Introduction to CrackLib
The CrackLib package contains a
library used to enforce strong passwords by comparing user selected
passwords to words in chosen word lists.
Note
Development versions of BLFS may not build or run some packages
properly if LFS or dependencies have been updated since the most
recent stable versions of the books.
Package Information
Additional Downloads
Recommended word list for English-speaking countries:
There are additional word lists available for download, e.g., from
https://wiki.skullsecurity.org/index.php/Passwords.
CrackLib can utilize as many, or
as few word lists you choose to install.
Important
Users tend to base their passwords on regular words of the spoken
language, and crackers know that. CrackLib is intended to filter out such bad
passwords at the source using a dictionary created from word
lists. To accomplish this, the word list(s) for use with
CrackLib must be an exhaustive
list of words and word-based keystroke combinations likely to be
chosen by users of the system as (guessable) passwords.
The default word list recommended above for downloading mostly
satisfies this role in English-speaking countries. In other
situations, it may be necessary to download (or even create)
additional word lists.
Note that word lists suitable for spell-checking are not usable
as CrackLib word lists in
countries with non-Latin based alphabets, because of “word-based keystroke
combinations” that make bad passwords.
Installation of CrackLib
Install CrackLib by running the
following commands:
autoreconf &&
CPPFLAGS+=' -I /usr/include/python3.13' \
./configure --prefix=/usr \
--disable-static \
--with-default-dict=/usr/lib/cracklib/pw_dict &&
sed -e 's/makeSuite/TestLoader().loadTestsFromTestCase/' \
-i ./python/test_cracklib.py &&
make
Now, as the root
user:
make install
Issue the following commands as the root
user to install the recommended word list
and create the CrackLib
dictionary. Other word lists (text based, one word per line) can
also be used by simply installing them into /usr/share/dict
and adding them to the
create-cracklib-dict
command.
install -v -m644 -D ../cracklib-words-2.10.2.xz \
/usr/share/dict/cracklib-words.xz &&
unxz -v /usr/share/dict/cracklib-words.xz &&
ln -v -sf cracklib-words /usr/share/dict/words &&
echo $(hostname) >> /usr/share/dict/cracklib-extra-words &&
install -v -m755 -d /usr/lib/cracklib &&
create-cracklib-dict /usr/share/dict/cracklib-words \
/usr/share/dict/cracklib-extra-words
If desired, check the proper operation of the library as an
unprivileged user by issuing the following command:
make test
If desired, test the Python module with:
python3 -c 'import cracklib; cracklib.test()'
Important
If you are installing CrackLib
after your LFS system has been completed and you have the
Shadow package installed, you
must reinstall Shadow-4.16.0 if you wish to provide strong
password support on your system. If you are now going to install
the Linux-PAM-1.7.0 package, you may disregard
this note as Shadow will be
reinstalled after the Linux-PAM
installation.
Command Explanations
autoreconf: This
command resets the configuration to recognize Python-3.13.
CPPFLAGS+=' -I /usr/include/python3.13'
:
This environment variable is needed to allow the package to find
the Python-3.13 include files.
--with-default-dict=/usr/lib/cracklib/pw_dict
:
This parameter forces the installation of the CrackLib dictionary to the /lib
hierarchy.
--disable-static
: This
switch prevents installation of static versions of the libraries.
sed ...
./python/test_cracklib.py: This command updates the
build procedure for the Python module for Python-3.13 and later..
install -v -m644 -D
...: This command creates the /usr/share/dict
directory (if it doesn't already
exist) and installs the compressed word list there.
ln -v -s cracklib-words
/usr/share/dict/words: The word list is linked to
/usr/share/dict/words
as
historically, words
is the primary
word list in the /usr/share/dict
directory. Omit this command if you already have a /usr/share/dict/words
file installed on your
system.
echo $(hostname)
>>...: The value of hostname is echoed to a file
called cracklib-extra-words
. This
extra file is intended to be a site specific list which includes
easy to guess passwords such as company or department names, user
names, product names, computer names, domain names, etc.
create-cracklib-dict
...: This command creates the CrackLib dictionary from the word lists.
Modify the command to add any additional word lists you have
installed.