Package: libpam-cracklib
Version: 1.1.1-2
Severity: normal

$ sudo passwd testuser
Password:
Retype new password:
Sorry, passwords do not match.
Password:
BAD PASSWORD: it is too short
BAD PASSWORD: is too simple
Retype new password:
passwd: password updated successfully

I expected to be forced to enter a new password rather than having
passwd accept the weak password 'hello'.

Here's my configuration, from /etc/pam.d/common-passwd:

# here are the per-package modules (the "Primary" block)
password requisite pam_cracklib.so retry=3 difok=4 minlen=10
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512 remember=6
# here's the fallback if no module succeeds
password requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password required pam_permit.so
# and here are more per-package modules (the "Additional" block)
password optional pam_smbpass.so nullok use_authtok use_first_pass

I don't recall modifying any of the control values, so they came from
pam-auth-update's logic. The 'requisite' value for cracklib would
presumably cause password changing to abort immediately if cracklib did
indeed indicate failure, so I guess it's cracklib that is not correctly
doing that.

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (530, 'testing'), (520, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
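
The reasoning in the report about the control values can be checked with a small model of how the quoted stack is walked. This is an added example, not part of the original report or of Linux-PAM: it models a single pass over the stack, the module return values are supplied by hand rather than produced by real modules, and `parse`, `run_stack` and the lower-case return names are illustrative.

```python
# Simplified single-pass model of libpam control handling (added example, assumptions noted).
ALIASES = {  # bracket equivalents of the keyword controls
    "requisite": {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "required": {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "optional": {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
# Password stack as quoted in the report, comment lines removed.
STACK = """\
password requisite pam_cracklib.so retry=3 difok=4 minlen=10
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512 remember=6
password requisite pam_deny.so
password required pam_permit.so
password optional pam_smbpass.so nullok use_authtok use_first_pass
"""
ALWAYS = {"pam_deny.so": "authtok_err"}  # pam_deny fails whenever it is reached

def parse(text):
    rules = []
    for line in text.strip().splitlines():
        rest = line.split(None, 1)[1]          # drop the "password" type field
        if rest.startswith("["):
            ctl, tail = rest[1:].split("]", 1)
            actions = dict(kv.split("=") for kv in ctl.split())
        else:
            ctl, tail = rest.split(None, 1)
            actions = ALIASES[ctl]
        rules.append((tail.split()[0], actions))
    return rules

def run_stack(rules, returns):
    """returns: module -> hypothetical return name; unlisted modules return 'success'."""
    status, failed, trace, i = None, False, [], 0
    while i < len(rules):
        module, actions = rules[i]
        ret = returns.get(module, ALWAYS.get(module, "success"))
        action = actions.get(ret, actions["default"])
        trace.append((module, ret, action))
        i += 1
        if action in ("bad", "die"):
            if not failed:
                status, failed = ret, True
            if action == "die":                # requisite failure: stop at this line
                break
        elif action == "ok" and not failed and status in (None, "success"):
            status = ret
        elif action.isdigit():
            i += int(action)                   # jump over the next N modules
    return status or "no_result", trace
```

With every module succeeding, `run_stack(parse(STACK), {})` returns `success` and skips `pam_deny.so`; with `{"pam_cracklib.so": "authtok_err"}` it stops at the first line, which is the behaviour the report expected.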