--with-cracklib (phase 2)
Andrew Bartlett
abartlet at samba.org
Fri Jan 17 21:39:01 GMT 2003
On Sat, 2003-01-18 at 08:20, Pierre Belanger wrote:
> Hi,
>
> Here's what I've done so far:
>
> - Added a simple API in cracklib for Samba, works great.
> - Sent an email to Alec Muffett, author of cracklib asking
> him if he can add this new API that doesn't use
> "getuid() & getpwuid()".
> - Sent an email to Chris Hoover, author of "npasswd" asking
> him a few questions about his work and also if he could
> add the new "API" in the npasswd's cracklib distribution.
>
> Note: npasswd's cracklib is modified to do a much better
> check (mangle). He added some code from "Crack"
> which Alec never added in cracklib. npasswd's new
> cracklib "API" does not use getuid / getpwuid which
> is what we need but it doesn't check against the
> username & fullusername info. I think this is really
> important.
>
> Issues & questions:
>
> - Will we ever see more work on cracklib, nothing changed
> since 1997. We know we need to add an "API" that doesn't
> use "getuid() / getpwuid()". If Alec and/or Chris don't
> want to add an API that doesn't use the get{pw}uid(),
> we can:
>
> 1- Add a patch to cracklib in a "contrib" directory, link
> Samba with "libcrack.a"
> 2- Commit an API in "Samba", still link with "libcrack.a"
> for the rest of the functionalities.
> 3- Commit a "samba-cracklib" in SAMBA_X_Y , i.e. fully
> integrate samba-cracklib in Samba (no more
> fprintf(stderr,...), etc), when possible use Samba's
> "string" functions instead of cracklib's original.
> Don't use sprintf, use Samba's snprintf, etc.
Yes, if cracklib uses stdout/stderr as it stands, then we have no
choice but to either isolate it in a 'helper' program, or integrate it
into Samba. I think I prefer integration.
> [Q] What do you think is the best to do? I don't like #1.
> #2 is possible, we'll probably end up with our own re-written
> "fascist.c" .
Assuming the license is compatible, then I think this is the best course
of action.
> Some "meat" now, not a big piece!
>
> Added the following code in smbd/chgpassword.c ~ line 973 :
>
> #ifdef CRACKLIB
> if ((msg = NewFascistCheck(new_passwd, CRACKLIB_DICTPATH,
>                            pdb_get_username(hnd),
>                            pdb_get_fullname(hnd))) != NULL) {
>
>         DEBUG(0, ("Can't change password - "
>                   "Cracklib returns: %s\n", msg));
>         return NT_STATUS_ACCESS_DENIED;
>         /* return NT_STATUS_PASSWORD_RESTRICTION; */
> }
> #endif
>
>
> [Q] Do we want to be able to configure the dictionary name
> within the smb.conf (char *) or "hard-coded" in cracklib?
> Perhaps we want to be able to specify multiple directories
> (char **). npasswd uses "(char **)" (multiple). I have
> no preference.
Given the number of platforms we run on, then configuring the dictionary
name would be 'a good idea'. I don't see the need for multiple
dictionaries.
> As you probably all know, I'm no Windows protocol guru!
>
> [Q] Is NT_STATUS_ACCESS_DENIED the right value to return
> when "cracklib" "finds the password" in the dictionary?
No, we should match what NT returns. You figure this out by grabbing
CVS ethereal, and decoding the password change.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/mschap/mschap/mschapsrvchangepassword.asp
Gives you a good idea what MS's internal functions do here - and this
maps quite well to the wire actually.
In this case NT_STATUS_PASSWORD_RESTRICTION would be a good choice.
> [Q] Is it possible to send back a real message? It could
> be "The specified password is invalid. Please choose
> a password not based on a dictionary word" or
> "password not long enough - minimum X characters", etc.
It's not possible, the protocol just doesn't have a place for it. :-(.
> When I change my password here @ work (with a Windows
> backend domain controller), I can't take any of my
> previous ~ 3 passwords. I do get an "understandable" error
> message. Is everything needed to send back a "good"
> error message already in Samba? If so, how? if not,
> well I might need to install a good sniffer and read
> a few more documents to understand "windows protocol"
> unless someone here already knows how to do this.
I would like to see what it's doing - grab CVS ethereal and decode the
password change, see what goes where.
It's quite possible that the password restriction is being partially
enforced on the local machine.
Andrew Bartlett
> Any other comments are welcome.
>
> Thank you *very much* - enjoy the weekend.
>
> Pierre B.
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
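Added example, not code from Samba, cracklib or npasswd: a self-contained
check in the shape the thread is asking for. The caller passes the username
and full name in (so nothing here calls getuid()/getpwuid()), the candidate
is tested against the user's own identity and against a word list, and the
result is reported as an NTSTATUS so the password-change path can return it
directly. The reason text is only for the server log, since the protocol has
no field to carry it to the client. The word list, the function names, the
digit-stripping "mangle" and MIN_PASSWORD_LEN are assumptions for
illustration; the value of NT_STATUS_PASSWORD_RESTRICTION (0xC000006C) is
the code Windows itself uses.

```c
/* Added example (not Samba/cracklib/npasswd code). Word list, names and
 * MIN_PASSWORD_LEN are assumptions; the status codes are Windows' values. */
#include <ctype.h>
#include <string.h>

typedef unsigned int NTSTATUS;
#define NT_STATUS_OK                   0x00000000u
#define NT_STATUS_PASSWORD_RESTRICTION 0xC000006Cu
#define MIN_PASSWORD_LEN 8
#define MAX_PW 128

/* Constructed stand-in for a cracklib dictionary; illustration only. */
static const char *const dict_words[] = {
    "password", "secret", "samba", "welcome", "letmein", "qwerty", NULL
};

/* Bounded lower-case copy of src into dst. */
static void lower_copy(char *dst, const char *src, size_t dstlen)
{
    size_t i;
    for (i = 0; i + 1 < dstlen && src[i] != '\0'; i++)
        dst[i] = (char)tolower((unsigned char)src[i]);
    dst[i] = '\0';
}

static void reverse_inplace(char *s)
{
    size_t i, n = strlen(s);
    for (i = 0; i < n / 2; i++) {
        char t = s[i]; s[i] = s[n - 1 - i]; s[n - 1 - i] = t;
    }
}

/* True if needle (3+ chars) occurs in hay; both already lower-cased.
 * The length floor stops two-letter names from rejecting everything. */
static int contains_word(const char *hay, const char *needle)
{
    return strlen(needle) >= 3 && strstr(hay, needle) != NULL;
}

/* Strip leading/trailing digits, then compare the core and its reverse with
 * the word list. A tiny imitation of cracklib-style mangling, not its code. */
static int is_dictionary_based(const char *lower_pw)
{
    char core[MAX_PW], rev[MAX_PW];
    const char *start = lower_pw;
    const char *const *w;
    size_t len;

    while (*start != '\0' && isdigit((unsigned char)*start)) start++;
    len = strlen(start);
    while (len > 0 && isdigit((unsigned char)start[len - 1])) len--;
    if (len == 0 || len >= sizeof core) return 0;
    memcpy(core, start, len); core[len] = '\0';
    strcpy(rev, core); reverse_inplace(rev);
    for (w = dict_words; *w != NULL; w++)
        if (strcmp(core, *w) == 0 || strcmp(rev, *w) == 0) return 1;
    return 0;
}

/* Identity comes from the caller, so no getuid()/getpwuid() here.
 * Returns NT_STATUS_OK or NT_STATUS_PASSWORD_RESTRICTION; *reason is a
 * short text for the server log only (the wire has no place for it). */
NTSTATUS check_new_password(const char *new_pw, const char *username,
                            const char *fullname, const char **reason)
{
    char pw[MAX_PW], user[MAX_PW], ruser[MAX_PW], name[MAX_PW], *tok;

    *reason = NULL;
    if (strlen(new_pw) < MIN_PASSWORD_LEN) {
        *reason = "too short"; return NT_STATUS_PASSWORD_RESTRICTION;
    }
    lower_copy(pw, new_pw, sizeof pw);
    lower_copy(user, username, sizeof user);
    strcpy(ruser, user); reverse_inplace(ruser);
    if (contains_word(pw, user) || contains_word(pw, ruser)) {
        *reason = "based on the username"; return NT_STATUS_PASSWORD_RESTRICTION;
    }
    lower_copy(name, fullname, sizeof name);
    for (tok = strtok(name, " "); tok != NULL; tok = strtok(NULL, " "))
        if (contains_word(pw, tok)) {
            *reason = "based on the full name"; return NT_STATUS_PASSWORD_RESTRICTION;
        }
    if (is_dictionary_based(pw)) {
        *reason = "based on a dictionary word"; return NT_STATUS_PASSWORD_RESTRICTION;
    }
    return NT_STATUS_OK;
}

/* Reason text for a rejected candidate, "" when it is accepted. */
const char *why_rejected(const char *pw, const char *user, const char *fullname)
{
    const char *r;
    return check_new_password(pw, user, fullname, &r) == NT_STATUS_OK ? "" : r;
}
```

With username "pierre" and full name "Pierre Belanger", "password1" is
rejected as dictionary-based (digits stripped), "Belanger99" on the full
name, "erreip!2x" on the reversed username, and "Tr0ub4dor&3" is accepted.
A real integration would read the dictionary path from smb.conf and pass it
in as a parameter, as the thread suggests, rather than hard-coding a list.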