Participants
Peter Eisentraut
Peter Eisentraut
Daniel Gustafsson
Daniel Gustafsson
Laurenz Albe
Laurenz Albe
Attachments
Thread Outline
#1Peter EisentrautPeter Eisentraut
Aug 25, 2020
#2Daniel GustafssonDaniel Gustafssonto Peter Eisentraut (#1)
Aug 25, 2020
#3Laurenz AlbeLaurenz Albeto Daniel Gustafsson (#2)
Aug 25, 2020
#4Peter EisentrautPeter Eisentrautto Laurenz Albe (#3)
Aug 28, 2020

passwordcheck: Log cracklib diagnostics

Started by Peter Eisentrautover 5 years ago4 messages
#1Peter Eisentraut
Peter Eisentraut
peter.eisentraut@2ndquadrant.com
1 attachment(s)

A user tried to use the cracklib build-time option of the passwordcheck
module. This failed, as it turned out because there was no dictionary
installed in the right place, but the error was not properly reported,
because the existing code just throws away the error message from
cracklib. Attached is a patch that changes this by logging any error
message returned from the cracklib call.

--
Peter Eisentraut http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services

Attachments:

0001-passwordcheck-Log-cracklib-diagnostics.patchtext/plain; charset=UTF-8; name=0001-passwordcheck-Log-cracklib-diagnostics.patch; x-mac-creator=0; x-mac-type=0Download
From 00d5c1e1a9b65339bee6449e49eab053fef2a34f Mon Sep 17 00:00:00 2001
From: Peter Eisentraut <peter@eisentraut.org>
Date: Tue, 25 Aug 2020 12:12:42 +0200
Subject: [PATCH] passwordcheck: Log cracklib diagnostics

When calling cracklib to check the password, the diagnostic from
cracklib was thrown away.  This would hide essential information such
as no dictionary being installed.  Change this to show the cracklib
error message using errdetail_log().
---
 contrib/passwordcheck/passwordcheck.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/contrib/passwordcheck/passwordcheck.c b/contrib/passwordcheck/passwordcheck.c
index d5f9d14b01..70f056232f 100644
--- a/contrib/passwordcheck/passwordcheck.c
+++ b/contrib/passwordcheck/passwordcheck.c
@@ -91,6 +91,9 @@ check_password(const char *username,
 		int			i;
 		bool		pwd_has_letter,
 					pwd_has_nonletter;
+#ifdef USE_CRACKLIB
+		const char *reason;
+#endif
 
 		/* enforce minimum length */
 		if (pwdlen < MIN_PWD_LENGTH)
@@ -125,10 +128,11 @@ check_password(const char *username,
 
 #ifdef USE_CRACKLIB
 		/* call cracklib to check password */
-		if (FascistCheck(password, CRACKLIB_DICTPATH))
+		if ((reason = FascistCheck(password, CRACKLIB_DICTPATH)))
 			ereport(ERROR,
 					(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-					 errmsg("password is easily cracked")));
+					 errmsg("password is easily cracked"),
+					 errdetail_log("cracklib diagnostic: %s", reason)));
 #endif
 	}
 
-- 
2.28.0
#2Daniel Gustafsson
Daniel Gustafsson
daniel@yesql.se
In reply to: Peter Eisentraut (#1)
1 attachment(s)
Re: passwordcheck: Log cracklib diagnostics

On 25 Aug 2020, at 12:20, Peter Eisentraut <peter.eisentraut@2ndquadrant.com> wrote:

A user tried to use the cracklib build-time option of the passwordcheck module. This failed, as it turned out because there was no dictionary installed in the right place, but the error was not properly reported, because the existing code just throws away the error message from cracklib. Attached is a patch that changes this by logging any error message returned from the cracklib call.

+1 on this, it's also in line with the example documentation from cracklib.
The returned error is potentially a bit misleading now, as it might say claim
that a strong password is easily cracked if the dictionary fails load. Given
that there is no way to distinguish between the class of returned errors it's
hard to see how we can do better though.

While poking at this, we might as well update the docs to point to the right
URL for CrackLib as it moved from Sourceforge five years ago. The attached
diff fixes that.

cheers ./daniel

Attachments:

cracklib_url.diffapplication/octet-stream; name=cracklib_url.diff; x-unix-mode=0644Download
diff --git a/doc/src/sgml/passwordcheck.sgml b/doc/src/sgml/passwordcheck.sgml
index 4128b6cc4f..0d89bb95b9 100644
--- a/doc/src/sgml/passwordcheck.sgml
+++ b/doc/src/sgml/passwordcheck.sgml
@@ -25,7 +25,7 @@
  <para>
   You can adapt this module to your needs by changing the source code.
   For example, you can use
-  <ulink url="https://sourceforge.net/projects/cracklib/">CrackLib</ulink>
+  <ulink url="https://github.com/cracklib/cracklib">CrackLib</ulink>
   to check passwords &mdash; this only requires uncommenting
   two lines in the <filename>Makefile</filename> and rebuilding the
   module.  (We cannot include <productname>CrackLib</productname>
#3Laurenz Albe
Laurenz Albe
laurenz.albe@cybertec.at
In reply to: Daniel Gustafsson (#2)
Re: passwordcheck: Log cracklib diagnostics

On Tue, 2020-08-25 at 13:48 +0200, Daniel Gustafsson wrote:

On 25 Aug 2020, at 12:20, Peter Eisentraut <peter.eisentraut@2ndquadrant.com> wrote:

A user tried to use the cracklib build-time option of the passwordcheck module. This failed, as it turned out because there was no dictionary installed in the right place, but the error was not
properly reported, because the existing code just throws away the error message from cracklib. Attached is a patch that changes this by logging any error message returned from the cracklib call.

+1 on this, it's also in line with the example documentation from cracklib.
The returned error is potentially a bit misleading now, as it might say claim
that a strong password is easily cracked if the dictionary fails load. Given
that there is no way to distinguish between the class of returned errors it's
hard to see how we can do better though.

While poking at this, we might as well update the docs to point to the right
URL for CrackLib as it moved from Sourceforge five years ago. The attached
diff fixes that.

+1 on both patches.

Yours,
Laurenz Albe

#4Peter Eisentraut
Peter Eisentraut
peter.eisentraut@2ndquadrant.com
In reply to: Laurenz Albe (#3)
Re: passwordcheck: Log cracklib diagnostics

On 2020-08-25 15:32, Laurenz Albe wrote:

On Tue, 2020-08-25 at 13:48 +0200, Daniel Gustafsson wrote:

On 25 Aug 2020, at 12:20, Peter Eisentraut <peter.eisentraut@2ndquadrant.com> wrote:

A user tried to use the cracklib build-time option of the passwordcheck module. This failed, as it turned out because there was no dictionary installed in the right place, but the error was not
properly reported, because the existing code just throws away the error message from cracklib. Attached is a patch that changes this by logging any error message returned from the cracklib call.

+1 on this, it's also in line with the example documentation from cracklib.
The returned error is potentially a bit misleading now, as it might say claim
that a strong password is easily cracked if the dictionary fails load. Given
that there is no way to distinguish between the class of returned errors it's
hard to see how we can do better though.

While poking at this, we might as well update the docs to point to the right
URL for CrackLib as it moved from Sourceforge five years ago. The attached
diff fixes that.

+1 on both patches.

Pushed both patches, thanks.

--
Peter Eisentraut http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services

← Back to Topics