--with-cracklib for Samba

Andrew Bartlett abartlet at samba.org
Thu Jan 16 06:30:01 GMT 2003 

On Thu, 2003-01-16 at 16:17, John H Terpstra wrote:
> Pierre,
> 
> Sounds interesting. Please keep this going as there is a lot of interest
> in forced secure password change process.

I certainly agree, as the one who put the comment there in the first
place :-).  We already have 'min password age', 'must change time' and
'must change now' working.  

Password history is also worth supporting in Samba, but watch out that
you need a long password history and long 'mis password age' before it
actually works.  Even then, we get password1, password2, password3...
unless we store plaintext passwords on disk.

> Strongly suggest getting the official sources updated, as you have already
> suggested. There should be someone who might want to help get this into
> the official code tree. Who knows, might even spawn a security update
> cycle.
> 
> - John T.
> 
> On Wed, 15 Jan 2003, Pierre Belanger wrote:
> 
> > Hi all,
> >
> > Last night I did a "grep -i todo" in the source code, to see
> > if I could contribute a little bit more ;-) I found the
> > following:
> >
> > smbd/chgpasswd.c:   /* TODO:  Add cracklib support here */
> >
> > I started working on this last night (using SAMBA_3_0
> > branch) and do have something working (the "configure.in",
> > documentation, etc is not done yet). I had to make my own
> > "API" to cracklib to make this work because the original API
> > uses getuid() and getpwuid() to get the username and fullname
> > (gecos). I also found a lot of places in the cracklib code
> > that is really not "full-proof". So... in the search for
> > a better solution:
> >
> > Tonight, I checked the "cracklib" included in "npasswd".
> > (I found a bug, it's also in the original cracklib!!!)
> > There isn't a better "API", still uses getuid()/getpwuid().

Yes - that is a problem.  We could cope, and use a 'become_user()' kind
of thing, but it's not pretty (particularly as we move aways from a
direct posix base, to a more NT abstraction layer).  Heimdal kerberos
supports 'password quality checking' and their example cracklib checker
had such a patch, giving a slightly sane interface.  

So, while others have noticed, nobody has really got around to fixing
it.  Sounds like a good time to start.

> > If the original cracklib or npasswd's cracklib is a
> > good idea for Samba, I'll contact the maintainer for both
> > products and see if they agree to "update" their code with
> > the new API and also update their download site(s). I have
> > the feeling "cracklib original" is quite dead unless there
> > is a new maintainer (found nothing on sourceforge /
> > freshmeat) and might have better chances with the cracklib
> > included in npasswd.
> >
> > Besides using cracklib for password changing, I thought
> > of the following idea. Once "cracklib" is enable, have
> > an attribute in smb.conf "force password change = yes".
> > Then at logon if the password is found by cracklib, force
> > the user to change their password right away. That's for
> > Samba 3.0.1 ;-) unless I easily find how to do this!
> > If you have other ideas let me know.

The problem here is that Samba doesn't have the plaintext password very
often - the password change is one of the few places, the rest of the
time we use challenge/response systems.

But running one of l0phtcrak's products (or similar) over the smbpasswd
file will certainly find the dictionary passwords pretty quickly.  You
can disable them manually from there.

> > Do I continue working on this or not?

Most certainly.

In the meantime, I would not object to such code being added directly to
Samba, or this being added to our plugin system - but I'll take comment
from the rest of the team on this.

Andrew Bartlett
-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20030116/9552e1ba/attachment.bin

More information about the samba-technical mailing list