
src/usr.bin/passwd + cracklib



My first post to tech@ and a "request for commit":

Adding Alec Muffett's Cracklib to OpenBSD's passwd to prevent 
users from choosing weak passwords.

Default OpenBSD behavior:

$ passwd
Changing local password for caff.
Old password:
New password: Potatoes
Retype new password: Potatoes
$

/usr/bin/passwd with cracklib support added:

$ passwd
Changing local password for caff.
Old password:
New password: Potatoes
Please use a different password.
The one you have chosen is unsuitable because it is based on a dictionary word.
New password:

Cracklib is Artistic Licence, so I think this means it's okay to put in 
the tree.

Regards,
David "caff" Coppa <caff AT openbeer DOT it>

--- usr.bin/passwd/Makefile	Sat May 17 10:52:55 2003
+++ usr.bin/passwd/Makefile	Sat May 17 10:51:31 2003
@@ -7,7 +7,7 @@
 	pwd_check.c
 .PATH:  ${.CURDIR}/../../lib/libc/gen
 DPADD+= ${LIBRPCSVC} ${LIBUTIL}
-LDADD+= -lrpcsvc -lutil
+LDADD+= -lrpcsvc -lutil -lcrack
 CFLAGS+= -I${.CURDIR}
 
 .if (${YP:L} == "yes")
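Review bot: `-lcrack` is added to LDADD unconditionally, but the DPADD line just above it still reads `DPADD+= ${LIBRPCSVC} ${LIBUTIL}`, so passwd would not be relinked when the new library changes. The link also fails wherever libcrack is not installed, and nothing in this patch adds it to the tree. If cracklib is imported, add its library to DPADD in the same change. If the check is meant to be optional, put the `-lcrack` addition and the `CRACKLIB_DICTPATH` define in pwd_check.c behind a single make knob, so the two cannot disagree.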
--- usr.bin/passwd/pwd_check.c	Sat Jun 29 00:28:17 2002
+++ usr.bin/passwd/pwd_check.c	Sat May 17 10:42:52 2003
@@ -46,6 +46,8 @@
 #include <util.h>
 #include <login_cap.h>
 
+#define CRACKLIB_DICTPATH "/var/cracklib/pw_dict"
+
 struct pattern {
 	char *match;
 	int flags;
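Review bot: No declaration of `FascistCheck` is added alongside the new `#define`, so the call in the later hunk (`@@ -104,6 +106,14 @@`) relies on an implicit `int` return that is then cast to `char *`. Where pointers are wider than `int`, the returned reason string can be truncated before `printf` dereferences it. Include cracklib's header here, or add a prototype such as `char *FascistCheck(char *pw, char *dictpath);` (confirm the signature against the cracklib version being imported), and drop the cast. Because the macro is defined unconditionally in this file, the `#ifdef CRACKLIB_DICTPATH` guard in that hunk is always true; if the check is meant to be optional, the define should come from the build. A comment next to the define should also say what passwd does when the dictionary at that path is missing or unreadable, since that depends on how the library handles the failed open.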
@@ -85,7 +87,7 @@
 {
 	regex_t rgx;
 	int i, res, min_len;
-	char *cp, option[LINE_MAX];
+	char *cp, *cause, option[LINE_MAX];
 	int pipefds[2];
 
 	min_len = (int) login_getcapnum(lc, "minpasswordlen", 6, 6);
@@ -104,6 +106,14 @@
 			return (0);
 		}
 	}
+
+	#ifdef CRACKLIB_DICTPATH
+	if (cause = (char *) FascistCheck(password, CRACKLIB_DICTPATH)) {
+		printf("Please use a different password.\n");
+		printf("The one you have chosen is unsuitable because %s.\n", cause);
+		return (0);
+		}
+	#endif
 
 	/* Okay, now pass control to an external program */