Slackware and cracklib

Welcome to Simone Giustetti's wiki pages.


Languages: English - Italiano


Introduction

In an earlier article I introduced cracklib a small library of C functions aimed to check password strength against a dictionary based attack. Cracklib-check, the command line tool performing the actual checks, was also presented in the article alongside some examples of its use. The tool is undoubtedly useful, but penalized by its design that favors its use by system administrators. Both library and check program are installed in folders dedicated to system administration that standard users cannot access directly and require recurring to the full path for each command. The check must be explicitly performed and that represents another risk factor. Nothing force users to check for password strength with cracklib therefore nothing really prevents setting a weak password even when the tool is installed and working correctly.

In this article I will discuss a way to integrate cracklib with the authentication subsystem of Slackware Linux in order to automate password checking, forcing users to use the tool and improving the intrinsic safety of the system.

Tie Cracklib to the Slackware Linux Authentication System

There are two basic ways to tie cracklib to the authentication system of a Linux distribution depending whether PAM is used or not. Slackware Linux does not include PAM packages among its official ones. This is a cautious choice by the group of developers of the distribution who do not consider the level of security guaranteed by PAM sufficiently high and therefore prefer to give up the flexibility offered by the tool modules favoring a system easier to run and configure.

To tie cracklib to the shadow password authentication system you'll have to rebuild the authentication package from source and install it replacing the standard one. For Slackware 14.2 the mentioned package is: shadow-4.2.1. Follow the next steps to enable cracklib:

  • Build and install a recent cracklib package following the instructions included in an earlier article.
  • Download the shadow password source code into a local directory for example /tmp or /usr/src/shadow-4.2.1. The source code and build script for every Slackware Linux included package are available in the source code DVD, slackware-14.2-source-dvd.iso for example, or in the on-line source directory tree. Both can be downloaded from the net following links in the Slackware download page. From the DVD root or the online file tree root directory, search for the source code in sub-directory source/a/shadow/. The Slackware 14.2 directory should contain:
  [ ]   adduser                             13-Sep-2012 23:27    16K      Details
  [ ]   doinst.sh.gz                        28-Jan-2010 01:29    290      Details
  [ ]   login.defs.gz                       13-Sep-2012 23:27    4.5K     Details
  [DIR] patches/                            17-May-2013 02:19    -      
  [ ]   shadow-4.2.1.tar.xz                 09-May-2014 21:05    1.5M     Details
  [ ]   shadow-4.2.1.tar.xz.sig             09-May-2014 21:05    828      Details
  [ ]   shadow.CVE-2005-4890.relax.diff.gz  14-Dec-2013 21:05    734      Details
  [ ]   shadow.SlackBuild                   02-Jul-2014 00:21    5.1K     Details
  [ ]   shadow.url                          02-Jul-2014 00:15    46       Details
  [ ]   slack-desc                          30-Apr-2002 23:51    1.0K     Details
  [ ]   useradd.gz
  • Download all of the files and sub-folders into the target directory of the local system then update the build script shadow.SlackBuild removing line:
   --without-libcrack \

to replace it with:

   --with-libcrack \

in order to enable cracklib feature support at compile time.

  • Build the package with command:
  root@system # sh ./shadow.SlackBuild

then wait for the script to finish. A copy of the package will be saved into directory /tmp.

  • Update the package overwriting the installed one:
  root@system # upgradepkg --reinstall /tmp/shadow-4.2.1-i486-1.txz

The --reinstall option is mandatory otherwise the package will be ignored as it is already part of the system:

  root@system # upgradepkg shadow-4.2.1-i486-1.txz 
  
  +==============================================================================
  | Skipping package shadow-4.2.1-i486-1 (already installed)
  +==============================================================================
  • After installing you must configure dictionaries and enable their use with passwd. Dictionary configuration was part of an earlier article. Instructions to replace the standard dictionary, containing several thousand words, with the extended one containing approximately 2 millions words are summarized below. All commands should be run by root as they write system files and touch system directories.
  root@system # create-cracklib-dict /usr/share/cracklib/*
  skipping line: 1
  warning: input out of order: 'ghabcdefghabcdefghabcdefghabcd' should not follow 'habcdefghabcdefghabcdefghabcde' (line 55371)
  warning: input out of order: 'fghabcdefghabcdefghabcdefghabc' should not follow 'ghabcdefghabcdefghabcdefghabcd' (line 55372)
  warning: input out of order: 'efghabcdefghabcdefghabcdefghab' should not follow 'fghabcdefghabcdefghabcdefghabc' (line 55373)
  warning: input out of order: 'fghabcdefghabcdefghabcdefghabc' should not follow 'ghabcdefghabcdefghabcdefghabcd' (line 55375)
  warning: input out of order: 'abcdefghi' should not follow 'fghabcdefghabcdefghabcdefghabc' (line 55376)
  1911522 1911521
  root@system # ls -la /usr/share/cracklib/
  total 28252
  drwxr-xr-x   2 root root     4096 Dec  9 18:46 .
  drwxr-xr-x 214 root root     4096 Dec  9 20:02 ..
  -rw-r--r--   1 root root 19163351 Dec  9 18:46 cracklib-large
  -rw-r--r--   1 root root   492822 Dec  9 18:46 cracklib-small
  -rw-r--r--   1 root root      360 Dec  9 18:46 cracklib.magic
  -rw-r--r--   1 root root     1024 Dec 13 00:13 pw_dict.hwm
  -rw-r--r--   1 root root  8771150 Dec 13 00:13 pw_dict.pwd
  -rw-r--r--   1 root root   477896 Dec 13 00:13 pw_dict.pwi

One dictionary consists of the 3 files named pw_dict while cracklib-large and cracklib-small are the source files read to write extended and standard dictionary respectively.

  • At last update the configuration file /etc/login.defs to enable passwd command to use cracklib checks. Add a line pointing to the dictionary to use in order to perform checks:
   CRACKLIB_DICTPATH   /usr/share/cracklib/pw_dict

Where /usr/share/cracklib is the path to the directory containing dictionaries while pw_dict is the common name shared by the 3 files that make up a dictionary. The /etc/login.defs file includes a default line of configuration that points to the wrong, usually not existing, file. Comment the line out:

   # If compiled with cracklib support, where are the dictionaries
   #CRACKLIB_DICTPATH   /var/cache/cracklib/cracklib_dict

Password checking will be enabled immediately after the configuration update:

  jil-big@system:~$ passwd
  Changing password for jil-big
  Old password: 
  Enter the new password (minimum of 5 characters)
  Please use a combination of upper and lower case letters and numbers.
  New password: 
  Bad password: it is based on a dictionary word.  Try again.
  New password: 
  Bad password: too simple.  Try again.
  New password: 
  Bad password: it is too simplistic/systematic.  Try again.
  New password: 
  Bad password: it is based on a dictionary word.  Try again.
  New password: 
  Bad password: too simple.  Try again.
  The password for jil-big is unchanged. 

Checks are performed while updating a password therefore affect all the passwords that are set for the first time or reset after installing cracklib, but does not automatically touch previously set ones. To force a check of all users authentication passwords you'll have to expire them forcing an user update. For example using command:

  passwd -e  <uset>

Enabling cracklib for passwd has a drawback presenting whenever the shadow password package needs an update. Obviously the updated packages provided by Slackware will not support the library and the system administrator will have to rebuild and update the package following the procedure described above. This additional task is required for every package update. However we are talking about a very remote eventuality as the programs included in shadow passwords are very mature and widely tested and bugs or security alerts requiring an update are rarely reported.


Conclusions

Cracklib is both an easy to use and performing tool very useful to improve the security of a Linux / UNIX PC or Server as it allows to check the strength of passwords and discard those too easy to guess. This article described in detail a procedure to integrate cracklib with the shadow password authentication system: the standard adopted by Slackware and many other Linux distributions. The integration of the two systems is recommended because it makes the tool available to all users, not just administrators, and makes the check against a dictionary mandatory. The control is performed automatically when updating a password and cannot be circumvented. In the last paragraph of the article I suggested an easy way to "age" the password of a user forcing her / him to update it and, consequently, to perform the check using cracklib.


For any feedback, questions, errors and such, please e-mail me at studiosg [at] giustetti [dot] net


External links





Languages: English - Italiano