cracklib2 is a library containing a C function which may be used in a
passwd-like program. The idea is simple: try to prevent users from choosing
passwords that could be guessed by crack by filtering them out, at source.
cracklib2 is not a replacement passwd program. cracklib2 is a library.

cracklib2-dev contains the header files, static libraries, documentation,
and symbolic links developers using cracklib2 will need.

cracklib2 with Debian

In Debian the binary packages login and passwd (both part of the source
package shadow) and pam have some support for cracklib2. I've successfully
built the shadow source package with cracklib2 support.

To use cracklib2 with the shadow package, you'll need to download the source
package and rebuild the package on your machine. You'll obviously need the
development environment. Fortunately, no changes in the source code or
Debian modifications need to be made since the autoconf programs will
automatically detect that cracklib2 is installed. The only requirement is
that cracklib2 must be installed prior to rebuilding shadow.

After installing the resulting rebuilt binary packages, you'll need to
modify the file /etc/login.defs. Set the entry for CRACKLIB_DICTPATH to the
location of the cracklib2 dictionary database. This would normally be
/var/cache/cracklib/cracklib_dict.

Next, you'll need to define what word list should be used to construct the
/var/cache/cracklib/cracklib_dict database. Do this by adding additional
entries in /etc/cracklib/cracklib.conf.

Finally, you'll need the utilities from the cracklib-runtime package to
build the dictionary databases that are needed by the shadow package that
you built earlier.

That's it! Now every time a user changes or initially sets their password,
it will be checked against the cracklib2 database.
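
A quick way to confirm the setup described above actually took effect, as an added example that is not part of the original page or of the shadow or cracklib packages. The function name check_cracklib_setup and its return codes are hypothetical; it assumes the packed dictionary consists of the usual cracklib files with the suffixes .pwd, .pwi and .hwm next to the CRACKLIB_DICTPATH prefix.

```shell
#!/bin/sh
# Hypothetical helper (not shipped by shadow or cracklib).
# Usage: check_cracklib_setup /etc/login.defs
# Reads CRACKLIB_DICTPATH from a login.defs-style file and confirms that the
# packed dictionary it points at exists, so a missing database is noticed
# before users start changing passwords.
# Return codes: 0 ok, 1 file unreadable, 2 entry missing, 3 dictionary incomplete.
check_cracklib_setup() {
    defs=${1:-/etc/login.defs}
    if [ ! -r "$defs" ]; then
        echo "cannot read $defs" >&2
        return 1
    fi

    # login.defs lines are "NAME <whitespace> VALUE"; lines starting with '#'
    # are comments and never match because their first field differs.
    # Assumption: if the entry appears more than once, the last one is used.
    dictpath=$(awk '$1 == "CRACKLIB_DICTPATH" { v = $2 } END { print v }' "$defs")
    if [ -z "$dictpath" ]; then
        echo "CRACKLIB_DICTPATH is not set in $defs" >&2
        return 2
    fi

    # CRACKLIB_DICTPATH is a prefix, not a file: the packed database is the
    # set of files <prefix>.pwd, <prefix>.pwi and <prefix>.hwm.
    missing=0
    for ext in pwd pwi hwm; do
        f="$dictpath.$ext"
        if [ ! -s "$f" ]; then
            echo "missing or empty: $f" >&2
            missing=1
        fi
    done
    if [ "$missing" -ne 0 ]; then
        return 3
    fi

    echo "ok: $dictpath"
}
```

Return code 3 usually means the dictionary build step from cracklib-runtime has not been run yet, or CRACKLIB_DICTPATH points at a different prefix than the one the dictionary was written to.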

The Debian pam source package has the pam_cracklib pluggable module that
supports cracklib2. Unfortunately, I haven't investigated if it works or the
steps required.