for_root" in quantal or higher
instead of libpam-cracklib (main)
- pam_pwhistory remember=N with "enforce_for_root"
instead of pam_unix remember=N
- (but no replacement for "reject_username" in pam_cracklib AFAIK)
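As an added example (not from the bug report or the lightdm project), a small POSIX shell audit of a PAM password stack, read on stdin, that flags quality-module lines which would only warn rather than reject when a root-privileged caller such as lightdm performs the change; it assumes the documented option names for pam_cracklib, pam_pwquality and pam_passwdqc, and the two stacks embedded in it are constructed samples.

```shell
#!/bin/sh
# Added audit helper: read the "password" type of a PAM stack (for example
# /etc/pam.d/common-password) on stdin and report quality-module lines that
# would only warn, not reject, when root (here: lightdm handling the expiry)
# performs the change. Returns 0 only if a quality module is present and
# every quality line enforces against root. Option names are the documented
# ones; the two stacks at the bottom are constructed samples, not real files.
pam_quality_enforced_for_root() {
    # Keep active (uncommented) lines of the "password" type only.
    stack=$(grep -v '^[[:space:]]*#' | grep -E '^[[:space:]]*password[[:space:]]' || true)
    quality=$(printf '%s\n' "$stack" | grep -E 'pam_(cracklib|pwquality|passwdqc)\.so' || true)
    if [ -z "$quality" ]; then
        echo "FAIL: no password-quality module in the password stack"
        return 1
    fi
    # pam_cracklib / pam_pwquality only print "BAD PASSWORD: ..." for a root
    # caller unless enforce_for_root is given (the report treats the cracklib
    # of its day as lacking that option, so such lines are flagged here).
    no_root=$(printf '%s\n' "$quality" | grep -E 'pam_(cracklib|pwquality)\.so' \
              | grep -vc 'enforce_for_root' || true)
    # pam_passwdqc enforces for everyone by default; enforce=users/none opt out.
    qc_opt_out=$(printf '%s\n' "$quality" | grep 'pam_passwdqc\.so' \
              | grep -Ec 'enforce=(users|none)' || true)
    weak=$((no_root + qc_opt_out))
    if [ "$weak" -gt 0 ]; then
        echo "FAIL: $weak quality line(s) do not enforce for root:"
        printf '%s\n' "$quality"
        return 1
    fi
    echo "OK: password quality is enforced even for root-driven changes"
    return 0
}

# Constructed sample: the stack the report describes (cracklib, root bypass).
WEAK_STACK='password requisite pam_cracklib.so retry=3 minlen=8 difok=3
password [success=1 default=ignore] pam_unix.so obscure use_authtok sha512
password requisite pam_deny.so
password required pam_permit.so'

# Constructed sample: the workaround from the report, pam_pwquality with enforce_for_root.
FIXED_STACK='password requisite pam_pwquality.so retry=3 enforce_for_root
password [success=1 default=ignore] pam_unix.so obscure use_authtok sha512
password requisite pam_deny.so
password required pam_permit.so'

printf '%s\n' "$WEAK_STACK" | pam_quality_enforced_for_root || true   # expected: FAIL
printf '%s\n' "$FIXED_STACK" | pam_quality_enforced_for_root           # expected: OK
```

Run it as `sh audit.sh`, or feed a real stack with `pam_quality_enforced_for_root < /etc/pam.d/common-password` after sourcing the file.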