Copyright © 1998, 1999 Jean Pierre LeJacq
Copyright © 2003 Martin Pitt
Copyright © 2008 Jan Dittberner
This package and this document is free software; you may redistribute it and/or modify it under the terms of the GNU General Public License version 2 as published by the Free Software Foundation.
A copy of the GNU General Public License version 2 is available as /usr/share/common-licenses/GPL-2 in the Debian GNU/Linux distribution or on the World Wide Web at http://www.gnu.org/copyleft/gpl.html. You can also obtain it by writing to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
$Date: 2008-06-26 21:38:06 +0200 (Do, 26 Jun 2008) $
Abstract
cracklib2 is a library containing a C function which may be used in a passwd(1) like program. The idea is simple: try to prevent users from choosing passwords that could be guessed by crack by filtering them out, at source. cracklib2 is not a replacement passwd(1) program. cracklib2 is a library.
cracklib-runtime contains run-time support programs which use the shared library in libcrack2 including programs to build the password dictionary databases used by the functions in the shared library.
cracklib-format takes a list of text files, each containing a list of words, one per line. It lowercases all words, removes control characters, and sorts the lists. It outputs the cleaned-up list to standard output.
For more information see the manual page of cracklib-format.
cracklib-packer reads from standard input a list of sorted and cleaned words and creates a database from the result.
For more information see the manual page of cracklib-packer.
cracklib-unpacker reads from a database created by cracklib-packer and outputs on standard output the list of words that make up the database.
For more information see the manual page of cracklib-unpacker.
create-cracklib-dict takes one or more word list files as arguments and converts them into cracklib dictionaries for use by password checking programs. The results are placed in the default compiled-in dictionary location (the section called “Database location for cracklib utilities.”).
If you wish to store the dictionary in a different location, use the cracklib-format and cracklib-packer commands directly.
cracklib-check takes a list of passwords from stdin and checks them via libcrack2’s FascistCheck subroutine.
cracklib-check prints each checked password and the corresponding result of FascistCheck to stdout. The password and the result are separated by a colon.
update-cracklib uses cracklib-format and cracklib-packer to update the default cracklib dictionary. It uses the word lists configured in /etc/cracklib/cracklib.conf.
For more information see the manual page of cracklib-format.
cracklib2 uses a word database in a binary format generated by the utilities cracklib-format and cracklib-packer. Three files are created, with the suffixes .hwm, .pwd, and .pwi. These files are not byte-order independent; in fact they are probably architecture specific, mostly due to speed constraints.
All cracklib utilities can use a dictionary database location specified as a command line argument. The utilities use a default dictionary database if nothing else is specified. On a Debian system the database is located in the directory /var/cache/cracklib/cracklib_dict and is generated daily with the program /etc/cron.daily/cracklib.
cracklib2 is only as good as the word dictionary database you create. Basically, you want to include any word that a malicious user could guess. It could include:
Names (including nicknames and user ids) of all users.
Names of pets, relatives, cars, ... of all users.
Computer, network, printer, ... names.
Insurance numbers, employee numbers, ... of users.
...
Debian provides a number of word lists that can be used as sources for creating the cracklib2 dictionary database. The package wenglish provides a standard ASCII word list that can be directly used. The package ispell also supplies a large word list but it is in binary format. I haven't figured out how to decode this binary format so that the resulting word list can be used by cracklib2.
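The following shell script is an added example, not part of the cracklib packages: it gathers login names, full-name parts and the host name as site-specific words and packs them into a dictionary at a non-default location using cracklib-format and cracklib-packer directly, as described above. The function names, the constructed sample passwd lines, and the use of getent and hostname as word sources are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the cracklib packages.

# Constructed sample in passwd(5) format, used for a dry run and for testing.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
jdoe:x:1000:1000:Jane Doe,Room 12,,:/home/jdoe:/bin/bash
asmith:x:1001:1001:Alice Smith-Jones:/home/asmith:/bin/sh
EOF
}

# site_words: read passwd(5) lines on stdin and print one candidate word per
# line: the login name plus each part of the full name (first GECOS field).
site_words() {
    awk -F: '
        $1 != "" { print $1 }
        {
            split($5, gecos, ",")
            n = split(gecos[1], part, /[^A-Za-z0-9]+/)
            for (i = 1; i <= n; i++)
                if (length(part[i]) > 1) print part[i]
        }' | LC_ALL=C sort -u
}

# build_dict DICT [WORDLIST...]: pack the site words, the host name and any
# extra word list files into DICT.hwm, DICT.pwd and DICT.pwi.
build_dict() {
    dict=$1
    shift
    tmp=$(mktemp) || return 1
    getent passwd | site_words > "$tmp"
    hostname >> "$tmp"
    # cracklib-format lowercases, cleans and sorts; cracklib-packer reads the
    # result on standard input and writes the database at the given location.
    cracklib-format "$tmp" "$@" | cracklib-packer "$dict"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Build only when a target path is given and the cracklib tools are installed,
# e.g.: sh site-dict.sh /var/tmp/site_dict
if [ $# -ge 1 ] && command -v cracklib-packer >/dev/null 2>&1; then
    build_dict "$@"
fi
```

Running `sample_passwd | site_words` shows the words that would be added without touching any dictionary.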