Add option to bypass CrackLib for longer passwords

[kerberos/krb5-strength.git] / plugin / general.c

diff --git a/plugin/general.c b/plugin/general.c
index c491ea01b9522742e2fd2afc0ff4f5cb587a4ccd..aeb43b9e70c12430c8058f41d262a70e41a9ed02 100644 (file)
--- a/plugin/general.c
+++ b/plugin/general.c
@@ -55,6 +55,9 @@ strength_init(krb5_context ctx, const char *dictionary,
     strength_config_boolean(ctx, "require_ascii_printable", &data->ascii);
     strength_config_boolean(ctx, "require_non_letter", &data->nonletter);
 
+    /* Get trapdoor length from krb5.conf. */
+    strength_config_number(ctx, "cracklib_maxlen", &data->cracklib_maxlen);
+
     /* Get complex character class restrictions from krb5.conf. */
     code = strength_config_classes(ctx, "require_classes", &data->rules);
     if (code != 0)
@@ -199,10 +202,15 @@ strength_check(krb5_context ctx UNUSED, krb5_pwqual_moddata data,
     if (code != 0)
         return code;
 
-    /* Check the password against CDB, CrackLib, and SQLite if configured. */
-    code = strength_check_cracklib(ctx, data, password);
-    if (code != 0)
+    if (data->cracklib_maxlen == 0 ||
+       ((long) strlen(password) <= data->cracklib_maxlen)) {
+
+      /* Check the password against CDB, CrackLib, and SQLite if configured. */
+      code = strength_check_cracklib(ctx, data, password);
+      if (code != 0)
         return code;
+    }
+
     code = strength_check_cdb(ctx, data, password);
     if (code != 0)
         return code;