Add a trapdoor length, after which cracklib doesn't function. This is
done via a cracklib_maxlen option to krb5.conf. Passwords of that length
or shorter are still vetted. (0, the default, performs the cracklib
fascist check at any length.)
CrackLib was designed to work with passwords, when passwords were 5-8
characters long. CrackLib makes working with passphrases difficult,
rejecting some good ones. The SQLite dictionary can be seeded with
English trigrams, providing a compensating control. Ergo, CrackLib
shouldn't be vetting passphrases; we should leave that to SQLite.
strength_config_boolean(ctx, "require_ascii_printable", &data->ascii);
strength_config_boolean(ctx, "require_non_letter", &data->nonletter);
strength_config_boolean(ctx, "require_ascii_printable", &data->ascii);
strength_config_boolean(ctx, "require_non_letter", &data->nonletter);
+ /* Get trapdoor length from krb5.conf. */
+ strength_config_number(ctx, "cracklib_maxlen", &data->cracklib_maxlen);
+
/* Get complex character class restrictions from krb5.conf. */
code = strength_config_classes(ctx, "require_classes", &data->rules);
if (code != 0)
/* Get complex character class restrictions from krb5.conf. */
code = strength_config_classes(ctx, "require_classes", &data->rules);
if (code != 0)
if (code != 0)
return code;
if (code != 0)
return code;
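Review bot: The new `strength_config_number(ctx, "cracklib_maxlen", &data->cracklib_maxlen);` stores the value with no range check, and the check path compares `(long) strlen(password) <= data->cracklib_maxlen`, so a negative value in krb5.conf makes that comparison false for every password and silently turns CrackLib off altogether; the commit message documents only 0 as the "check everything" value. Unless strength_config_number already rejects negatives (not visible here), add `if (data->cracklib_maxlen < 0)` directly after the call and fail configuration loading through the same error path the surrounding config helpers use, rather than letting a typo disable a control. The header field comment at `long cracklib_maxlen;` would also benefit from stating the default, e.g. `/* Skip CrackLib for passwords longer than this; 0 checks every length */`. The enclosing configuration function starts and ends outside the hunk.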
- /* Check the password against CDB, CrackLib, and SQLite if configured. */
- code = strength_check_cracklib(ctx, data, password);
- if (code != 0)
+ if (data->cracklib_maxlen == 0 ||
+ ((long) strlen(password) <= data->cracklib_maxlen)) {
+
+ /* Check the password against CDB, CrackLib, and SQLite if configured. */
+ code = strength_check_cracklib(ctx, data, password);
+ if (code != 0)
code = strength_check_cdb(ctx, data, password);
if (code != 0)
return code;
code = strength_check_cdb(ctx, data, password);
if (code != 0)
return code;
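Review bot: The comment moved inside the new length guard still reads "Check the password against CDB, CrackLib, and SQLite if configured", but only the strength_check_cracklib call is inside the guard while strength_check_cdb below runs unconditionally, so the comment now describes the wrong scope; reword it to `/* Check against CrackLib only when the password is within cracklib_maxlen. */` and keep a separate comment on the CDB call. The rendered page shows `if (code != 0)` as the last added line of the branch without its `return code;` or the closing `}`; presumably the page dropped them, but confirm the branch returns on failure exactly as the removed code did. The `(long) strlen(password)` cast is harmless for realistic lengths but mixes size_t and long; computing the length once into a `size_t` and comparing against a non-negative limit would avoid the cast. The enclosing check function starts and ends outside the hunk.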
sqlite3_stmt *prefix_query; /* Query using the password prefix */
sqlite3_stmt *suffix_query; /* Query using the reversed password suffix */
#endif
sqlite3_stmt *prefix_query; /* Query using the password prefix */
sqlite3_stmt *suffix_query; /* Query using the reversed password suffix */
#endif
+ long cracklib_maxlen; /* Longer passwords skip cracklib */