Bug 1191842 - unable to continue the installation after type into a weak password
Summary: unable to continue the installation after type into a weak password
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: anaconda
Version: rawhide
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: David Cantrell
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: AcceptedBlocker
Duplicates: 1192147 1200968 1200999 1204374
Depends On:
Blocks: F22BetaBlocker
Reported: 2015-02-12 06:02 UTC by lnie
Modified: 2015-04-06 18:48 UTC

Fixed In Version: python-blivet-1.0.6-1.fc22
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-04-06 18:48:33 UTC
Type: Bug
Embargoed:
dshea: needinfo-


Attachments:
first screenshot (54.09 KB, image/png), 2015-02-12 06:02 UTC, lnie
screenshot2 (44.32 KB, image/png), 2015-02-12 06:35 UTC, lnie
screenshot3 (43.47 KB, image/png), 2015-02-12 06:36 UTC, lnie

Description lnie 2015-02-12 06:02:52 UTC
Created attachment 990738
first screenshot

Description of problem:
As shown in the first screenshot, nothing happens after I push the "Done" button on the ROOT PASSWORD page if I type in a "weak" password, which I think is not intended according to the last two screenshots. What's more, I think the password I gave is not so weak: 1201107lnie.

Version-Release number of selected component (if applicable):
 
How reproducible:
always


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 lnie 2015-02-12 06:35:43 UTC
Created attachment 990743
screenshot2

Comment 2 lnie 2015-02-12 06:36:24 UTC
Created attachment 990744
screenshot3

Comment 3 David Shea 2015-02-12 11:57:51 UTC
Anaconda no longer permits weak passwords in interactive installs.

Comment 4 David Shea 2015-02-12 18:07:50 UTC
*** Bug 1192147 has been marked as a duplicate of this bug. ***

Comment 5 Martin Sivák 2015-02-17 13:01:47 UTC
There is no way to configure what is considered a strong password in Anaconda. 

Anaconda should not dictate its own standards (when the "local" standards can be totally different). I can't accept an explanation that only tells me "sorry, no longer" without (at least) a link to where this was discussed with the community.

This will affect whole teams that need to repeatedly install Fedora to test and discard the machines a couple of times per day (read: all virtualization teams).

Comment 6 David Shea 2015-02-17 14:33:41 UTC
(In reply to Martin Sivák from comment #5)
> There is no way to configure what is considered a strong password in
> Anaconda.

The idea of what is or is not a good password is not really something appropriate for configuration.

> Anaconda should not dictate its own standards (when the "local" standards
> can be totally different).

Anaconda uses libpwquality to determine password quality, as the rest of Fedora's password utilities do, or at the very least should. https://fedorahosted.org/libpwquality/

> I can't accept an explanation that only tells me
> "sorry, no longer" without (at least) a link to where this was discussed
> with the community.

test.org and anaconda-devel-list

> This will affect whole teams that need to repeatedly install Fedora to test
> and discard the machines a couple of times per day (read: all virtualization
> teams).

So pick a better password for your virtual machines.

Comment 7 David Shea 2015-02-17 14:42:11 UTC
(In reply to Martin Sivák from comment #5)
> This will affect whole teams that need to repeatedly install Fedora to test
> and discard the machines a couple of times per day (read: all virtualization
> teams).

Also, if you are installing and discarding Fedora machines several times a day, perhaps you should consider kickstart? The password quality check does not affect kickstart.

Comment 8 Martin Sivák 2015-02-17 15:14:31 UTC
1) test.org and anaconda-devel-list

Seriously? What about fedora-devel? This affects the whole user base, discussing this only on "internal" development lists is definitely not enough.

2) The idea of what is or is not a good password is not really something appropriate for configuration.
 
I suppose you have never heard about OpenSCAP? http://www.open-scap.org/page/Main_Page

Vrata (vpodzime) actually wrote an Anaconda add-on that can do security configuration checks during installation. And that includes password complexity. This change prevents it from working properly.

3) Anaconda uses libpwquality to determine password quality, as the rest of Fedora's password utilities do, or at the very least should. https://fedorahosted.org/libpwquality/

passwd does not enforce the password strength by default. Nor does any other tool I know about. All only warn in the default configuration.

4) Also, if you are installing and discarding Fedora machines several times a day, perhaps you should consider kickstart? The password quality check does not affect kickstart.

Ever tried typing a kickstart URL on a dumb serial console? Or in VNC without copy and paste support? Clicking through is faster.



There were very good reasons for not forcing the user to select a very strong password. And I am not aware of any other distribution that would do it either. But I haven't looked for some time.

People who want to try Fedora will be seriously annoyed by this. The same applies to developers and testers when this hits a release.

Just FYI, this is being discussed on FESCo level now:

https://fedorahosted.org/fesco/ticket/1412

Comment 9 Stephen Gallagher 2015-03-04 21:27:16 UTC
Reopening this ticket.

At today's FESCo meeting, the following decision was made:
"FESCo would like anaconda to turn back on the "double-done" option for Fedora 22. Better solutions should be investigated for F23."

By "double-done", we are referring to the option to click Done a second time to accept an insufficiently-strict password.

Comment 10 David Shea 2015-03-11 18:13:59 UTC
*** Bug 1200968 has been marked as a duplicate of this bug. ***

Comment 11 David Shea 2015-03-11 19:17:57 UTC
*** Bug 1200999 has been marked as a duplicate of this bug. ***

Comment 12 Fedora Blocker Bugs Application 2015-03-11 19:19:35 UTC
Proposed as a Blocker for 22-beta by Fedora user thozza using the blocker tracking app because:

On today's FESCo meeting, we agreed to file a Beta blocker bug for anaconda for tracking due to https://fedorahosted.org/fesco/ticket/1412. Please refer to the meeting minutes log for more details:
http://meetbot.fedoraproject.org/fedora-meeting/2015-03-11/fesco.2015-03-11-18.01.txt
http://meetbot.fedoraproject.org/fedora-meeting/2015-03-11/fesco.2015-03-11-18.01.log.html

Comment 13 Dan Mossor [danofsatx] 2015-03-16 17:34:42 UTC
Discussed at Fedora Blocker Review Meeting 2015-03-16[0]:

AcceptedBlocker for Beta: This bug was nominated by FESCo as a blocker[1], violating the Alpha release criterion[2]: "All bugs deemed by FESCo to block the milestone release must be fixed."

[0]: http://meetbot.fedoraproject.org/fedora-blocker-review/2015-03-16/f22-blocker-review.2015-03-16-16.01.log.txt
[1]: https://fedorahosted.org/fesco/ticket/1412
[2]: https://fedoraproject.org/wiki/Fedora_22_Alpha_Release_Criteria#FESCo_blocker_bugs

Comment 14 Brian Lane 2015-03-20 15:27:51 UTC
Anaconda now has the ability to allow users to create a consistent policy for the various password entries during installation. The new kickstart %anaconda section and pwpolicy command implement this, as documented here - https://github.com/rhinstaller/anaconda/commit/8f24eeaedd7691b6ebe119592e5bc09c1c42e181

Products can implement their own policy by including a modified copy of https://github.com/rhinstaller/anaconda/blob/f22-branch/data/interactive-defaults.ks in their product.img -- drop it into /usr/share/anaconda/ and it will overwrite the default.

Currently you can adjust the policy for the root configuration spoke, the user spoke and the luks passphrase entry.
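
A defender's check on the policy file described in comment 14, as an added example that is not anaconda's own code: it parses the pwpolicy lines of a kickstart %anaconda section and reports settings that let a weak password through, including the "double-done" behaviour from comment 9. The sample file is constructed, and the values assumed for omitted options and the 8-character threshold are this example's choices, not the project's defaults.

```python
import argparse
import shlex

# Constructed sample in the layout of interactive-defaults.ks; values are illustrative.
SAMPLE_KS = """\
%anaconda
pwpolicy root --notstrict --minlen=6 --minquality=1 --nochanges --emptyok
pwpolicy user --strict --minlen=8 --minquality=50 --nochanges --notempty
pwpolicy luks --notstrict --minlen=8 --minquality=50 --nochanges --notempty
%end
"""

def _pwpolicy_parser():
    p = argparse.ArgumentParser(prog="pwpolicy", add_help=False)
    p.add_argument("name")  # root, user or luks
    p.add_argument("--minlen", type=int)
    p.add_argument("--minquality", type=int)
    for on, off, dest in (("--strict", "--notstrict", "strict"),
                          ("--emptyok", "--notempty", "emptyok"),
                          ("--changesok", "--nochanges", "changesok")):
        p.add_argument(on, dest=dest, action="store_true")
        p.add_argument(off, dest=dest, action="store_false")
    # Values assumed when an option is omitted are this example's choice.
    p.set_defaults(minlen=0, minquality=0, strict=True, emptyok=False, changesok=False)
    return p

def parse_policies(ks_text):
    """Return {name: Namespace} for pwpolicy lines inside %anaconda ... %end."""
    parser, policies, in_section = _pwpolicy_parser(), {}, False
    for line in ks_text.splitlines():
        words = shlex.split(line, comments=True) or [""]  # blank or comment line
        if words[0] in ("%anaconda", "%end"):
            in_section = words[0] == "%anaconda"
        elif in_section and words[0] == "pwpolicy":
            args = parser.parse_args(words[1:])
            policies[args.name] = args
    return policies

def audit(policies, required_minlen=8):
    """List (entry, finding) pairs for settings that let a weak password through."""
    findings = []
    for name, pol in policies.items():
        if not pol.strict:
            findings.append((name, "notstrict: second Done accepts a weak password"))
        if pol.emptyok:
            findings.append((name, "emptyok: empty password allowed"))
        if pol.minlen < required_minlen:
            findings.append((name, "minlen %d below %d" % (pol.minlen, required_minlen)))
    return findings
```

Calling `audit(parse_policies(text))` on the contents of a product's interactive-defaults.ks returns an empty list only when every listed entry is strict, non-empty and at least `required_minlen` long.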

Comment 15 David Shea 2015-03-23 13:21:38 UTC
*** Bug 1204374 has been marked as a duplicate of this bug. ***

Comment 16 Jaroslav Reznik 2015-03-30 14:01:34 UTC
From 2015-03-25 FESCo meeting:
AGREED: In f22, default back to f21 anaconda password behavior, ask anaconda developers, fedora-release and releng folks to make this change happen before Beta freeze.

So FESCo still asks for a change in the behaviour. The main question raised was how to implement this change for deliverables that do not use product.img.

Comment 17 Fedora Update System 2015-04-02 19:26:32 UTC
python-blivet-1.0.6-1.fc22, anaconda-22.20.8-1.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/python-blivet-1.0.6-1.fc22,anaconda-22.20.8-1.fc22

Comment 18 Fedora Update System 2015-04-04 16:32:30 UTC
Package python-blivet-1.0.6-1.fc22, anaconda-22.20.8-1.fc22:
* should fix your issue,
* was pushed to the Fedora 22 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing python-blivet-1.0.6-1.fc22 anaconda-22.20.8-1.fc22'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-5530/python-blivet-1.0.6-1.fc22,anaconda-22.20.8-1.fc22
then log in and leave karma (feedback).

Comment 19 Fedora Update System 2015-04-06 18:48:33 UTC
python-blivet-1.0.6-1.fc22, anaconda-22.20.8-1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

