Cracklib

From Gentoo Wiki
The information in this article is probably outdated. You can help the Gentoo community by verifying and updating this article.

CrackLib was a follow-up version of the libCrack password checking library and is licensed under the LGPL. With sys-libs/pam-1.4.0[1] it has been deprecated in favor of sys-auth/passwdqc. See PAM for current configuration.

Passwords policy

CrackLib

Add the cracklib USE flag to /etc/portage/make.conf and re-emerge world to update any packages that include support for CrackLib:

root #emerge --changed-use @world

Verify these two packages are installed:

root #emerge --changed-use sys-libs/cracklib sys-apps/cracklib-words

Now create a database:

root #create-cracklib-dict /usr/share/dict/*

Unix password policy

SAMBA passwords policy

Using pdbedit

pdbedit is a tool that can be used only by root. It is used to manage the passdb backend, as well as domain-wide account policy settings. pdbedit can be used to:

  • Add, remove, or modify user accounts.
  • List user accounts.
  • Migrate user accounts.
  • Migrate group accounts.
  • Manage account policies.
  • Manage domain access policy settings.

Commands will be executed to establish controls for our domain as follows:

  1. Min password length = 8 characters.
  2. Password history = last 4 passwords.
  3. Maximum password age = 90 days.
  4. Minimum password age = 7 days.
  5. Bad lockout attempt = 8 bad log on attempts.
  6. Lockout duration = forever, account must be manually re-enabled.

The following command execution will achieve these settings:

root #pdbedit -P "min password length" -C 8
account policy value for min password length was 5
account policy value for min password length is now 8
root #pdbedit -P "password history" -C 4
account policy value for password history was 0
account policy value for password history is now 4
root #pdbedit -P "maximum password age" -C 7776000
account policy value for maximum password age was 4294967295
account policy value for maximum password age is now 7776000
root #pdbedit -P "minimum password age" -C 604800
account policy value for minimum password age was 0
account policy value for minimum password age is now 7
root #pdbedit -P "bad lockout attempt" -C 8
account policy value for bad lockout attempt was 0
account policy value for bad lockout attempt is now 8
root #pdbedit -P "lockout duration" -C -1
account policy value for lockout duration was 30
account policy value for lockout duration is now 4294967295
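
The check below is an added example, not part of the original article or of Samba. It reads the "is now" lines that pdbedit prints in the session above and compares them with the six intended settings, so a value entered in the wrong unit stands out. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
DAY=86400  # the age values on this page are in seconds (90 days = 7776000)

# expected_value NAME: intended value, in the units pdbedit reports.
expected_value() {
    case "$1" in
        "min password length")  echo 8 ;;
        "password history")     echo 4 ;;
        "maximum password age") echo $((90 * DAY)) ;;
        "minimum password age") echo $((7 * DAY)) ;;
        "bad lockout attempt")  echo 8 ;;
        "lockout duration")     echo 4294967295 ;;  # -C -1 is reported as this (forever)
        *) return 1 ;;
    esac
}

# audit_policy: read pdbedit output on stdin and print one line per problem.
# Returns 0 only if every "is now" line matches the intended policy.
audit_policy() {
    status=0
    while IFS= read -r line; do
        case "$line" in
            "account policy value for "*" is now "*) ;;
            *) continue ;;   # skip prompts and "was" lines
        esac
        rest=${line#account policy value for }
        name=${rest% is now *}
        value=${rest##* is now }
        want=$(expected_value "$name") || { echo "UNKNOWN $name"; status=1; continue; }
        if [ "$value" != "$want" ]; then
            echo "MISMATCH $name: got $value, want $want"
            status=1
        fi
    done
    return $status
}

# Constructed sample: the minimum age was entered in days instead of seconds.
sample_output() {
cat <<'EOF'
account policy value for min password length is now 8
account policy value for maximum password age is now 7776000
account policy value for minimum password age is now 7
account policy value for lockout duration is now 4294967295
EOF
}

sample_output | audit_policy || true
```

To audit a real session, pipe the saved pdbedit output into audit_policy instead of the sample.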

CrackCheck

Next, crackcheck can be used to check the complexity of passwords:

Unpack samba-*.tar.gz and cd to examples/auth/crackcheck. Then compile it:

user $make

Copy this to somewhere more sensible:

root #cp crackcheck /usr/local/sbin

Edit Samba's configuration file:

FILE /etc/samba/smb.conf (Samba's configuration)
check password script = /usr/local/sbin/crackcheck -s -d /usr/lib/cracklib-dict

Reload samba configuration:

root #/etc/init.d/samba reload

External resources