From 0f8d4b669710edea08fd5da37cd1af443d6384d8 Mon Sep 17 00:00:00 2001
From: Jorj Bauer
Date: Sun, 6 Nov 2016 15:08:57 -0800
Subject: [PATCH] Add option to bypass CrackLib for longer passwords
Add a trapdoor length, after which cracklib doesn't function. This is done via a cracklib_maxlen option to krb5.conf. passwords of that length or shorter are still vetted. (0, the default, performs the cracklib fascist check at any length.) CrackLib was designed to work with passwords, when passwords were 5-8 characters long. CrackLib makes working with passphrases difficult, rejecting some good ones. The SQLite dictionary can be seeded with Engligh trigrams, providing a compensating control. Ergo, CrackLib shouldn't be vetting passphrases; we should leave that to SQLite.
---
 plugin/general.c | 14 +++++++++++---
 plugin/internal.h | 1 +
 2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/plugin/general.c b/plugin/general.c
index c491ea0..aeb43b9 100644
--- a/plugin/general.c
+++ b/plugin/general.c
@@ -55,6 +55,9 @@ strength_init(krb5_context ctx, const char *dictionary,
 strength_config_boolean(ctx, "require_ascii_printable", &data->ascii);
 strength_config_boolean(ctx, "require_non_letter", &data->nonletter);
 
+ /* Get trapdoor length from krb5.conf. */
+ strength_config_number(ctx, "cracklib_maxlen", &data->cracklib_maxlen);
+
 /* Get complex character class restrictions from krb5.conf. */
 code = strength_config_classes(ctx, "require_classes", &data->rules);
 if (code != 0)
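Review bot: A negative `cracklib_maxlen` read from krb5.conf is stored here unchecked, and because the second general.c hunk gates CrackLib on `(long) strlen(password) <= data->cracklib_maxlen`, a negative value makes that comparison false for every password and silently disables the CrackLib check altogether. Unless strength_config_number already rejects negative numbers (its implementation is not part of this patch), normalize the value right after reading it so a misconfiguration fails safe: `if (data->cracklib_maxlen < 0) data->cracklib_maxlen = 0;`. The commit message says 0 is the default, which holds only if data is zero-initialized before this call or strength_config_number writes 0 when the key is absent; that is not visible in the hunk and is worth confirming. strength_init continues outside the hunk.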
@@ -199,10 +202,15 @@ strength_check(krb5_context ctx UNUSED, krb5_pwqual_moddata data,
 if (code != 0)
 return code;
 
- /* Check the password against CDB, CrackLib, and SQLite if configured. */
- code = strength_check_cracklib(ctx, data, password);
- if (code != 0)
+ if (data->cracklib_maxlen == 0 ||
+ ((long) strlen(password) <= data->cracklib_maxlen)) {
+
+ /* Check the password against CDB, CrackLib, and SQLite if configured. */
+ code = strength_check_cracklib(ctx, data, password);
+ if (code != 0)
 return code;
+ }
+
 code = strength_check_cdb(ctx, data, password);
 if (code != 0)
 return code;
diff --git a/plugin/internal.h b/plugin/internal.h
index 7e43663..fc0cf14 100644
--- a/plugin/internal.h
+++ b/plugin/internal.h
@@ -90,6 +90,7 @@ struct krb5_pwqual_moddata_st {
 sqlite3_stmt *prefix_query; /* Query using the password prefix */
 sqlite3_stmt *suffix_query; /* Query using the reversed password suffix */
 #endif
+ long cracklib_maxlen; /* Longer passwords skip cracklib */
 };
 
 BEGIN_DECLS
-- 
2.39.2
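Review bot: The comment carried into the new block, `/* Check the password against CDB, CrackLib, and SQLite if configured. */`, now describes only the CrackLib call, since the CDB check that follows (and presumably the SQLite one after it) runs regardless of length; it should read `/* Check the password against CrackLib unless it is longer than cracklib_maxlen. */`. The comparison uses `strlen`, so the threshold counts bytes, not characters: a UTF-8 password with multi-byte characters crosses the limit sooner than its visible length suggests, and the option's krb5.conf documentation (or a comment at the condition) should say so. Because `return code;` is an unchanged context line, it presumably keeps its old indentation and now sits flush with the `if` that governs it inside the new braces; reindent it to match. strength_check continues past the hunk on both sides.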
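Review bot: The new field's comment `/* Longer passwords skip cracklib */` leaves the zero default and the unit undocumented, both of which an administrator reading the struct needs; suggest `/* Skip CrackLib for passwords longer than this many bytes; 0 = never skip */`. The struct continues outside the hunk.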