1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
|
<?xml version="1.0"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
<article class="productsheet">
<title>cracklib utilities</title>
<articleinfo>
<abstract>
<para><application>cracklib2</application> is a library
containing a C function which may be used in a <ulink
url="/cgi-bin/man/man2html/passwd+1">passwd
(1)</ulink> like program. The idea is simple: try to prevent
users from choosing passwords that could be guessed by <ulink
url="http://www.crypticide.com/alecm/security/c50-faq.html"><application><filename>crack</filename></application></ulink>
by filtering them out, at
source. <application>cracklib2</application> is
<emphasis>not</emphasis> a replacement <ulink
url="/cgi-bin/man/man2html/passwd+1">passwd
(1)</ulink> program. <application>cracklib2</application> is a
<emphasis>library</emphasis>.</para>
<para><package>cracklib-runtime</package> contains run-time support programs which use the shared library in <package>libcrack2</package> including programs to build the password dictionary databases used by the functions in the shared library.</para>
</abstract>
<copyright>
<year>1998</year>
<year>1999</year>
<holder>Jean Pierre LeJacq</holder>
</copyright>
<copyright>
<year>2003</year>
<holder>Martin Pitt</holder>
</copyright>
<copyright>
<year>2008</year>
<holder>Jan Dittberner</holder>
</copyright>
<legalnotice>
<para>This package and this document is free software; you may
redistribute it and/or modify it under the terms of the GNU
General Public License version 2 as published by the Free
Software Foundation.</para>
<para>A copy of the GNU General Public License version 2 is
available as /usr/share/common-licenses/GPL-2 in the Debian
GNU/Linux distribution or on the World Wide Web at <ulink
url="http://www.gnu.org/copyleft/gpl.html">http://www.gnu.org/copyleft/gpl.html</ulink>. You
can also obtain it by writing to the Free Software Foundation,
Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301,
USA.</para>
</legalnotice>
<author>
<firstname>Jean Pierre</firstname>
<surname>LeJacq</surname>
<contrib>Original Debian packaging</contrib>
<email>jplejacq@quoininc.com</email>
</author>
<author>
<firstname>Martin</firstname>
<surname>Pitt</surname>
<contrib>Debian package maintainer before version 2.8.</contrib>
<email>mpitt@debian.org</email>
</author>
<author>
<firstname>Jan</firstname>
<surname>Dittberner</surname>
<contrib>Reformulation to DocBook XML, updated to reflect new
packaging and upstream version. Current Debian package
maintainer.</contrib>
<email>jandd@debian.org</email>
</author>
<pubdate>$Date: 2008-06-26 21:38:06 +0200 (Do, 26 Jun 2008) $</pubdate>
</articleinfo>
<section>
<title>Upstream <package>cracklib2</package> utilities.</title>
<section>
<title><package>cracklib2</package> dictionary utilities.</title>
<section id="s-cracklib-format">
<title>cracklib-format</title>
<para><application>cracklib-format</application> takes a list
of text files each containing a list of words, one per line,
It lowercases all words, removes control characters, and
sorts the lists. It outputs the cleaned up list to standard
output.
</para>
<para>For more information see the manual page of <ulink
url="/cgi-bin/man/man2html?cracklib-format+8"><application>cracklib-format</application></ulink>.</para>
</section>
<section id="s-cracklib-packer">
<title>cracklib-packer</title>
<para><application>cracklib-packer</application> reads from
standard input a list of sorted and cleaned words and creates
a database from the result.</para>
<para>For more information see the manual page of <ulink
url="/cgi-bin/man/man2html?cracklib-packer+8"><application>cracklib-packer</application></ulink>.</para>
</section>
<section>
<title>cracklib-unpacker</title>
<para><application>cracklib-unpacker</application> reads from
a database created by <link
linkend="s-cracklib-packer"><application>cracklib-packer</application></link>
and outputs on standard output the list of words that make up
the database.</para>
<para>For more information see the manual page of <ulink
url="/cgi-bin/man/man2html?cracklib-unpacker+8"><application>cracklib-unpacker</application></ulink>.</para>
</section>
<section>
<title>create-cracklib-dict</title>
<para><application>create-cracklib-dict</application> takes
one or more word list files as arguments and converts them
into cracklib dictionaries for use by password checking
programs. The results are placed in the default compiled-in
dictionary location (<xref
linkend="s-debian-dictionary-location" />).</para>
<para>If you wish to store the dictionary in a different
location, use the <link
linkend="s-cracklib-format">cracklib-format</link> and <link
linkend="s-cracklib-packer"><application>cracklib-packer</application></link>
commands directly.</para>
</section>
</section>
<section>
<title><package>cracklib2</package>'s test utility
<application>cracklib-check.</application></title>
<para><application>cracklib-check</application> takes a list of
passwords from stdin and checks them via libcrack2's <ulink
url="/cgi-bin/man/man2html/FascistCheck+3">FascistCheck</ulink>
sub routine.</para>
<para><application>cracklib-check</application> prints each
checked password and the corresponding result of <ulink
url="/cgi-bin/man/man2html/FascistCheck+3">FascistCheck</ulink>
to stdout. The password and the result are separated by a
colon.</para>
</section>
</section>
<section>
<title>Debian <package>cracklib2</package> utilities.</title>
<section>
<title>update-cracklib</title>
<para><application>update-cracklib</application> uses <link
linkend="s-cracklib-format"><application>cracklib-format</application></link>
and <link
linkend="s-cracklib-packer"><application>cracklib-packer</application></link>
to update the default cracklib dictionary it uses the word lists
configured in
<filename>/etc/cracklib/cracklib.conf</filename>.</para>
<para>For more information see the manual page of <ulink
url="/cgi-bin/man/man2html?update-cracklib+8"><application>cracklib-format</application></ulink>.</para>
</section>
</section>
<section>
<title>Debian dictionaries</title>
<para><application>cracklib2</application> uses a word database
that is in a binary format generated by the utilities <link
linkend="s-cracklib-format"><application>cracklib-format</application></link>
and <link
linkend="s-cracklib-packer"><application>cracklib-packer</application></link>. Three
files are created with the suffixes of .hwm, .pwd, and .pwi. These
files are not byte-order independent, in fact they are probably
architecture specific, mostly due to speed constraints.</para>
<section id="s-debian-dictionary-location">
<title>Database location for cracklib utilities.</title>
<para>All cracklib utilities can use a dictionary database
location specified as a command line argument. The utilities use
a default dictionary database if nothing else is specified. On a
Debian system the database is located in the directory
<filename>/var/cache/cracklib/cracklib_dict</filename> and is
generated daily with the program
<filename>/etc/cron.daily/cracklib</filename>.</para>
</section>
<section>
<title>Word lists for creating dictionary databases.</title>
<para><application>cracklib2</application> is only as good as the word dictionary database you create. Basically, you want to include any word that a malicious user could guess. It could include:
<itemizedlist>
<listitem>
<para>Names (including nicknames and user ids) of all users.</para>
</listitem>
<listitem>
<para>Names of pets, relatives, cars, ... of all users.</para>
</listitem>
<listitem>
<para>Computer, network, printer, ... names.</para>
</listitem>
<listitem>
<para>Insurance numbers, employee numbers, ... of users. *
...</para>
</listitem>
</itemizedlist>
</para>
<para>Debian provides a number of word lists that can be used as
sources for creating the cracklib2 dictionary database. The
package wenglish provides a standard ASCII word list that can be
directly used. The package ispell also supplies a large word
list but it is in binary format. I haven't figured out how to
decode this binary format so that the resulting word list can be
used by cracklib2.</para>
</section>
</section>
</article>
|
