Small password should not log in

Bug #31969 reported by Lean Fuglsang
Affects: pam (Ubuntu)
Status: Confirmed
Importance: Wishlist
Assigned to: Rick Clark

Bug Description

There are some people in the security forum who get hacked because they have enabled ssh, and have an easily guessable password.
What about not letting users be able to log in over ssh, when they have a small password?
This should mitigate the number one security problem, according to http://www.ubuntuforums.org/forumdisplay.php?f=7.

Dennis Kaarsemaker (dennis) wrote :

Such a feature request should be discussed on something more visible than a bug report because it is quite invasive. Best is to write a spec for it to be discussed on the next Ubuntu conference.

Changed in openssh:
status: Unconfirmed → Rejected
Colin Watson (cjwatson) wrote :

I disagree. A specification is arguably too heavyweight for this, and the bug can and should stay open in the meantime.

Changed in openssh:
status: Rejected → Unconfirmed
Rick Clark (dendrobates) wrote :

This should not be implemented at login time. That could cause a user to be locked out. This should be implemented during a password change. Of course, root can and always should be able to avoid such restrictions.

Rick Clark (dendrobates)
Changed in pam:
assignee: nobody → dendrobates
status: New → Confirmed
status: Confirmed → Triaged
Micah Cowan (micahcowan) wrote :

Use PAM's cracklib module on the "passwd" command. That's what it's for.

On Ubuntu, should involve uncommenting the following line in /etc/pam.d/common-password:

# password required pam_cracklib.so retry=3 minlen=6 difok=3

Definitely not a ssh bug (ssh should not be in the business of locking users out because their password isn't great), so I'm going to close this out, unless someone can find (a) a reason this is a bug, and (b) a target for it (or assign to Ubuntu).
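
A defender's check for the setting described in the comment above, as an added example that is not part of the original bug thread: it parses the text of a pam.d password file and reports whether the pam_cracklib line is active or still commented out. The function name `audit_cracklib`, the `want_minlen` threshold and the sample file contents are assumptions constructed for illustration.

```python
import re

# Constructed sample inputs (not copied from a real system).
STOCK = """\
# password required pam_cracklib.so retry=3 minlen=6 difok=3
password required pam_unix.so nullok obscure md5
"""
ENABLED = """\
password required pam_cracklib.so retry=3 minlen=6 difok=3
password required pam_unix.so use_authtok nullok md5
"""

# Fields: type, control (plain word or [bracketed list]), module, optional args
PAM_LINE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def audit_cracklib(text, want_minlen=6):
    """Report whether pam_cracklib guards password changes in a pam.d file."""
    report = {"active": False, "commented_out": False, "args": {}, "issues": []}
    for raw in text.splitlines():
        line = raw.strip()
        commented = line.startswith("#")
        m = PAM_LINE.match(line.lstrip("#").strip())
        if not m:
            continue
        ptype, control, module, args = m.groups()
        if ptype.lstrip("-") != "password" or "pam_cracklib" not in module:
            continue
        if commented:
            report["commented_out"] = True  # shipped but disabled
            continue
        report["active"] = True
        report["args"] = dict(a.split("=", 1) if "=" in a else (a, "")
                              for a in args.split())
        if control not in ("required", "requisite"):
            report["issues"].append(f"control '{control}' may not enforce the check")
        minlen = report["args"].get("minlen")
        if minlen is not None and int(minlen) < want_minlen:
            report["issues"].append(f"minlen={minlen} is below {want_minlen}")
    if not report["active"]:
        hint = " (line present but commented out)" if report["commented_out"] else ""
        report["issues"].append("pam_cracklib is not enabled" + hint)
    return report

if __name__ == "__main__":
    for name, text in (("stock", STOCK), ("enabled", ENABLED)):
        print(name, audit_cracklib(text))
```

To audit a real system, pass the contents of /etc/pam.d/common-password as `text`.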

Micah Cowan (micahcowan) wrote :

(nm, not closing, as it's assigned: I'll let Rick do it, if he chooses)

Rick Clark (dendrobates) wrote :

Micah, I agree, I left it open as a wishlist item, to discuss whether we should enable cracklib by default, or give users an option at install time. I might close it later.

Rick

Rick Clark (dendrobates)
Changed in pam:
status: Triaged → Confirmed