source: postlfs/security/cracklib.xml@ 0aeb696

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
   "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

    <!-- Inserted as a reminder to do this. The mention of a test suite
         is usually right before the root user installation commands. Please
         delete these 12 (including one blank) lines after you are done.-->

    <!-- Use one of the two mentions below about a test suite,
         delete the line that is not applicable. Of course, if the
         test suite uses syntax other than "make check", revise the
         line to reflect the actual syntax to run the test suite -->

    <!-- <para>This package does not come with a test suite.</para> -->
    <!-- <para>To test the results, issue: <command>make check</command>.</para> -->

  <!ENTITY cracklib-download-http "http://prdownloads.sourceforge.net/cracklib/cracklib-&cracklib-version;.tar.gz">
  <!ENTITY cracklib-download-ftp  " ">
  <!ENTITY cracklib-http-md5sum   "9a8c9eb26b48787c84024ac779f64bb2">
  <!ENTITY cracklib-size          "575 KB">
  <!ENTITY cracklib-buildsize     "29.2 MB (without Python bindings)">
  <!ENTITY cracklib-time          "0.1 SBU">
  <!ENTITY crackdict-download     "http://prdownloads.sourceforge.net/cracklib/cracklib-words.gz">
  <!ENTITY crackdict-size         "4.4 MB">
  <!ENTITY crackdict-md5sum       "d18e670e5df560a8745e1b4dede8f84f">
]>

<sect1 id="cracklib" xreflabel="CrackLib-&cracklib-version;">
  <?dbhtml filename="cracklib.html"?>

  <sect1info>
    <othername>$LastChangedBy$</othername>
    <date>$Date$</date>
    <keywordset>
      <keyword role="package">cracklib-&cracklib-version;.tar</keyword>
      <keyword role="ftpdir">cracklib</keyword>
    </keywordset>
  </sect1info>

  <title>CrackLib-&cracklib-version;</title>

  <indexterm zone="cracklib">
    <primary sortas="a-CrackLib">CrackLib</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to CrackLib</title>

    <para>The <application>CrackLib</application> package contains a
    library used to enforce strong passwords by comparing user selected
    passwords to words in chosen word lists.</para>

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>Download (HTTP): <ulink url="&cracklib-download-http;"/></para>
      </listitem>
      <listitem>
        <para>Download (FTP): <ulink url="&cracklib-download-ftp;"/></para>
      </listitem>
      <listitem>
        <para>Download MD5 sum: &cracklib-http-md5sum;</para>
      </listitem>
      <listitem>
        <para>Download size: &cracklib-size;</para>
      </listitem>
      <listitem>
        <para>Estimated disk space required: &cracklib-buildsize;</para>
      </listitem>
      <listitem>
        <para>Estimated build time: &cracklib-time;</para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">Additional Downloads</bridgehead>
    <itemizedlist spacing='compact'>
      <listitem>
        <para>Recommended word list for English-speaking countries (size:
        &crackdict-size;; md5sum: &crackdict-md5sum;):
        <ulink url="&crackdict-download;"/></para>
      </listitem>
      <listitem>
        <para>Required patch to create a library used with the Heimdal
        Kerberos 5 package: <ulink
        url="&patch-root;/cracklib-&cracklib-version;-heimdal-1.patch"/></para>
      </listitem>
    </itemizedlist>

    <para>There are additional word lists available for download, e.g., from
    <ulink url="http://www.cotse.com/tools/wordlists.htm"/>.
    <application>CrackLib</application> can utilize as many, or as few word
    lists you choose to install.</para>

    <important>
      <para>Users tend to base their passwords on regular words of the spoken
      language, and crackers know that. <application>CrackLib</application> is
      intended to filter out such bad passwords at the source using a
      dictionary created from word lists. To accomplish this, the word list(s)
      for use with <application>CrackLib</application> must be an exhaustive
      list of words and word-based keystroke combinations likely to be chosen
      by users of the system as (guessable) passwords.</para>

      <para>The default word list recommended above for downloading mostly
      satisfies this role in English-speaking countries. In other situations,
      it may be necessary to download (or even create) additional word
      lists.</para>

      <para>Note that word lists suitable for spell-checking are not usable
      as <application>CrackLib</application> word lists in countries with
      non-Latin based alphabets, because of <quote>word-based keystroke
      combinations</quote> that make bad passwords.</para>
    </important>

    <bridgehead renderas="sect3">CrackLib Dependencies</bridgehead>

    <bridgehead renderas="sect4">Optional</bridgehead>
    <para role="optional"><xref linkend="python"/></para>

    <para condition="html" role="usernotes">User Notes:
    <ulink url="&blfs-wiki;/cracklib"/></para>

  </sect2>

  <sect2 role="installation">
    <title>Installation of CrackLib</title>

    <para>If desired, apply the <application>Heimdal</application> patch
    (note that with this patch the original library is not affected; this patch
    only creates an additional library used by the
    <application>Heimdal</application> password-checking routines):</para>

<screen><userinput>patch -Np1 -i ../cracklib-&cracklib-version;-heimdal-1.patch</userinput></screen>

    <para>Install <application>CrackLib</application> by running the following
    commands:</para>

<screen><userinput>./configure --prefix=/usr \
            --with-default-dict=/lib/cracklib/pw_dict &amp;&amp;
make</userinput></screen>

    <para>Now, as the <systemitem class="username">root</systemitem> user:</para>

<screen role="root"><userinput>make install &amp;&amp;
mv -v /usr/lib/libcrack.so.2* /lib &amp;&amp;
ln -v -sf ../../lib/libcrack.so.2.8.0 /usr/lib/libcrack.so</userinput></screen>

    <para>Issue the following commands as the
    <systemitem class="username">root</systemitem> user to install the
    recommended word list and create the <application>CrackLib</application>
    dictionary. Other word lists (text based, one word per line) can also be
    used by simply installing them into
    <filename class='directory'>/usr/share/dict</filename> and adding them
    to the <command>create-cracklib-dict</command> command.</para>

<screen role="root"><userinput>install -v -m644 -D ../cracklib-words.gz \
    /usr/share/dict/cracklib-words.gz &amp;&amp;
gunzip -v /usr/share/dict/cracklib-words.gz &amp;&amp;
ln -v -s cracklib-words /usr/share/dict/words &amp;&amp;
echo $(hostname) >>/usr/share/dict/cracklib-extra-words &amp;&amp;
install -v -m755 -d /lib/cracklib &amp;&amp;
create-cracklib-dict /usr/share/dict/cracklib-words \
                     /usr/share/dict/cracklib-extra-words</userinput></screen>

    <para>If desired, check the proper operation of the library as an
    unprivileged user using the tests included with the package:</para>

<screen><userinput>make test</userinput></screen>

    <important>
      <para>If you are installing <application>CrackLib</application> after
      your LFS system has been completed and you have the
      <application>Shadow</application> package installed, you must
      reinstall <xref linkend="shadow"/> if you wish to provide strong
      password support on your system. If you are now going to install the
      <xref linkend="linux-pam"/> package, you may disregard this note as
      <application>Shadow</application> will be reinstalled after the
      <application>Linux-PAM</application> installation.</para>
    </important>

  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

    <para><parameter>--with-default-dict=/lib/cracklib/pw_dict</parameter>:
    This parameter forces the installation of the
    <application>CrackLib</application> dictionary to the
    <filename class='directory'>/lib</filename> hierarchy.</para>

    <para><command>mv -v /usr/lib/libcrack.so.2* /lib</command> and
    <command>ln -v -sf ../../lib/libcrack.so.2.8.0 ...</command>: These two
    commands move the <filename class='libraryfile'>libcrack.so.2.8.0</filename>
    library and associated symlink from
    <filename class='directory'>/usr/lib</filename> to
    <filename class='directory'>/lib</filename>, then recreates the
    <filename class='symlink'>/usr/lib/libcrack.so</filename> symlink pointing
    to the relocated file.</para>

    <para><command>install -v -m644 -D ...</command>: This command creates the
    <filename class='directory'>/usr/share/dict</filename> directory (if it
    doesn't already exist) and installs the compressed word list there.</para>

    <para><command>ln -v -s cracklib-words /usr/share/dict/words</command>: The
    word list is linked to <filename>/usr/share/dict/words</filename> as
    historically, <filename>words</filename> is the primary word list in the
    <filename class="directory">/usr/share/dict</filename> directory. Omit this
    command if you already have a <filename>/usr/share/dict/words</filename>
    file installed on your system.</para>

    <para><command>echo $(hostname) >>...</command>: The value of
    <command>hostname</command> is echoed to a file called
    <filename>cracklib-extra-words</filename>. This extra file is intended to be
    a site specific list which includes easy to guess passwords such as company
    or department names, user's names, product names, computer names, domain
    names, etc.</para>

    <para><command>create-cracklib-dict ...</command>: This command creates the
    <application>CrackLib</application> dictionary from the word lists. Modify
    the command to add any additional word lists you have installed.</para>

  </sect2>

  <sect2 role="content">
    <title>Contents</title>

    <segmentedlist>
      <segtitle>Installed Programs</segtitle>
      <segtitle>Installed Libraries</segtitle>
      <segtitle>Installed Directories</segtitle>

      <seglistitem>
        <seg>cracklib-check, cracklib-format, cracklib-packer,
        cracklib-unpacker and create-cracklib-dict</seg>
        <seg>libcrack.{so,a} and optionally, libcrack_heimdal.{so,a} and
        cracklibmodule.{so,a} <application>Python</application> module</seg>
        <seg>/lib/cracklib, /usr/share/dict and /usr/share/cracklib</seg>
      </seglistitem>
    </segmentedlist>

    <variablelist>
      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
      <?dbfo list-presentation="list"?>
      <?dbhtml list-presentation="table"?>

      <varlistentry id="create-cracklib-dict">
        <term><filename>create-cracklib-dict</filename></term>
        <listitem>
          <para>is used to create the <application>CrackLib</application>
          dictionary from the given word list(s).</para>
          <indexterm zone="cracklib create-cracklib-dict">
            <primary sortas="b-create-cracklib-dict">create-cracklib-dict</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="libcrack">
        <term><filename class='libraryfile'>libcrack.{so,a}</filename></term>
        <listitem>
          <para>provides a fast dictionary lookup method for strong
          password enforcement.</para>
          <indexterm zone="cracklib libcrack">
            <primary sortas="c-libcrack">libcrack.{so,a}</primary>
          </indexterm>
        </listitem>
      </varlistentry>

    </variablelist>

  </sect2>

</sect1>