--with-cracklib (phase 2)

Pierre Belanger pbelang1 at oss.cantel.rogers.com
Fri Jan 17 21:21:00 GMT 2003


Here's what I've done so far:

- Added a simple API in cracklib for Samba, works great.
- Sent an email to Alec Muffett, author of cracklib asking
   him if he can add this new API that doesn't use
   "getuid() & getpwuid()".
- Sent an email to Chris Hoover, author of "npasswd" asking
   him a few questions about his work and also if he could
   add the new "API" in the npasswd's cracklib distribution.

Note: npasswd's cracklib is modified to do a much better
       check (mangle). He added some code from "Crack"
       which Alec never added in cracklib. npasswd's new
       cracklib "API" does not use getuid / getpwuid which
       is what we need but it doesn't check againts the
       username & fullusername info. I think this is really

Issues & questions:

- Will we ever see more work on cracklib, nothing changed
   since 1997. We know we need to add an "API" that doesn't
   use "getuid() / getpwuid()". If Alec and/or Chris don't
   want to add an API that doesn't use the get{pw}uid(),
   we can:

   1- Add a patch to cracklib in a "contrib" directory, link
      Samba with "libcrack.a"
   2- Commit an API in "Samba", still link with "libcrack.a"
      for the rest of the functionnalities.
   3- Commit a "samba-cracklib" in SAMBA_X_Y , i.e. fully
      integrate samba-cracklib in Samba (no more
      fprintf(stderr,...), etc), when possible use Samba's
      "string" functions instead of cracklib's original.
      Don't use sprintf, use Samba's snprintf, etc.

[Q] What do you think is the best to do? I don't like #1.
#2 is possible, we'll probably endup with our own re-written
"fascist.c" .

Some "meat" now, not a big piece!

Added the following code in smbd/chgpassword.c ~ line 973 :

   #ifdef CRACKLIB
     if (msg = NewFascistCheck(new_passwd, CRACKLIB_DICTPATH,
       pdb_get_username(hnd), pdb_get_fullname(hnd))) {

       DEBUG(0, ("Can't change password - "
                 "Cracklib returns: %s\n", msg));



[Q] Do we want to be able to configure the dictionnary name
     within the smb.conf (char *) or "hard-coded" in cracklib?
     Perhaps we want to be able to specify multiple directories
     (char **). npasswd uses "(char **)" (mutliple). I have
     no preference.

As you probably all know, I'm no Windows protocol guru!

[Q] Is NT_STATUS_ACCESS_DENIED the right value to return
     when "cracklib" "finds the password" in the dictionary?

[Q] Is it possible to send back a real message? It could
     be "The specified password is invalid. Please choose
     a password not based on a dictionnary word" or
     "password not long enough - minimum X characters", etc.

     When I change my password here @ work (with a Windows
     backend domain controller), I can't take any of my
     previous ~ 3 passwords. I do get an "understand" error
     message. Is everything needed to send back a "good"
     error message already in Samba? If so, how? if not,
     well I might need to install a good sniffer and read
     a few more documents to understand "windows protocol"
     unless someone here already knows how to do this.

Any other comments are welcome.

Thank you *very much* - enjoy the weekend.

Pierre B.

More information about the samba-technical mailing list