--with-cracklib for Samba

David Lee t.d.lee at durham.ac.uk
Thu Jan 16 09:44:03 GMT 2003


On Wed, 15 Jan 2003, Pierre Belanger wrote:

> Last night I did a "grep -i todo" in the source code, to see
> if I could contribute a little bit more ;-) I found the
> following:
> 
> smbd/chgpasswd.c:   /* TODO:  Add cracklib support here */
> 
> I started working on this last night (using SAMBA_3_0
> branch) and do have something working (the "configure.in",
> documentation, etc is not done yet). I had to make my own
> "API" to cracklib to make this work because the original API
> uses getuid() and getpwuid() to get the username and fullname
> (gecos). I also found a lot of places in the cracklib code
> that are really not "foolproof". So... in the search for
> a better solution:
> 
> Tonight, I checked the "cracklib" included in "npasswd".
> (I found a bug, it's also in the original cracklib!!!)
> There isn't a better "API", still uses getuid()/getpwuid().

I am now a couple of years out of touch with "cracklib" stuff, so check
what I say, don't necessarily believe it!

There is some actively maintained "cracklib" material in the "Linux-PAM" 
project: 
  http://sourceforge.net/projects/pam

My understanding is that "Linux-PAM" is used widely on various Linux
distributions (I have very little first-hand knowledge of Linux).  It also
(notwithstanding the name) aims to be compatible with other PAM-enabled
OSes (Solaris, HP, ...).  Indeed we have been running Linux-PAM's cracklib
in our Solaris PAM structure for a couple of years.  (It's so neat, it
doesn't require any maintenance attention, so I have now forgotten its
detail!)

So I would suggest exploring the possibilities that might be provided by
Linux-PAM.  Bear in mind, too, that Andrew Bartlett is doing much work
within Samba to rationalise and add modular flexibility to its
authentication subsystem, including cooperating with PAM (for those
systems that have it).

If I recall correctly it does require an external "cracklib" library.
But exploring this route might help with constructing a suitable, mutually
sympathetic API for Samba/crack (and possible PAM) interactions.


> Do I continue working on this or not?

Your ideas sound promising.  I'm simply suggesting exploring what
possibilities (if any) may exist with Linux-PAM's cracklib module and its
related things, and coordinating this work with Andrew Bartlett's work
within Samba to achieve maximum mutual benefit to both projects
(Linux-PAM and Samba) and minimal risk of code-forking and fragmentation. 

Hope that helps.


-- 

:  David Lee                                I.T. Service          :
:  Systems Programmer                       Computer Centre       :
:                                           University of Durham  :
:  http://www.dur.ac.uk/t.d.lee/            South Road            :
:                                           Durham                :
:  Phone: +44 191 374 2882                  U.K.                  :
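
Added example (not part of the original message, and not Samba, cracklib or Linux-PAM code): the thread's point about getuid()/getpwuid() is that a daemon changing a password on a user's behalf must hand the account's identity to the checker, because the process uid is not that account. The sketch below shows an identity-aware check whose caller passes the username and gecos explicitly; `identity_check`, `contains_ci`, the delimiter set and the 3-character minimum word length are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive search in hay for the first n bytes of needle
 * (read backwards when rev != 0). */
static int contains_ci(const char *hay, const char *needle, size_t n, int rev)
{
    size_t hl = strlen(hay);
    if (n == 0 || n > hl)
        return 0;
    for (size_t i = 0; i + n <= hl; i++) {
        size_t j = 0;
        while (j < n && tolower((unsigned char)hay[i + j]) ==
                        tolower((unsigned char)needle[rev ? n - 1 - j : j]))
            j++;
        if (j == n)
            return 1;
    }
    return 0;
}

/* Hypothetical helper: NULL if acceptable, else a reason string.
 * The identity comes from the caller; nothing here calls getuid(). */
const char *identity_check(const char *pw, const char *user, const char *gecos)
{
    if (contains_ci(pw, user, strlen(user), 0))
        return "it is based on the username";
    if (contains_ci(pw, user, strlen(user), 1))
        return "it is based on the reversed username";
    /* Walk the words of the gecos full name; skip words under 3 chars. */
    for (const char *p = gecos; *p; ) {
        size_t n = strcspn(p, " ,.-");
        if (n >= 3 && (contains_ci(pw, p, n, 0) || contains_ci(pw, p, n, 1)))
            return "it is based on the account's full name";
        p += n + strspn(p + n, " ,.-");
    }
    return NULL;
}

int main(void)
{
    /* Constructed sample: a daemon checking a new password for user "jdoe". */
    const char *why = identity_check("my-JANE-pw", "jdoe", "Jane Q. Doe");
    printf("%s\n", why ? why : "ok");
    return 0;
}
```

A dictionary check would still run separately; this covers only the comparison against the account's own name fields.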



