
Doc changes for cracklib (to go with code changes)



I have made some changes to the cracklib module. I am not sure of
the correct format to provide the changes in. In the diffs below
the file.ship is from the shipment and the file with no extra
stuff is the changed file. I can move the files around and re-do
the diff if there is a better way.

These are the documentation changes; changes to the code are in another
message.


These changes are to enable the use of the cracklib with long
passwords as available with md5. I use md5 and shadow on one of
the systems here and found that cracklib's requirement of at
least 1/2 of the chars different in the new password was getting
in my way, as well as the restriction on length not being
long enough. See the comments in the code and the documentation.
In addition I added to the documentation for cracklib after I figured
out what the rules were.

----------------------cut here------------------------------------
*** doc/modules/pam_cracklib.sgml.ship	Thu Jul 31 14:44:02 1997
--- doc/modules/pam_cracklib.sgml	Thu Jul 31 14:44:44 1997
***************
*** 52,57 ****
--- 52,105 ----
  unix module -- see example and pam_pwdb write up for more
  information).
  
+ It first calls the crack_lib routine to check the password
+ and if crack likes the password then it does a set of strength
+ checks. these checks are:
+ <itemize>
+ 
+ <item> <tt/Palindrome/ -
+ 
+ Is the new password a palindrome of the old one.
+ 
+ <item> <tt/Case Change Only/ -
+ 
+ Is the new password the the old one with only a change of case.
+ 
+ 
+ <item> <tt/Similar/ -
+ 
+ Is the new password too much like the old one. This is controlled
+ by one argument, difok which is a number of bytes that if
+ different between the old and new are enough to accept the new
+ password, this defaults to 10 or 1/2 the size of the new password
+ whichever is smaller.
+ 
+ <item <tt/Simple/ -
+ 
+ Is the new password too small, this is controlled by 5 arguments
+ minlen, dcredit, ucredit, lcredit, and ocredit. See the section
+ on the arguments for the details of how these work and there 
+ defaults.
+ 
+ <item <tt/Rotated/ -
+ 
+ Is the new password a rotated version of the old password.
+ 
+ </itemize>
+ This module with no arguments will work well for standard unix
+ password encryption but has problems with md5 passwords if the
+ passwords are long because of a requirements that the new password
+ has no more than 1/2 of its bytes contained some-ware in the old
+ password, if a pass-phrase is used, for example but only for
+ example, "the quick brown fox jumped over the lazy dog" then
+ it will be very hard to find a new password that will pass
+ this test. In addition the default actions is to allow passwords
+ as small as 5 bytes long. For a md5 systems it is a good
+ idea to increase the required size of the password and to
+ allow more credit for different kinds of bytes but to accept
+ that the new password may have most of its bytes in the old
+ password. 
+ 
  <sect2>Password component
  
  <p>
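Review bot: the `<item <tt/Simple/ -` and `<item <tt/Rotated/ -` entries are missing the closing `>` on the `<item` tag, so the SGML source will not build cleanly; they should read `<item> <tt/Simple/ -` and `<item> <tt/Rotated/ -` like the three entries above them. The same hunk has "the the" in the Case Change Only entry and "some-ware" for "somewhere" in the md5 paragraph. Since the Similar entry already says difok defaults to 10 or 1/2 the size of the new password, whichever is smaller, the md5 paragraph would be clearer if it named difok as the argument that controls the 1/2-of-the-bytes rule it complains about, so the reader knows what to tune.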
***************
*** 59,65 ****
  
  <tag><bf>Recognized arguments:</bf></tag>
  
! <tt/debug/; <tt/type=XXX/; <tt/retry=N/
  
  <tag><bf>Description:</bf></tag>
  
--- 107,114 ----
  
  <tag><bf>Recognized arguments:</bf></tag>
  
! <tt/debug/; <tt/type=XXX/; <tt/retry=N/; <tt/difok=N/; <tt/minlen=N/;
! <tt/dcredit=N/; <tt/ucredit=N/; <tt/lcredit=N/; <tt/ocredit=N/;
  
  <tag><bf>Description:</bf></tag>
  
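Review bot: the rewritten argument list ends with a stray `;` after `<tt/ocredit=N/`, which the original `<tt/debug/; <tt/type=XXX/; <tt/retry=N/` line did not have; the semicolons are separators between arguments, so drop the trailing one. Each of the six new names introduced here needs a matching `<item>` entry in the argument list that follows, which the next hunk supplies.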
***************
*** 98,103 ****
--- 147,204 ----
  (for strength-checking) from the user is 1. Using this argument this
  can be increased to <tt/N/.
  
+ <item> <tt/difok=N/ -
+ 
+ This argument will change the default of 10 for the number of bytes
+ in the new password that must not be present in the old password. In
+ addition if 1/2 of the bytes in the new password are different then
+ the new password will be accepted anyway.
+ 
+ <item> <tt/minlen=N/ -
+ 
+ The base minimum site of the new password, in addition to the bytes
+ on the new password credit is given for each different kind of byte
+ (other, upper, lower and digit) therefor you want to give a number one
+ more than the minimum that you want unless you set all of the credits
+ to zero. The default for this is 9 which is good for a old style unix
+ password system but too low for a md5 systems. Note that there is a
+ pair of length limits in crack_lib itself, a "way too short" limit
+ of 4 which is hard coded in and a defined limit (6 on the source
+ that I have) that will be checked without reference to minlen. If you
+ want to allow passwords as short as 5 bytes you will either need to
+ not use this module or will need to re-compile the crack library.
+ 
+ <item> <tt/dcredit=N/ -
+ 
+ This is the maximum credit for having digits in the new password, if
+ you have less than or <tt/N/ digits each will count off the minimum
+ size the new password needs to be. The default for this is 1, a good
+ value for the <tt/minlen/ less than 10 or so.
+ 
+ <item> <tt/ucredit=N/ -
+ 
+ This is the maximum credit for having upper case letters in the new password, if
+ you have less than or <tt/N/ upper case letters each will count off the minimum
+ size the new password needs to be. The default for this is 1, a good
+ value for the <tt/minlen/ less than 10 or so.
+ 
+ 
+ <item> <tt/lcredit=N/ -
+ 
+ This is the maximum credit for having lower case letters in the new password, if
+ you have less than or <tt/N/ lower case letters each will count off the minimum
+ size the new password needs to be. The default for this is 1, a good
+ value for the <tt/minlen/ less than 10 or so.
+ 
+ 
+ <item> <tt/ocredit=N/ -
+ 
+ This is the maximum credit for having any other bytes in the new password, if
+ you have less than or <tt/N/ any other bytes each will count off the minimum
+ size the new password needs to be. The default for this is 1, a good
+ value for the <tt/minlen/ less than 10 or so.
+ 
+ 
  </itemize>
  
  <tag><bf>Examples/suggested usage:</bf></tag>
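Review bot: all four credit entries say "if you have less than or <tt/N/ digits", which is missing "equal to"; write "if you have <tt/N/ or fewer digits, each one counts off the minimum size" (and likewise for upper case, lower case and other bytes) so the rule is unambiguous. The minlen entry has "minimum site" for "minimum size" and "therefor" for "therefore". It would also help to spell out the arithmetic the minlen entry implies: with the default minlen of 9 and the four credits each defaulting to 1, a password that contains all four kinds of byte needs only 9 - 4 = 5 bytes, which is the 5-byte minimum the first hunk mentions and which, as the entry itself notes, cracklib's compiled-in limit of 6 rejects anyway unless the library is rebuilt.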
***************
*** 123,128 ****
--- 224,243 ----
  </verb>
  </tscreen>
  
+ <p>
+ Another example is for the condition where you want to use md5 
+ <tscreen>
+ <verb>
+ #
+ # These lines allow a md5 systems to support passwords of at least
+ # 14 bytes with extra credit of 2 for digits and 2 for others
+ # the new password must have at least three bytes that are not present
+ # in the old password
+ #
+ password   required     /lib/security/pam_cracklib.so difok=3 minlen=15 dcredit= 2 ocredit=2
+ password   required     /lib/security/pam_pwdb.so use_authtok nullok md5
+ </verb>
+ </tscreen>
  </descrip>
  
  <!--
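Review bot: in the example configuration line, `dcredit= 2` has a space after the `=`, so the PAM configuration parser will pass `dcredit=` and `2` to the module as two separate arguments instead of `dcredit=2`; remove the space so the line reads `difok=3 minlen=15 dcredit=2 ocredit=2`. The comment's claim of "passwords of at least 14 bytes" is also too optimistic given the credit rules documented in the previous hunk: with dcredit=2, ocredit=2 and the ucredit and lcredit defaults of 1, a password containing all four kinds of byte can earn 6 credits, so minlen=15 admits a 9-byte password; either state the real minimum or set the credits to zero if 14 bytes is the intended floor. The introductory sentence "Another example is for the condition where you want to use md5" also needs a full stop.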
----------------------cut here------------------------------------
-- 
Philip W. Dalrymple III <pwd@mdtsoft.com>
This article is a natural product.  The slight variations in spelling and
grammar enhance its individual character and beauty and in no way are to 
be considered flaws or defects.
+1 770 642 3001