cracklib2 is a library containing a C function which may be used in a passwd-like program. The idea is simple: try to prevent users from choosing passwords that could be guessed by crack by filtering them out, at source. cracklib2 is not a replacement passwd program. cracklib2 is a library.

cracklib-runtime contains run-time support programs which use the shared library in cracklib2, including programs to build the password dictionary databases used by the functions in the shared library.

crack_mkdict takes a list of ASCII files, each containing a list of words, one per line. It lowercases all words, removes control characters, and sorts the lists. It outputs the cleaned-up list to standard output.

If you supply massive amounts of text to crack_mkdict you must have enough free space available for use by the sort command. If you do not have 20Mb free in /var/tmp (or whatever temporary area your sort command uses), have a look at the /usr/sbin/crack_mkdict program, which is a sh script. You can usually tweak the sort command to use any large area of disk you desire by means of the -T option; crack_mkdict has a hook for this.

crack_packer reads from standard input a list of sorted and cleaned words and creates a database in the directory and prefix given by the command line argument cracklib_dictpath. Three files are created with the suffixes .hwm, .pwd, and .pwi. These three files are in the format that the FascistCheck subroutine and the crack_unpacker, crack_testlib, crack_testnum, and crack_teststr utilities understand. The number of words read and written is printed on stdout.

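The build pipeline described above (clean the word lists, then pack them), as an added example that is not part of the cracklib2 or cracklib-runtime packages. clean_wordlist approximates in portable shell what crack_mkdict does (lowercase, strip control characters, sort); build_db pipes its output into crack_packer. The SORT_TMP variable stands in for the -T hook mentioned above, and its default path, the function names and the script name are assumptions.

```shell
#!/bin/sh
# Added example, not part of the cracklib2 or cracklib-runtime packages.
# clean_wordlist approximates the cleaning that crack_mkdict performs
# (lowercase, strip control characters, sort) in portable shell, and
# build_db pipes the result into crack_packer. SORT_TMP stands in for the
# sort -T hook described in the README; its default path is an assumption.
set -eu

SORT_TMP="${SORT_TMP:-/var/tmp}"   # scratch area for sort -T (assumed path)

# clean_wordlist FILE...
# Lowercase every word, delete control characters (CR, NUL, tabs, ...) while
# keeping the newline that separates words, drop empty lines, then sort and
# de-duplicate. Output goes to standard output, like crack_mkdict.
clean_wordlist() {
    cat "$@" \
        | tr '[:upper:]' '[:lower:]' \
        | tr -d '\000-\011\013-\037\177' \
        | grep -v '^$' \
        | sort -u -T "$SORT_TMP"
}

# build_db DICTPATH FILE...
# Feed the cleaned list to crack_packer, which writes DICTPATH.hwm,
# DICTPATH.pwd and DICTPATH.pwi (on Debian the packaged location is
# /var/cache/cracklib/cracklib_dict). Fails cleanly when cracklib-runtime
# is not installed.
build_db() {
    dictpath=$1
    shift
    if ! command -v crack_packer >/dev/null 2>&1; then
        echo "crack_packer not found: install cracklib-runtime" >&2
        return 1
    fi
    clean_wordlist "$@" | crack_packer "$dictpath"
}

# Usage: sh build-cracklib-db.sh DICTPATH WORDLIST...
# Only runs when arguments are given, so the functions can also be sourced.
if [ "$#" -ge 2 ]; then
    build_db "$@"
fi
```

A typical invocation on Debian, assuming the wenglish package has installed its list as /usr/share/dict/words, would be `sh build-cracklib-db.sh /var/cache/cracklib/cracklib_dict /usr/share/dict/words`; point SORT_TMP at a large filesystem first when the word lists are big. Stripping CR as well as other control characters means DOS-formatted lists are handled without leaving a stray carriage return on every word, which would otherwise prevent the packed dictionary from matching anything.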
crack_unpacker reads from the database in the directory and prefix given by the command line argument cracklib_dictpath and outputs on standard output the list of words that make up the database.

cracklib2 uses a word database that is in a binary format generated by the utilities crack_mkdict and crack_packer. Three files are created with the suffixes .hwm, .pwd, and .pwi. These files are not byte-order independent; in fact they are probably architecture specific, mostly due to speed constraints.

The dictionary test utilities have the location of the dictionary database hard-coded into them. On a Debian system the database is located in the directory /var/cache/cracklib/cracklib_dict and is generated daily with the program /etc/cron.daily/cracklib. The location is also defined in the header file crack.h using the constant CRACKLIB_DICTPATH. None of the subroutines in the cracklib libraries have this location hard-coded into their implementations.

cracklib2 is only as good as the word dictionary database you create. Basically, you want to include any word that a malicious user could guess. It could include:

  - Names (including nicknames and user ids) of all users.
  - Names of pets, relatives, cars, ... of all users.
  - Computer, network, printer, ... names.
  - Insurance numbers, employee numbers, ... of users.
  - ...

Debian provides a number of word lists that can be used as sources for creating the cracklib2 dictionary database. The package wenglish provides a standard ASCII word list that can be directly used. The package ispell also supplies a large word list, but it is in binary format. I haven't figured out how to decode this binary format so that the resulting word list can be used by cracklib2.

I plan to add the word list that comes with crack when I package it.

Here is a site that has dictionaries for a number of non-English languages as well as names.