authorTomas Mraz <tmraz@redhat.com>2015-07-16 13:57:57 +0200
committerTomas Mraz <tmraz@redhat.com>2015-07-16 13:57:57 +0200
commit81cd3fc9c56e5fa8dcc258aac8f1a84dd287b4fa (patch)
treebf54f557c72e18bf59a7ecab12ef15f39c6c1180
parentb0810b9b2555fcf4870420688da8878260c0261c (diff)
downloadlibpwquality-81cd3fc9c56e5fa8dcc258aac8f1a84dd287b4fa.tar.gz
Make the cracklib check optional - on by default.
-rw-r--r--doc/man/pam_pwquality.810
-rw-r--r--doc/man/pwquality.conf.57
-rw-r--r--python/pwquality.c5
-rw-r--r--src/check.c16
-rw-r--r--src/pwqprivate.h2
-rw-r--r--src/pwquality.h1
-rw-r--r--src/settings.c12
7 files changed, 44 insertions, 9 deletions
diff --git a/doc/man/pam_pwquality.8 b/doc/man/pam_pwquality.8
index b1f35e3..31ab6d4 100644
--- a/doc/man/pam_pwquality.8
+++ b/doc/man/pam_pwquality.8
@@ -250,6 +250,16 @@ field of the user are contained in the new password\&.
The default is 0 which means that this check is disabled\&.
.RE
.PP
+\fBdictcheck=\fR\fB\fIN\fR\fR
+.RS 4
+If nonzero, check whether the password (with possible modifications)
+matches a word in a dictionary\&. Currently the dictionary check is performed
+using the
+\fBcracklib\fR
+library\&.
+The default is 1 which means that this check is enabled\&.
+.RE
+.PP
\fBbadwords=\fR\fB\fI<list of words>\fR\fR
.RS 4
The words more than 3 characters long from this space separated list are
diff --git a/doc/man/pwquality.conf.5 b/doc/man/pwquality.conf.5
index a2d2d70..7315e1c 100644
--- a/doc/man/pwquality.conf.5
+++ b/doc/man/pwquality.conf.5
@@ -99,6 +99,13 @@ field of the user's passwd entry are contained in the new password.
The check is disabled if the value is 0. (default 0)
.RE
.PP
+\fBdictcheck\fR
+.RS 4
+If nonzero, check whether the password (with possible modifications)
+matches a word in a dictionary. Currently the dictionary check is performed
+using the cracklib library. (default 1)
+.RE
+.PP
\fBbadwords\fR
.RS 4
Space separated list of words that must not be contained in the password. These
diff --git a/python/pwquality.c b/python/pwquality.c
index fdf24f8..dfe72af 100644
--- a/python/pwquality.c
+++ b/python/pwquality.c
@@ -126,6 +126,11 @@ static PyGetSetDef pwqsettings_getseters[] = {
"Match words from the passwd GECOS field if available",
(void *)PWQ_SETTING_GECOS_CHECK
},
+ { "dictcheck",
+ (getter)pwqsettings_getint, (setter)pwqsettings_setint,
+ "Perform the dictionary check",
+ (void *)PWQ_SETTING_DICT_CHECK
+ },
{ "badwords",
(getter)pwqsettings_getstr, (setter)pwqsettings_setstr,
"List of words more than 3 characters long that are forbidden",
diff --git a/src/check.c b/src/check.c
index 8b59f2f..d1c59b7 100644
--- a/src/check.c
+++ b/src/check.c
@@ -669,11 +669,13 @@ pwquality_check(pwquality_settings_t *pwq, const char *password,
if (score != 0)
return score;
- msg = FascistCheck(password, pwq->dict_path);
- if (msg) {
- if (auxerror)
- *auxerror = (void *)msg;
- return PWQ_ERROR_CRACKLIB_CHECK;
+ if (pwq->dict_check) {
+ msg = FascistCheck(password, pwq->dict_path);
+ if (msg) {
+ if (auxerror)
+ *auxerror = (void *)msg;
+ return PWQ_ERROR_CRACKLIB_CHECK;
+ }
}
score = password_score(pwq, password);
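Review bot: When `pwq->dict_check` is 0, the `FascistCheck()` call is skipped silently and the password goes straight to `password_score()`, so `PWQ_ERROR_CRACKLIB_CHECK` can no longer be returned for a dictionary word. A comment at the new `if` would make that policy consequence visible to anyone auditing why a weak password was accepted, for example `/* dictcheck=0 disables the cracklib dictionary test entirely; only the checks above and the scoring below still apply */`. The hunk does not show how much of the dictionary coverage the earlier checks (the `score != 0` return) retain, and the body of pwquality_check starts and ends outside it.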
@@ -684,8 +686,8 @@ pwquality_check(pwquality_settings_t *pwq, const char *password,
/*
* Copyright (c) Cristian Gafton <gafton@redhat.com>, 1996.
* All rights reserved
- * Copyright (c) Red Hat, Inc, 2011
- * Copyright (c) Tomas Mraz <tm@t8m.info>, 2011
+ * Copyright (c) Red Hat, Inc, 2011, 2015
+ * Copyright (c) Tomas Mraz <tm@t8m.info>, 2011, 2015
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
diff --git a/src/pwqprivate.h b/src/pwqprivate.h
index 692fae6..6b0e9e2 100644
--- a/src/pwqprivate.h
+++ b/src/pwqprivate.h
@@ -24,6 +24,7 @@ struct pwquality_settings {
int max_class_repeat;
int max_sequence;
int gecos_check;
+ int dict_check;
char *bad_words;
char *dict_path;
};
@@ -40,6 +41,7 @@ struct setting_mapping {
#define PWQ_DEFAULT_UP_CREDIT 0
#define PWQ_DEFAULT_LOW_CREDIT 0
#define PWQ_DEFAULT_OTH_CREDIT 0
+#define PWQ_DEFAULT_DICT_CHECK 1
#define PWQ_TYPE_INT 1
#define PWQ_TYPE_STR 2
diff --git a/src/pwquality.h b/src/pwquality.h
index 698351f..2f09e82 100644
--- a/src/pwquality.h
+++ b/src/pwquality.h
@@ -27,6 +27,7 @@ extern "C" {
#define PWQ_SETTING_GECOS_CHECK 12
#define PWQ_SETTING_BAD_WORDS 13
#define PWQ_SETTING_MAX_SEQUENCE 14
+#define PWQ_SETTING_DICT_CHECK 15
#define PWQ_MAX_ENTROPY_BITS 256
#define PWQ_MIN_ENTROPY_BITS 56
diff --git a/src/settings.c b/src/settings.c
index 6c242e8..655f262 100644
--- a/src/settings.c
+++ b/src/settings.c
@@ -32,6 +32,7 @@ pwquality_default_settings(void)
pwq->up_credit = PWQ_DEFAULT_UP_CREDIT;
pwq->low_credit = PWQ_DEFAULT_LOW_CREDIT;
pwq->oth_credit = PWQ_DEFAULT_OTH_CREDIT;
+ pwq->dict_check = PWQ_DEFAULT_DICT_CHECK;
return pwq;
}
@@ -59,6 +60,7 @@ static const struct setting_mapping s_map[] = {
{ "maxclassrepeat", PWQ_SETTING_MAX_CLASS_REPEAT, PWQ_TYPE_INT},
{ "maxsequence", PWQ_SETTING_MAX_SEQUENCE, PWQ_TYPE_INT},
{ "gecoscheck", PWQ_SETTING_GECOS_CHECK, PWQ_TYPE_INT},
+ { "dictcheck", PWQ_SETTING_DICT_CHECK, PWQ_TYPE_INT},
{ "badwords", PWQ_SETTING_BAD_WORDS, PWQ_TYPE_STR},
{ "dictpath", PWQ_SETTING_DICT_PATH, PWQ_TYPE_STR}
};
@@ -252,6 +254,9 @@ pwquality_set_int_value(pwquality_settings_t *pwq, int setting, int value)
case PWQ_SETTING_GECOS_CHECK:
pwq->gecos_check = value;
break;
+ case PWQ_SETTING_DICT_CHECK:
+ pwq->dict_check = value;
+ break;
default:
return PWQ_ERROR_NON_INT_SETTING;
}
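Review bot: The new `PWQ_SETTING_DICT_CHECK` case stores `value` unchanged, so any nonzero integer, including a negative one, enables the dictionary check, because src/check.c tests `if (pwq->dict_check)`. That matches the man page wording "If nonzero", but the setting is a security switch, and a short comment such as `/* boolean: 0 disables the cracklib check, any other value enables it */` would stop a caller from assuming a 0/1 range or a level. The same applies to the matching case in pwquality_get_int_value, which returns the stored value as is. The switch and the function body continue outside the hunk.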
@@ -326,6 +331,9 @@ pwquality_get_int_value(pwquality_settings_t *pwq, int setting, int *value)
case PWQ_SETTING_GECOS_CHECK:
*value = pwq->gecos_check;
break;
+ case PWQ_SETTING_DICT_CHECK:
+ *value = pwq->dict_check;
+ break;
default:
return PWQ_ERROR_NON_INT_SETTING;
}
@@ -350,8 +358,8 @@ pwquality_get_str_value(pwquality_settings_t *pwq, int setting, const char **val
}
/*
- * Copyright (c) Red Hat, Inc, 2011
- * Copyright (c) Tomas Mraz <tm@t8m.info>, 2011
+ * Copyright (c) Red Hat, Inc, 2011, 2015
+ * Copyright (c) Tomas Mraz <tm@t8m.info>, 2011, 2015
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions