password quality script aka --with-cracklib replacement
Pierre Belanger
belanger at pobox.com
Wed Feb 12 04:30:49 GMT 2003
Hi,
Here's what I've come up with for the "password quality script",
cracklib "replacement", after exchanging a few emails and reading
what came up on the mailing list. Your comments are again very
welcome -- I've come up with this, but if it's all wrong feel
free to "blast me" ;-) I had good fun doing it and if something
needs to be changed, I'll be happy to change it! The code, the
documentation and an example script are ready. I even stepped
away from the code for a few days, came back and made a few more
changes.
1) cracklib
The idea of having cracklib (v2.7) directly linked into smbd was
abandoned because it was adding support *only* for cracklib
and a few changes were required in cracklib's code. Cracklib
is under the "artistic" license, which is not compatible with GNU,
etc.
2) password quality script
What is it? I have my own comments at the end ...
From the documentation I wrote (even though I'm French, I think it's not
that bad!?!?!?):
Full path to the script that will be called when a
request to change a password is received. It will be run
by smbd as non-ROOT.
The script is responsible for accepting or refusing the new
password based on its own rules. For example, it can
be a script refusing a weak password based on a dictionary
word.
The Samba back end communicates with the password quality
program by writing data to its STDIN and reading data
from its STDOUT. Samba writes a block of data in
"Field:value\n" format, terminated by a ".\n" at the beginning
of a new line.
1) smbd to ---> Password quality script "STDIN"
Version:smbd-version-string\n
Username:username\n
Fullname:fullname\n
Password:new-password\n
.\n
The above fields are filled with their respective
values. Once smbd writes the last line ".\n", it
waits for the script's response and exit status.
IMPORTANT NOTES: The "smbd-version-string" may contain
alpha characters, for example: 2.2.8pre1. The
"new-password" may have a leading or trailing space -- be
careful when parsing the data.
2) Password quality script "STDOUT" to ---> smbd
NTStatus:ntstatus-string\n
Result:result-string\n
.\n
The "ntstatus-string" value must use one of the
pre-defined NTSTATUS (nterr.h) values. In this context:
NT_STATUS_OK # New password accepted
NT_STATUS_ACCESS_DENIED # Error occurred in the script
NT_STATUS_PASSWORD_RESTRICTION # Too short, weak, etc.
The "result-string" value is used to provide
information (debug info) to smbd. For example:
NTStatus:NT_STATUS_PASSWORD_RESTRICTION\n
Result:Password is based on dictionary word\n
or
NTStatus:NT_STATUS_OK\n
Result:New password is accepted\n
smbd will always return an error to the client and does
not change the current password unless the NTStatus
value is equal to "NT_STATUS_OK" and the exit status of
the script is equal to 0.
Default: password quality script = <empty string>
Example: password quality script =
/usr/local/samba/sbin/password-quality.pl
Do you wonder why I'm sending the "smbd-version-string"? Perhaps
in the future a new NTSTATUS will be added. The only way for the
external program to know if it can use the new value is by
knowing the version of Samba! There are other possible examples.
[Q] What do we do with the fullname? We don't care? What if it's not
available ('\0')? Do we write to the external program an empty string
like this ->Fullname:\n<-, or do we just not send the fullname field
to the external program, or perhaps something like "Fullname:Unknown\n"?
I think -- either we always send something (Unknown when it's empty)
or we just don't send it. I think it's less confusing for everyone
if we write in the documentation that if the fullname is not known, we write
"Unknown" (or empty or NULL!).
Let me know what you think and/or other ideas.
Thank you again,
Pierre B.
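As an added worked example of the STDIN/STDOUT exchange documented in the message above (my own Python, not Pierre's Perl script and not Samba code): a password quality script that parses the "Field:value\n" block up to ".\n", keeps the password verbatim so a leading or trailing space survives, treats Fullname as optional since the message leaves that open, and answers with the NTStatus/Result block. The quality rules themselves (minimum length, username check, a small word list, three character classes) and the word list are assumptions chosen for illustration; the NTSTATUS names are the three the message lists. build_request and handle_text exist only so the exchange can be exercised in-process with a constructed request.

```python
#!/usr/bin/env python3
"""Password quality script for the smbd STDIN/STDOUT protocol.

Added example; not Samba's password-quality.pl.  The rules and the word
list are assumptions for illustration, the I/O format follows the
documentation quoted in the message."""
import io
import sys

MIN_LENGTH = 8
# Constructed word list for the example; a real script would load cracklib's
# dictionary or another word list from a file readable by smbd's non-root user.
WEAK_WORDS = ("password", "samba", "secret", "welcome", "letmein", "qwerty")

NT_STATUS_OK = "NT_STATUS_OK"
NT_STATUS_ACCESS_DENIED = "NT_STATUS_ACCESS_DENIED"
NT_STATUS_PASSWORD_RESTRICTION = "NT_STATUS_PASSWORD_RESTRICTION"


def parse_request(stream):
    """Read smbd's "Field:value\\n" block up to the ".\\n" terminator.

    Values are kept verbatim: only the trailing "\\n" is removed, because the
    new password may legitimately start or end with a space.  Returns the
    field dict and whether the terminator was seen; raises ValueError on a
    line that is neither "Field:value" nor ".".
    """
    fields = {}
    for raw in stream:
        line = raw[:-1] if raw.endswith("\n") else raw
        if line == ".":
            return fields, True
        name, sep, value = line.partition(":")   # value may itself contain ':'
        if not sep or not name:
            raise ValueError("malformed request line")
        fields[name] = value
    return fields, False          # EOF before ".\n"


def evaluate(fields):
    """Apply the quality rules; return (ntstatus-string, result-string)."""
    for required in ("Version", "Username", "Password"):
        if required not in fields:
            return NT_STATUS_ACCESS_DENIED, "Missing field: " + required
    # Fullname is deliberately optional: the message leaves open whether smbd
    # sends it at all when it is unknown.
    username = fields["Username"]
    password = fields["Password"]          # not stripped on purpose
    folded = password.lower()
    if len(password) < MIN_LENGTH:
        return NT_STATUS_PASSWORD_RESTRICTION, "Password is too short"
    if len(username) >= 3 and username.lower() in folded:
        return NT_STATUS_PASSWORD_RESTRICTION, "Password contains the username"
    if any(word in folded for word in WEAK_WORDS):
        return NT_STATUS_PASSWORD_RESTRICTION, "Password is based on dictionary word"
    tests = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    classes = sum(1 for test in tests if any(test(c) for c in password))
    if classes < 3:
        return NT_STATUS_PASSWORD_RESTRICTION, "Password needs three character classes"
    return NT_STATUS_OK, "New password is accepted"


def format_response(ntstatus, result):
    """Build the NTStatus/Result/. block smbd reads from our STDOUT.

    A newline inside the result string would end the record early, so it is
    folded to a space.  The password itself is never echoed back."""
    return "NTStatus:%s\nResult:%s\n.\n" % (ntstatus, result.replace("\n", " "))


def handle(stream):
    """One full request/response cycle on a text stream; returns the response."""
    try:
        fields, terminated = parse_request(stream)
    except ValueError as exc:
        return format_response(NT_STATUS_ACCESS_DENIED, str(exc))
    if not terminated:
        return format_response(NT_STATUS_ACCESS_DENIED, "Request not terminated by '.'")
    return format_response(*evaluate(fields))


def handle_text(text):
    """Convenience wrapper: run handle() on an in-memory request string."""
    return handle(io.StringIO(text))


def build_request(version, username, fullname, password):
    """The block smbd is documented to write; constructed here for testing."""
    return "Version:%s\nUsername:%s\nFullname:%s\nPassword:%s\n.\n" % (
        version, username, fullname, password)


if __name__ == "__main__":
    sys.stdout.write(handle(sys.stdin))
    sys.stdout.flush()
    # Exit 0 whenever a response was produced: the verdict travels in NTStatus,
    # and smbd only changes the password on NT_STATUS_OK *and* exit status 0.
    sys.exit(0)
```

Installed at the path from the documentation example (password quality script = /usr/local/samba/sbin/password-quality.pl, renamed to .py here) and made executable, the script is driven entirely by smbd over the pipe; a refusal is signalled by NTStatus while the exit status stays 0, so a crash (non-zero exit with no block) and a refusal are distinguishable in smbd's logs. The word list is the obvious thing to swap for a real dictionary, remembering that the file must be readable by the non-root user smbd runs the script as.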