cracklib2 is a library containing a C function which may be used in a passwd-like program. The idea is simple: try to prevent users from choosing passwords that could be guessed by crack by filtering them out, at source. cracklib2 is not a replacement passwd program. cracklib2 is a library.
cracklib-runtime contains run-time support programs which use the shared library in cracklib2, including programs to build the password dictionary databases used by the functions in the shared library.
cracklib2 utilities
cracklib2 dictionary utilities.
crack_mkdict
crack_mkdict file ...
crack_mkdict takes a list of ASCII files, each containing a list of words, one per line. It lowercases all words, removes control characters, and sorts the lists. It outputs the cleaned-up list to standard output.
If you supply massive amounts of text to crack_mkdict you must have enough free space available for use by the sort command. If you do not have 20Mb free in /var/tmp (or whatever temporary area your sort command uses), have a look at the /usr/sbin/crack_mkdict program, which is a sh program. You can usually tweak the sort command to use any large area of disk you desire, by use of the -T option. crack_mkdict has a hook for this.
crack_packer
crack_packer cracklib_dictpath
crack_packer reads from standard input a list of sorted and cleaned words and creates a database in the directory and prefix given by the command line argument cracklib_dictpath.
Three files are created with the suffixes .hwm, .pwd, and .pwi. These three files are in the format that the FascistCheck subroutine and the crack_unpacker, crack_testlib, crack_testnum, and crack_teststr utilities understand. The numbers of words read and written are printed on stdout.
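
The cleaning and packing steps described for crack_mkdict and crack_packer, as an added shell example (not the Debian crack_mkdict script or any code from the package). The function names, the SORT_TMPDIR variable and the sample words are assumptions of this example, and dropping blank lines and duplicates goes beyond what the page describes.

```shell
#!/bin/sh
# Added example, not the packaged crack_mkdict: emulates the steps the page
# describes (lowercase, strip control characters, sort) in plain POSIX sh.

# clean_wordlist FILE...
# SORT_TMPDIR (hypothetical name) is handed to sort -T so large inputs can
# spill to a disk area with enough free space.
clean_wordlist() {
    # Control characters are deleted by octal range, except newline (\012),
    # which must survive as the word separator. Dropping blank lines and
    # duplicates is this example's addition.
    cat -- "$@" |
        LC_ALL=C tr '[:upper:]' '[:lower:]' |
        LC_ALL=C tr -d '\000-\011\013-\037\177' |
        grep -v '^$' |
        LC_ALL=C sort -u -T "${SORT_TMPDIR:-${TMPDIR:-/tmp}}"
}

# build_dict DICTPATH FILE...
# Feeds the cleaned list to crack_packer and confirms the three database
# files named on the page exist afterwards.
build_dict() {
    dictpath=$1
    shift
    command -v crack_packer >/dev/null 2>&1 || {
        echo "crack_packer not installed" >&2
        return 127
    }
    clean_wordlist "$@" | crack_packer "$dictpath" || return 1
    for suffix in hwm pwd pwi; do
        [ -f "$dictpath.$suffix" ] || {
            echo "missing $dictpath.$suffix" >&2
            return 1
        }
    done
}

# Constructed sample input: mixed case, a CR line ending, a tab, a blank
# line and a duplicate.
sample=$(mktemp)
printf 'Password\r\nletmein\nQwerty\t\n\nletmein\n' > "$sample"
clean_wordlist "$sample"    # prints: letmein, password, qwerty (one per line)
rm -f "$sample"
```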
crack_unpacker
crack_unpacker cracklib_dictpath
crack_unpacker reads from the database in the directory and prefix given by the command line argument cracklib_dictpath and outputs on standard output the list of words that make up the database.
cracklib2 test utilities.
These are interactive command line utilities to test the installed cracklib dictionary. Each takes one string or number per line. Enter ^C when done.
crack_testlib
crack_testlib
crack_testlib tests if the input string will be accepted as a valid password by the installed cracklib2 dictionary using the FascistCheck subroutine.
crack_testnum
crack_testnum
crack_testnum tests if the input integer is an index to a word in the installed cracklib2 dictionary and returns the word if found.
crack_teststr
crack_teststr
crack_teststr tests if the input string is in the installed cracklib2 dictionary and returns its index number if found.
cracklib2 uses a word database that is in a binary format generated by the utilities crack_mkdict and crack_packer.
Three files are created with the suffixes .hwm, .pwd, and .pwi. These files are not byte-order independent; in fact they are probably architecture specific, mostly due to speed constraints.
cracklib test utilities.
The dictionary test utilities have the location of the dictionary database hard-coded into them. On a Debian system the database is located in the directory /var/cache/cracklib/cracklib_dict and is generated daily with the program /etc/cron.daily/cracklib. The location is also defined in the header file crack.h using the constant CRACKLIB_DICTPATH. None of the subroutines in the cracklib libraries have this location hard-coded into their implementations.
cracklib2 is only as good as the word dictionary database you create. Basically, you want to include any word that a malicious user could guess. It could include:
Debian provides a number of word lists that can be used as sources for creating the cracklib2 dictionary database. The package wenglish provides a standard ASCII word list that can be directly used. The package ispell also supplies a large word list but it is in binary format. I haven't figured out how to decode this binary format so that the resulting word list can be used by cracklib2.
Original Copyright © 1998, 1999 Jean Pierre LeJacq
Currently maintained by Martin Pitt
Distributed under the GNU GENERAL PUBLIC LICENSE.
last-modified: Thu, 21 Oct 2003