258535 – Not having a NUMBER in min position N3 of pam_passwdqc.so configuration causes in valid password size

Bug 258535 - Not having a NUMBER in min position N3 of pam_passwdqc.so configuration causes in valid password size

Summary: Not having a NUMBER in min position N3 of pam_passwdqc.so configuration cause...

Status:	New

Alias:	None

Product:	Base System
Classification:	Unclassified
Component:	conf (show other bugs)
Version:	12.2-STABLE
Hardware:	amd64 Any

Importance:	--- Affects Many People
Assignee:	freebsd-bugs (Nobody)

URL:
Keywords:

Depends on:
Blocks:

Reported:	2021-09-16 14:57 UTC by jeff.lanzarotta
Modified:	2021-09-16 14:57 UTC (History)
CC List:	0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description jeff.lanzarotta 2021-09-16 14:57:36 UTC

When configuring PAM with the following line:

----
password requisite pam_passwdqc.so min=disabled,disabled,disabled,disabled,8 max=40 similar=deny retry=3 random=0 ask_oldauthtok enforce=everyone
----

and a change to a password is requested, the the following message is displayed:

----
You can now choose the new password.
A valid password should be a mix of upper and lower case letters,
digits and other characters.  You can use a 2147483647 character long
password with characters from at least 3 of these 4 classes, or
an 8 character long password containing characters from all the
classes.  Characters that form a common pattern are discarded by
the check.
Enter new password:
----

In my opinion, having a 2147483647 character long password is a bit ridiculous.  When pam_passwdqc.so encounters the word "disabled" it looks like it converted to MAX_INT.  Is there a better "default" character length that could be displayed?