Cracklib

From Gentoo Wiki
The information in this article is probably outdated. You can help the Gentoo community by verifying and updating this article.

CrackLib was a follow-up version of the libCrack password checking library and is licensed under the LGPL. With sys-libs/pam-1.4.0[1] it has been deprecated in favor of sys-auth/passwdqc. See PAM for current configuration.

Passwords policy

CrackLib

Add the cracklib USE flag to /etc/portage/make.conf and re-emerge world to update any packages that include support for CrackLib:

root # emerge --changed-use @world

Verify these two packages are installed:

root # emerge --changed-use sys-libs/cracklib cracklib-words

Now create a database:

root # create-cracklib-dict /usr/share/dict/*

Unix password policy

SAMBA passwords policy

Using pdbedit

pdbedit is a tool that can be used only by root. It is used to manage the passdb backend, as well as domain-wide account policy settings. pdbedit can be used to:

  • Add, remove, or modify user accounts.
  • List user accounts.
  • Migrate user accounts.
  • Migrate group accounts.
  • Manage account policies.
  • Manage domain access policy settings.

Commands will be executed to establish controls for our domain as follows:

  1. Min password length = 8 characters.
  2. Password history = last 4 passwords.
  3. Maximum password age = 90 days.
  4. Minimum password age = 7 days.
  5. Bad lockout attempt = 8 bad log on attempts.
  6. Lockout duration = forever, account must be manually re-enabled.

The following command execution will achieve these settings:

root # pdbedit -P "min password length" -C 8
account policy value for min password length was 5
account policy value for min password length is now 8
root # pdbedit -P "password history" -C 4
account policy value for password history was 0
account policy value for password history is now 4
root # pdbedit -P "maximum password age" -C 7776000
account policy value for maximum password age was 4294967295
account policy value for maximum password age is now 7776000
root # pdbedit -P "minimum password age" -C 604800
account policy value for minimum password age was 0
account policy value for minimum password age is now 604800
root # pdbedit -P "bad lockout attempt" -C 8
account policy value for bad lockout attempt was 0
account policy value for bad lockout attempt is now 8
root # pdbedit -P "lockout duration" -C -1
account policy value for lockout duration was 30
account policy value for lockout duration is now 4294967295
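
The age values above are given in seconds, and -1 is reported as 4294967295. As an added example (not part of the wiki page or of Samba), this POSIX shell check reads "is now" lines in the format shown above and compares each value with the six-point baseline; the function names and the sample transcript are constructed for illustration.

```shell
# Added example: audit pdbedit "is now" lines against the baseline listed above.

# Baseline in the units the transcript shows (ages in seconds).
expected_value() {
    case "$1" in
        "min password length")  echo 8 ;;
        "password history")     echo 4 ;;
        "maximum password age") echo $((90 * 86400)) ;;  # 90 days
        "minimum password age") echo $((7 * 86400)) ;;   # 7 days
        "bad lockout attempt")  echo 8 ;;
        "lockout duration")     echo 4294967295 ;;       # -C -1 shown as unsigned 32-bit
        *) return 1 ;;
    esac
}

# Reads a pdbedit transcript on stdin, prints one verdict per "is now" line,
# and returns non-zero if any policy deviates from the baseline or is unknown.
audit_policy_output() {
    rc=0
    while IFS= read -r line; do
        case "$line" in
            "account policy value for "*" is now "*) ;;
            *) continue ;;   # prompts and "was" lines are ignored
        esac
        rest=${line#account policy value for }
        name=${rest% is now *}
        value=${rest##* is now }
        if ! want=$(expected_value "$name"); then
            echo "UNKNOWN $name = $value"; rc=1
        elif [ "$value" = "$want" ]; then
            echo "OK $name = $value"
        else
            echo "MISMATCH $name: got $value, want $want"; rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: minimum age set with -C 7, i.e. 7 seconds instead of 7 days.
sample_transcript() {
    printf '%s\n' \
        'account policy value for maximum password age is now 7776000' \
        'account policy value for minimum password age was 0' \
        'account policy value for minimum password age is now 7' \
        'account policy value for lockout duration is now 4294967295'
}

sample_transcript | audit_policy_output || true
```
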

CrackCheck

Next, crackcheck can be used to check the complexity of passwords:

Unpack samba-*.tar.gz and cd to examples/auth/crackcheck. Then compile it:

user $ make

Copy this to somewhere more sensible:

root # cp crackcheck /usr/local/sbin

Edit Samba's configuration file:

FILE /etc/samba/smb.conf (Samba's configuration)
check password script = /usr/local/sbin/crackcheck -s -d /usr/lib/cracklib-dict

Reload samba configuration:

root # /etc/init.d/samba reload

External resources