--with-cracklib (phase 2)
Pierre Belanger
pbelang1 at oss.cantel.rogers.com
Fri Jan 17 21:21:00 GMT 2003
Hi,
Here's what I've done so far:
- Added a simple API in cracklib for Samba, works great.
- Sent an email to Alec Muffett, author of cracklib asking
him if he can add this new API that doesn't use
"getuid() & getpwuid()".
- Sent an email to Chris Hoover, author of "npasswd" asking
him a few questions about his work and also if he could
add the new "API" in the npasswd's cracklib distribution.
Note: npasswd's cracklib is modified to do a much better
check (mangle). He added some code from "Crack"
which Alec never added in cracklib. npasswd's new
cracklib "API" does not use getuid / getpwuid which
is what we need but it doesn't check against the
username & full username info. I think this is really
important.
Issues & questions:
- Will we ever see more work on cracklib? Nothing has changed
since 1997. We know we need to add an "API" that doesn't
use "getuid() / getpwuid()". If Alec and/or Chris don't
want to add an API that doesn't use the get{pw}uid(),
we can:
1- Add a patch to cracklib in a "contrib" directory, link
Samba with "libcrack.a"
2- Commit an API in "Samba", still link with "libcrack.a"
for the rest of the functionalities.
3- Commit a "samba-cracklib" in SAMBA_X_Y , i.e. fully
integrate samba-cracklib in Samba (no more
fprintf(stderr,...), etc), when possible use Samba's
"string" functions instead of cracklib's original.
Don't use sprintf, use Samba's snprintf, etc.
[Q] What do you think is the best thing to do? I don't like #1.
#2 is possible, we'll probably end up with our own re-written
"fascist.c".
Some "meat" now, not a big piece!
Added the following code in smbd/chgpassword.c ~ line 973:
#ifdef CRACKLIB
	/* NewFascistCheck() returns NULL when the password is acceptable,
	 * otherwise a reason string; it also checks username and full name. */
	if ((msg = NewFascistCheck(new_passwd, CRACKLIB_DICTPATH,
				   pdb_get_username(hnd), pdb_get_fullname(hnd)))) {
		DEBUG(0, ("Can't change password - "
			  "Cracklib returns: %s\n", msg));
		return NT_STATUS_ACCESS_DENIED;
		/* return NT_STATUS_PASSWORD_RESTRICTION; */
	}
#endif
[Q] Do we want to be able to configure the dictionary name
within the smb.conf (char *) or "hard-coded" in cracklib?
Perhaps we want to be able to specify multiple directories
(char **). npasswd uses "(char **)" (multiple). I have
no preference.
As you probably all know, I'm no Windows protocol guru!
[Q] Is NT_STATUS_ACCESS_DENIED the right value to return
when "cracklib" "finds the password" in the dictionary?
[Q] Is it possible to send back a real message? It could
be "The specified password is invalid. Please choose
a password not based on a dictionary word" or
"password not long enough - minimum X characters", etc.
When I change my password here @ work (with a Windows
backend domain controller), I can't take any of my
previous ~ 3 passwords. I do get an understandable error
message. Is everything needed to send back a "good"
error message already in Samba? If so, how? If not,
well I might need to install a good sniffer and read
a few more documents to understand "windows protocol"
unless someone here already knows how to do this.
Any other comments are welcome.
Thank you *very much* - enjoy the weekend.
Pierre B.
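An added example, not code from Pierre's mail, cracklib or Samba: a hypothetical sample_password_check() in C with the same calling shape as the NewFascistCheck() call above (NULL means the password is acceptable, otherwise a reason string the caller can log), including the username and full-name check the mail says is important. The in-memory dictionary and the substring/reversal "mangle" rule are constructed, simplified stand-ins for cracklib's real dictionary and rule set.

```c
#include <ctype.h>
#include <string.h>
/* Constructed in-memory "dictionary" standing in for CRACKLIB_DICTPATH. */
static const char *const dict[] = { "password", "secret", "letmein", "samba", NULL };

/* Lower-case copy of src into dst (dst holds at least n bytes). */
static void lower_copy(char *dst, const char *src, size_t n)
{
    size_t i;
    for (i = 0; i + 1 < n && src[i]; i++)
        dst[i] = (char)tolower((unsigned char)src[i]);
    dst[i] = '\0';
}

/* Reverse s in place. */
static void reverse(char *s)
{
    size_t i, j = strlen(s);
    for (i = 0; j > 0 && i < --j; i++) { char t = s[i]; s[i] = s[j]; s[j] = t; }
}

/* True if word (4+ chars) or its reversal occurs in the lower-cased password:
   a tiny stand-in for cracklib's mangle rules. */
static int matches_word(const char *lpw, const char *word)
{
    char lw[128];
    if (!word || strlen(word) < 4) return 0;
    lower_copy(lw, word, sizeof lw);
    if (strstr(lpw, lw)) return 1;
    reverse(lw);
    return strstr(lpw, lw) != NULL;
}

/* Hypothetical stand-in for NewFascistCheck(): NULL means the password is
   acceptable, otherwise a static reason string the caller can log or return. */
const char *sample_password_check(const char *pw, const char *user, const char *fullname)
{
    char lpw[128], name[128], *tok;
    size_t i;
    if (strlen(pw) < 8) return "password not long enough - minimum 8 characters";
    lower_copy(lpw, pw, sizeof lpw);
    if (matches_word(lpw, user)) return "password is based on the username";
    /* Check each word of the full name, e.g. "Pierre Belanger" -> pierre, belanger. */
    lower_copy(name, fullname ? fullname : "", sizeof name);
    for (tok = strtok(name, " "); tok; tok = strtok(NULL, " "))
        if (matches_word(lpw, tok)) return "password is based on the user's full name";
    for (i = 0; dict[i]; i++)
        if (matches_word(lpw, dict[i])) return "password is based on a dictionary word";
    return NULL;
}
```

The reason string is what a caller would pass to DEBUG() or map onto a client-visible status such as the commented-out NT_STATUS_PASSWORD_RESTRICTION.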