--with-cracklib for Samba

Andrew Bartlett abartlet at samba.org
Thu Jan 16 10:43:01 GMT 2003


On Thu, 2003-01-16 at 20:42, David Lee wrote:
> On Wed, 15 Jan 2003, Pierre Belanger wrote:
> 
> > Last night I did a "grep -i todo" in the source code, to see
> > if I could contribute a little bit more ;-) I found the
> > following:
> > 
> > smbd/chgpasswd.c:   /* TODO:  Add cracklib support here */
> > 
> > I started working on this last night (using SAMBA_3_0
> > branch) and do have something working (the "configure.in",
> > documentation, etc is not done yet). I had to make my own
> > "API" to cracklib to make this work because the original API
> > uses getuid() and getpwuid() to get the username and fullname
> > (gecos). I also found a lot of places in the cracklib code
> > that are really not "fool-proof". So... in the search for
> > a better solution:
> > 
> > Tonight, I checked the "cracklib" included in "npasswd".
> > (I found a bug, it's also in the original cracklib!!!)
> > There isn't a better "API", still uses getuid()/getpwuid().
> 
> I am now a couple of years out of touch with "cracklib" stuff, so check
> what I say, don't necessarily believe it!
> 
> There is some actively maintained "cracklib" material in the "Linux-PAM" 
> project: 
>   http://sourceforge.net/projects/pam
> 
> My understanding is that "Linux-PAM" is used widely on various Linux
> distributions (I have very little first-hand knowledge of Linux).  It also
> (notwithstanding the name) aims to be compatible with other PAM-enabled
> OSes (Solaris, HP, ...).  Indeed we have been running Linux-PAM's cracklib
> in our Solaris PAM structure for a couple of years.  (It's so neat, it
> doesn't require any maintenance attention, so I have now forgotten its
> detail!)
> 
> So I would suggest exploring the possibilities that might be provided by
> Linux-PAM.  

Linux-PAM can't help us here - because we don't have the old password to
work with.  This means we have to do this as root, so the
modules-as-shipped will bypass the checks.

If we have to get some custom PAM configuration then we are better to
just bring it into smbd.

> Bear in mind, too, that Andrew Bartlett is doing much work
> within Samba to rationalise and add modular flexibility to its
> authentication subsystem, including cooperating with PAM (for those
> systems that have it).

Yes, I added the code that would allow this, and the TODO :-)

> If I recall correctly it does require an external "cracklib" library.
> But exploring this route might help with constructing a suitable, mutually
> sympathetic API for Samba/crack (and possible PAM) interactions.
> 
> 
> > Do I continue working on this or not?
> 
> Your ideas sound promising.  I'm simply suggesting exploring what
> possibilities (if any) may exist with Linux-PAM's cracklib module and its
> related things, and coordinating this work with Andrew Bartlett's work
> within Samba to achieve maximum mutual benefit to both projects
> (Linux-PAM and Samba) and minimal risk of code-forking and fragmentation. 

Don't worry, there is no risk of that.  I'll be working closely on
this.  (It is on my todo list before term starts anyway - in fact,
thanks for reminding me about it :-)

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
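
The API problem raised in the thread, as an added example that is not part of the original messages and is neither Samba's nor cracklib's code: a check that takes the account name and GECOS field as parameters, beside one that reads them from the calling process via getuid()/getpwuid(). The function names, the three-character minimum and the rejection strings are assumptions, and only the identity-based part of a strength check is shown (no dictionary lookup).

```c
#include <ctype.h>
#include <pwd.h>
#include <stddef.h>
#include <string.h>
#include <unistd.h>

/* Case-insensitive search for the first n bytes of tok inside pw.
   Tokens shorter than 3 characters (initials) are ignored (assumed cutoff). */
static int contains_ci(const char *pw, const char *tok, size_t n)
{
    size_t i;
    if (n < 3)
        return 0;
    for (; *pw; pw++) {
        for (i = 0; i < n && pw[i]; i++)
            if (tolower((unsigned char)pw[i]) != tolower((unsigned char)tok[i]))
                break;
        if (i == n)
            return 1;
    }
    return 0;
}

/* Hypothetical API: the identity is supplied by the caller.
   Returns NULL if the password passes, otherwise the reason for rejection. */
const char *check_new_password(const char *user, const char *gecos, const char *newpw)
{
    const char *p = gecos;
    if (contains_ci(newpw, user, strlen(user)))
        return "it is based on the account name";
    /* The full name is the first comma-separated GECOS field; test each word. */
    while (*p && *p != ',') {
        size_t n = strcspn(p, " \t,");
        if (contains_ci(newpw, p, n))
            return "it is based on the account's full name";
        p += n;
        while (*p == ' ' || *p == '\t')
            p++;
    }
    return NULL;
}

/* The pattern described in the thread: the identity comes from the calling
   process, so a daemon running as root checks against root's passwd entry
   rather than the entry of the account whose password is being changed. */
const char *check_new_password_as_caller(const char *newpw)
{
    struct passwd *pw = getpwuid(getuid());
    if (pw == NULL)
        return "cannot look up the calling user";
    return check_new_password(pw->pw_name, pw->pw_gecos ? pw->pw_gecos : "", newpw);
}
```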