--with-cracklib for Samba

John H Terpstra jht at samba.org
Thu Jan 16 05:18:01 GMT 2003


Pierre,

Sounds interesting. Please keep this going as there is a lot of interest
in a forced secure password change process.

Strongly suggest getting the official sources updated, as you have already
suggested. There should be someone who might want to help get this into
the official code tree. Who knows, might even spawn a security update
cycle.

- John T.

On Wed, 15 Jan 2003, Pierre Belanger wrote:

> Hi all,
>
> Last night I did a "grep -i todo" in the source code, to see
> if I could contribute a little bit more ;-) I found the
> following:
>
> smbd/chgpasswd.c:   /* TODO:  Add cracklib support here */
>
> I started working on this last night (using SAMBA_3_0
> branch) and do have something working (the "configure.in",
> documentation, etc is not done yet). I had to make my own
> "API" to cracklib to make this work because the original API
> uses getuid() and getpwuid() to get the username and fullname
> (gecos). I also found a lot of places in the cracklib code
> that are really not "foolproof". So... in the search for
> a better solution:
>
> Tonight, I checked the "cracklib" included in "npasswd".
> (I found a bug, it's also in the original cracklib!!!)
> There isn't a better "API", still uses getuid()/getpwuid().
>
> If the original cracklib or npasswd's cracklib is a
> good idea for Samba, I'll contact the maintainer for both
> products and see if they agree to "update" their code with
> the new API and also update their download site(s). I have
> the feeling "cracklib original" is quite dead unless there
> is a new maintainer (found nothing on sourceforge /
> freshmeat) and might have better chances with the cracklib
> included in npasswd.
>
> Besides using cracklib for password changing, I thought
> of the following idea. Once "cracklib" is enabled, have
> an attribute in smb.conf "force password change = yes".
> Then at logon if the password is found by cracklib, force
> the user to change their password right away. That's for
> Samba 3.0.1 ;-) unless I easily find how to do this!
> If you have other ideas let me know.
>
> Do I continue working on this or not?
>
> Best regards,
> Pierre B.
>

-- 
John H Terpstra
Email: jht at samba.org
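
The API problem raised in the quoted message, as an added example that is not Pierre's patch, cracklib code or Samba code: a daemon changes a password on behalf of another account, so getuid() describes the daemon process rather than that account, and the name-based checks need the username and gecos passed in explicitly. The function names `has_token` and `check_pw_for_account` are hypothetical, the sample account is constructed, and only the username and full-name checks are shown (no dictionary lookup).

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define LC(c) tolower((unsigned char)(c))

/* 1 if tok (n bytes) occurs in pw forwards or reversed, ignoring case.
 * Tokens shorter than 3 bytes are skipped (assumption, limits false hits). */
static int has_token(const char *pw, const char *tok, size_t n)
{
    size_t plen = strlen(pw);
    if (n < 3 || n > plen)
        return 0;
    for (size_t i = 0; i + n <= plen; i++) {
        size_t f = 0, r = 0;
        while (f < n && LC(pw[i + f]) == LC(tok[f]))
            f++;
        while (r < n && LC(pw[i + r]) == LC(tok[n - 1 - r]))
            r++;
        if (f == n || r == n)
            return 1;
    }
    return 0;
}

/* Hypothetical entry point: the caller passes the target account's name and
 * gecos explicitly. Returns NULL if acceptable, else a reason string. */
const char *check_pw_for_account(const char *pw, const char *user,
                                 const char *gecos)
{
    if (!pw || !user)
        return "missing password or username";
    if (has_token(pw, user, strlen(user)))
        return "it is based on the username";
    /* Only the full-name field (text before the first comma) is examined. */
    for (const char *p = gecos ? gecos : ""; *p && *p != ','; ) {
        size_t n = strcspn(p, " \t.-,");
        if (has_token(pw, p, n))
            return "it is based on the account's full name";
        p += n;
        if (*p && *p != ',')
            p++;
    }
    return NULL;
}

int main(void)
{
    /* Constructed sample account, not taken from the thread. */
    const char *r = check_pw_for_account("JDOE2003", "jdoe", "Jane Doe,Room 12");
    printf("%s\n", r ? r : "ok");
    return 0;
}
```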


