Add option to bypass CrackLib for longer passwords

Add a trapdoor length, after which cracklib doesn't function.  This is
done via a cracklib_maxlen option to krb5.conf. passwords of that length
or shorter are still vetted.  (0, the default, performs the cracklib
fascist check at any length.)

CrackLib was designed to work with passwords, when passwords were 5-8
characters long.  CrackLib makes working with passphrases difficult,
rejecting some good ones.  The SQLite dictionary can be seeded with
Engligh trigrams, providing a compensating control.  Ergo, CrackLib
shouldn't be vetting passphrases; we should leave that to SQLite.

diff --git a/plugin/general.c b/plugin/general.c
index c491ea01b9522742e2fd2afc0ff4f5cb587a4ccd..aeb43b9e70c12430c8058f41d262a70e41a9ed02 100644 (file)
--- a/plugin/general.c
+++ b/plugin/general.c
@@ -55,6 +55,9 @@ strength_init(krb5_context ctx, const char *dictionary,
     strength_config_boolean(ctx, "require_ascii_printable", &data->ascii);
     strength_config_boolean(ctx, "require_non_letter", &data->nonletter);
 
+    /* Get trapdoor length from krb5.conf. */
+    strength_config_number(ctx, "cracklib_maxlen", &data->cracklib_maxlen);
+
     /* Get complex character class restrictions from krb5.conf. */
     code = strength_config_classes(ctx, "require_classes", &data->rules);
     if (code != 0)
@@ -199,10 +202,15 @@ strength_check(krb5_context ctx UNUSED, krb5_pwqual_moddata data,
     if (code != 0)
         return code;
 
-    /* Check the password against CDB, CrackLib, and SQLite if configured. */
-    code = strength_check_cracklib(ctx, data, password);
-    if (code != 0)
+    if (data->cracklib_maxlen == 0 ||
+       ((long) strlen(password) <= data->cracklib_maxlen)) {
+
+      /* Check the password against CDB, CrackLib, and SQLite if configured. */
+      code = strength_check_cracklib(ctx, data, password);
+      if (code != 0)
         return code;
+    }
+
     code = strength_check_cdb(ctx, data, password);
     if (code != 0)
         return code;

diff --git a/plugin/internal.h b/plugin/internal.h
index 7e436636c293bc58c83b1615e275ca592bbc2276..fc0cf1467e8045302177b22c5dccb6d9c5e0d60b 100644 (file)
--- a/plugin/internal.h
+++ b/plugin/internal.h
@@ -90,6 +90,7 @@ struct krb5_pwqual_moddata_st {
     sqlite3_stmt *prefix_query; /* Query using the password prefix */
     sqlite3_stmt *suffix_query; /* Query using the reversed password suffix */
 #endif
+    long cracklib_maxlen;       /* Longer passwords skip cracklib */
 };
 
 BEGIN_DECLS