password quality script aka --with-cracklib replacement

Pierre Belanger belanger at
Wed Feb 12 04:30:49 GMT 2003


Here's what I've come up for the "password quality script",
cracklib "replacement" after exchanging a few email and reading
what came up on the mailing list. Your comments are again very
welcome -- I've come up with this but if it's all wrong fell
free to "blast me" ;-) I had good fun doing it and if something
needs to be change, I'll be happy to change it! The code, the
documentation and an example script are ready. I even stepped
out of the code a few days came back and made a few more

1) cracklib

The idea to have cracklib (v2.7) directly linked in smbd was
abandon because it was adding support *only* for cracklib
and a few changes were required in cracklib's code. Cracklib
is under "artistic" license which is not compatible with GNU,

2) password quality script

What is it? I have my own comments at the end ...

 From the documentation I wrote (even if I'm French I think it's not
that bad!?!?!?):

           Full path to the script that  will  be  called  when  a
           request for change password is received. It will be run
           by smbd as non-ROOT.

           The script is responsible to accept or refuse  the  new
           password  based on its own rules. As an example, it can
           be a script refusing a weak password based  on  a  dic-
           tionary word.

           Samba back end communicates with the  password  quality
           program  by  writing data to its STDIN and reading data
           from its STDOUT.  Samba  writes  a  block  of  data  in
           "Field:value\n"  terminated by a ".\n" at the beginning
           of a new line.

           1) smbd to ---> Password quality script "STDIN"


           The above  fields  are  filled  with  their  respective
           value.   Once  smbd  writes  on the last line ".\n", it
           waits from the script its response and exit status.

           IMPORTANT NOTES: The "smbd-version-string" may  contain
           alpha  characters,  for  example:  2.2.8pre1. The "new-
           password" may have a leading or trailing  space  --  be
           carefull when parsing the data.

           2) Password quality script "STDOUT" to ---> smbd


           The "ntstatus-string" value  must  used  one  the  pre-
           defined NTSTATUS (nterr.h) values. In this context:

           NT_STATUS_OK # New password accepted

           NT_STATUS_ACCESS_DENIED # Error occured in the script

           NT_STATUS_PASSWORD_RESTRICTION # Too short,  weak, etc.

           The "result-string" value is used to  provide  informa-
           tion (debug info) to smbd. For examples:

                     Result:Password is based on dictionary word\n


                     Result:New password is accepted\n

           smbd will always return an error to the client and does
           not  change  the  current  password unless the NTStatus
           value is equal to "NT_STATUS_OK" and the exit status of
           the script equal to 0.

           Default: password quality script = <empty string>

           Example:      password      quality      script       =

Do you wonder why sending the "smbd-version-string"? Perhaps
in the future a new NTSTATUS will be added. The only way for the
external program to know if it can use the new value is by
knowing the version of Samba! There are other possible examples.

[Q] What do we do with the fullname? We don't care? What if it's not
available ('\0')? Do we write to the external program an empty string
like this  ->Fullname:\n<-  or we just don't send the fullname field
to the external program or perhaps something like "Fullname:Unknown\n"?
I think -- either we always send something (Unknown when it's empty)
or we just don't send it. I think it's less confusing for everyone
is we write in the documentation if fullname is not known, we write
"Unknown" (or empty or NULL!).

Let me know what you think and/or other ideas.

Thank you again,
Pierre B.

More information about the samba-technical mailing list