source: postlfs/security/cracklib.xml@ 1976445

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
   "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY cracklib-download-http "http://prdownloads.sourceforge.net/cracklib/cracklib-&cracklib-version;.tar.gz">
  <!ENTITY cracklib-download-ftp  " ">
  <!ENTITY cracklib-http-md5sum   "3cef136fe33fc40c57f7514d9aa90c51">
  <!ENTITY cracklib-size          "574 KB">
  <!ENTITY cracklib-buildsize     "28.7 MB (without Python bindings)">
  <!ENTITY cracklib-time          "0.1 SBU">
  <!ENTITY crackdict-download     "http://prdownloads.sourceforge.net/cracklib/cracklib-words.gz">
  <!ENTITY crackdict-size         "4.4 MB">
  <!ENTITY crackdict-md5sum       "d18e670e5df560a8745e1b4dede8f84f">
]>

<sect1 id="cracklib" xreflabel="CrackLib-&cracklib-version;">
  <?dbhtml filename="cracklib.html"?>

  <sect1info>
    <othername>$LastChangedBy$</othername>
    <date>$Date$</date>
  </sect1info>

  <title>CrackLib-&cracklib-version;</title>

  <indexterm zone="cracklib">
    <primary sortas="a-CrackLib">CrackLib</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to CrackLib</title>

    <para>The <application>CrackLib</application> package contains a
    library used to enforce strong passwords by comparing user selected
    passwords to words in chosen word lists.</para>

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>Download (HTTP): <ulink url="&cracklib-download-http;"/></para>
      </listitem>
      <listitem>
        <para>Download (FTP): <ulink url="&cracklib-download-ftp;"/></para>
      </listitem>
      <listitem>
        <para>Download MD5 sum: &cracklib-http-md5sum;</para>
      </listitem>
      <listitem>
        <para>Download size: &cracklib-size;</para>
      </listitem>
      <listitem>
        <para>Estimated disk space required: &cracklib-buildsize;</para>
      </listitem>
      <listitem>
        <para>Estimated build time: &cracklib-time;</para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">Additional Downloads</bridgehead>
    <itemizedlist spacing='compact'>
      <listitem>
        <para>Recommended word list for English-speaking countries (size:
        &crackdict-size;; md5sum: &crackdict-md5sum;):
        <ulink url="&crackdict-download;"/></para>
      </listitem>
      <listitem>
        <para>Required patch to create a library used with the Heimdal
        Kerberos 5 package: <ulink
        url="&patch-root;/cracklib-&cracklib-version;-heimdal-1.patch"/></para>
      </listitem>
    </itemizedlist>

    <para>There are additional word lists available for download, e.g., from
    <ulink url="http://www.cotse.com/tools/wordlists.htm"/>.
    <application>CrackLib</application> can utilize as many, or as few word
    lists you choose to install.</para>

    <important>
      <para>Users tend to base their passwords on regular words of the spoken
      language, and crackers know that. <application>CrackLib</application> is
      intended to filter out such bad passwords at the source using a
      dictionary created from word lists. To accomplish this, the word list(s)
      for use with <application>CrackLib</application> must be an exhaustive
      list of words and word-based keystroke combinations likely to be chosen
      by users of the system as (guessable) passwords.</para>

      <para>The default word list recommended above for downloading mostly
      satisfies this role in English-speaking countries. In other situations,
      it may be necessary to download (or even create) additional word
      lists.</para>

      <para>Note that word lists suitable for spell-checking are not usable
      as <application>CrackLib</application> word lists in countries with
      non-Latin based alphabets, because of <quote>word-based keystroke
      combinations</quote> that make bad passwords.</para>
    </important>

    <bridgehead renderas="sect3">CrackLib Dependencies</bridgehead>
    
    <bridgehead renderas="sect4">Optional</bridgehead>
    <para><xref linkend="python"/></para>

  </sect2>

  <sect2 role="installation">
    <title>Installation of CrackLib</title>

    <para>If desired, apply the <application>Heimdal</application> patch
    (note that with this patch the original library is not affected; this patch
    only creates an additional library used by the
    <application>Heimdal</application> password-checking routines):</para>

<screen><userinput>patch -Np1 -i ../cracklib-&cracklib-version;-heimdal-1.patch</userinput></screen>

    <para>Install <application>CrackLib</application> by running the following
    commands:</para>

<screen><userinput>./configure --prefix=/usr \
            --with-default-dict=/lib/cracklib/pw_dict &amp;&amp;
make</userinput></screen>

    <para>Now, as the <systemitem class="username">root</systemitem> user:</para>

<screen role="root"><userinput>make install &amp;&amp;
mv -v /usr/lib/libcrack.so.2* /lib &amp;&amp;
ln -v -sf ../../lib/libcrack.so.2.8.0 /usr/lib/libcrack.so</userinput></screen>

    <para>Issue the following commands as the
    <systemitem class="username">root</systemitem> user to install the
    recommended word list and create the <application>CrackLib</application>
    dictionary. Other word lists (text based, one word per line) can also be
    used by simply installing them into
    <filename class='directory'>/usr/share/dict</filename> and adding them
    to the <command>create-cracklib-dict</command> command.</para>

<screen role="root"><userinput>install -v -m644 -D ../cracklib-words.gz \
    /usr/share/dict/cracklib-words.gz &amp;&amp;
gunzip -v /usr/share/dict/cracklib-words.gz &amp;&amp;
ln -v -s cracklib-words /usr/share/dict/words &amp;&amp;
echo $(hostname) >>/usr/share/dict/cracklib-extra-words &amp;&amp;
install -v -m755 -d /lib/cracklib &amp;&amp;
create-cracklib-dict /usr/share/dict/cracklib-words \
                     /usr/share/dict/cracklib-extra-words</userinput></screen>

    <para>If desired, check the proper operation of the library as an
    unprivileged user using the tests included with the package:</para>

<screen><userinput>make test</userinput></screen>

  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

    <para><parameter>--with-default-dict=/lib/cracklib/pw_dict</parameter>:
    This parameter forces the installation of the
    <application>CrackLib</application> dictionary to the
    <filename class='directory'>/lib</filename> hierarchy.</para>

    <para><command>mv -v /usr/lib/libcrack.so.2* /lib</command> and
    <command>ln -v -sf ../../lib/libcrack.so.2.8.0 ...</command>: These two
    commands move the <filename class='libraryfile'>libcrack.so.2.8.0</filename>
    library and associated symlink from
    <filename class='directory'>/usr/lib</filename> to
    <filename class='directory'>/lib</filename>, then recreates the
    <filename class='symlink'>/usr/lib/libcrack.so</filename> symlink pointing
    to the relocated file.</para>

    <para><command>install -v -m644 -D ...</command>: This command creates the
    <filename class='directory'>/usr/share/dict</filename> directory (if it
    doesn't already exist) and installs the compressed word list there.</para>

    <para><command>ln -v -s cracklib-words /usr/share/dict/words</command>: The
    word list is linked to <filename>/usr/share/dict/words</filename> as
    historically, <filename>words</filename> is the primary word list in the
    <filename class="directory">/usr/share/dict</filename> directory. Omit this
    command if you already have a <filename>/usr/share/dict/words</filename>
    file installed on your system.</para>

    <para><command>echo $(hostname) >>...</command>: The value of
    <command>hostname</command> is echoed to a file called
    <filename>cracklib-extra-words</filename>. This extra file is intended to be
    a site specific list which includes easy to guess passwords such as company
    or department names, user's names, product names, computer names, domain
    names, etc.</para>

    <para><command>create-cracklib-dict ...</command>: This command creates the
    <application>CrackLib</application> dictionary from the word lists. Modify
    the command to add any additional word lists you have installed.</para>

  </sect2>

  <sect2 role="content">
    <title>Contents</title>

    <segmentedlist>
      <segtitle>Installed Programs</segtitle>
      <segtitle>Installed Libraries</segtitle>
      <segtitle>Installed Directories</segtitle>

      <seglistitem>
        <seg>cracklib-check, cracklib-format, cracklib-packer,
        cracklib-unpacker and create-cracklib-dict</seg>
        <seg>libcrack.[so,a] and optionally, libcrack_heimdal.[so,a] and
        cracklibmodule.[so,a] <application>Python</application> module</seg>
        <seg>/lib/cracklib, /usr/share/dict and /usr/share/cracklib</seg>
      </seglistitem>
    </segmentedlist>

    <variablelist>
      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
      <?dbfo list-presentation="list"?>
      <?dbhtml list-presentation="table"?>

      <varlistentry id="create-cracklib-dict">
        <term><filename>create-cracklib-dict</filename></term>
        <listitem>
          <para>is used to create the <application>CrackLib</application>
          dictionary from the given word list(s).</para>
          <indexterm zone="cracklib create-cracklib-dict">
            <primary sortas="b-create-cracklib-dict">create-cracklib-dict</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="libcrack">
        <term><filename class='libraryfile'>libcrack.[so,a]</filename></term>
        <listitem>
          <para>provides a fast dictionary lookup method for strong
          password enforcement.</para>
          <indexterm zone="cracklib libcrack">
            <primary sortas="c-libcrack">libcrack.[so,a]</primary>
          </indexterm>
        </listitem>
      </varlistentry>

    </variablelist>

  </sect2>

</sect1>