--with-cracklib (phase 2)

Andrew Bartlett abartlet at samba.org
Fri Jan 17 21:39:01 GMT 2003


On Sat, 2003-01-18 at 08:20, Pierre Belanger wrote:
> Hi,
> 
> Here's what I've done so far:
> 
> - Added a simple API in cracklib for Samba, works great.
> - Sent an email to Alec Muffett, author of cracklib asking
>    him if he can add this new API that doesn't use
>    "getuid() & getpwuid()".
> - Sent an email to Chris Hoover, author of "npasswd" asking
>    him a few questions about his work and also if he could
>    add the new "API" in the npasswd's cracklib distribution.
> 
> Note: npasswd's cracklib is modified to do a much better
>        check (mangle). He added some code from "Crack"
>        which Alec never added in cracklib. npasswd's new
>        cracklib "API" does not use getuid / getpwuid which
>        is what we need but it doesn't check against the
>        username & fullusername info. I think this is really
>        important.
> 
> Issues & questions:
> 
> - Will we ever see more work on cracklib, nothing changed
>    since 1997. We know we need to add an "API" that doesn't
>    use "getuid() / getpwuid()". If Alec and/or Chris don't
>    want to add an API that doesn't use the get{pw}uid(),
>    we can:
> 
>    1- Add a patch to cracklib in a "contrib" directory, link
>       Samba with "libcrack.a"
>    2- Commit an API in "Samba", still link with "libcrack.a"
>       for the rest of the functionalities.
>    3- Commit a "samba-cracklib" in SAMBA_X_Y , i.e. fully
>       integrate samba-cracklib in Samba (no more
>       fprintf(stderr,...), etc), when possible use Samba's
>       "string" functions instead of cracklib's original.
>       Don't use sprintf, use Samba's snprintf, etc.

Yes, if cracklib is using stdout/stderr as it stands, then we have no
choice but to either isolate it to a 'helper' program, or integrate it
into Samba.  I think I prefer integration.

> [Q] What do you think is the best to do? I don't like #1.
> #2 is possible, we'll probably end up with our own re-written
> "fascist.c" .

Assuming the license is compatible, then I think this is the best course
of action.

> Some "meat" now, not a big piece!
> 
> Added the following code in smbd/chgpassword.c ~ line 973 :
> 
>    #ifdef CRACKLIB
>      if (msg = NewFascistCheck(new_passwd, CRACKLIB_DICTPATH,
>        pdb_get_username(hnd), pdb_get_fullname(hnd))) {
> 
>        DEBUG(0, ("Can't change password - "
>                  "Cracklib returns: %s\n", msg));
>        return NT_STATUS_ACCESS_DENIED;
>    /*    return NT_STATUS_PASSWORD_RESTRICTION; */
> 
>      }
> 
>    }
>    #endif
> 
> 
> [Q] Do we want to be able to configure the dictionary name
>      within the smb.conf (char *) or "hard-coded" in cracklib?
>      Perhaps we want to be able to specify multiple directories
>      (char **). npasswd uses "(char **)" (multiple). I have
>      no preference.

Given the number of platforms we run on, then configuring the dictionary
name would be 'a good idea'.  I don't see the need for multiple
dictionaries.

> As you probably all know, I'm no Windows protocol guru!
> 
> [Q] Is NT_STATUS_ACCESS_DENIED the right value to return
>      when "cracklib" "finds the password" in the dictionary?

No, we should match what NT returns.  You figure this out by grabbing 
CVS ethereal, and decoding the password change.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/mschap/mschap/mschapsrvchangepassword.asp

Gives you a good idea what MS's internal functions do here - and this
maps quite well to the wire actually.

In this case NT_STATUS_PASSWORD_RESTRICTION would be a good choice.

> [Q] Is it possible to send back a real message? It could
>      be "The specified password is invalid. Please choose
>      a password not based on a dictionary word" or
>      "password not long enough - minimum X characters", etc.

It's not possible, the protocol just doesn't have a place for it. :-(.

>      When I change my password here @ work (with a Windows
>      backend domain controller), I can't take any of my
>      previous ~ 3 passwords. I do get an "understand" error
>      message. Is everything needed to send back a "good"
>      error message already in Samba? If so, how? if not,
>      well I might need to install a good sniffer and read
>      a few more documents to understand "windows protocol"
>      unless someone here already knows how to do this.

I would like to see what it's doing - grab CVS ethereal and decode the
password change, see what goes where.

It's quite possible that the password restriction is being partially
enforced on the local machine.

Andrew Bartlett

> Any other comments are welcome.
> 
> Thank you *very much* - enjoy the weekend.
> 
> Pierre B.
-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
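
The API shape discussed in this thread, as an added example that is not code from either poster, cracklib, npasswd or Samba: a check that receives the username and full name from the caller instead of calling getuid()/getpwuid(), and returns a reason string instead of printing to stderr. The names `identity_check`, `pw_contains`, `MIN_PW_LEN` and `MIN_TOKEN` are hypothetical, and the block covers only the username/full-name test, not the dictionary lookup.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define MIN_PW_LEN  6   /* assumed policy value, not from the thread */
#define MIN_TOKEN   3   /* ignore name fragments too short to be meaningful */

/* Case-insensitive search for tok[0..n) in pw; reversed != 0 matches the
 * token spelled backwards. Returns 1 on a hit. */
static int pw_contains(const char *pw, const char *tok, size_t n, int reversed)
{
    size_t len = strlen(pw), i, j;

    if (n < MIN_TOKEN || n > len)
        return 0;
    for (i = 0; i + n <= len; i++) {
        for (j = 0; j < n; j++) {
            unsigned char t = (unsigned char)tok[reversed ? n - 1 - j : j];
            if (tolower((unsigned char)pw[i + j]) != tolower(t))
                break;
        }
        if (j == n)
            return 1;
    }
    return 0;
}

/* Hypothetical entry point: the caller supplies the account's identity, so
 * nothing here calls getuid()/getpwuid() or writes to stdout/stderr.
 * Returns NULL if the password passes, otherwise a static reason string. */
const char *identity_check(const char *pw, const char *user, const char *full)
{
    const char *p = full ? full : "";

    if (pw == NULL || strlen(pw) < MIN_PW_LEN)
        return "it is too short";
    if (user && (pw_contains(pw, user, strlen(user), 0) ||
                 pw_contains(pw, user, strlen(user), 1)))
        return "it is based on the username";
    while (*p) {                      /* walk the alphanumeric words of the full name */
        size_t n = 0;
        while (*p && !isalnum((unsigned char)*p)) p++;
        while (isalnum((unsigned char)p[n])) n++;
        if (pw_contains(pw, p, n, 0) || pw_contains(pw, p, n, 1))
            return "it is based on the full name";
        p += n;
    }
    return NULL;
}
```

Because the reason is returned rather than printed, a daemon caller can log it server-side and map any non-NULL result to a single status code for the client.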