CrackLib-2.9.11

Introduction to CrackLib

The CrackLib package contains a library used to enforce strong passwords by comparing user-selected passwords to words in chosen word lists.

Note

Development versions of BLFS may not build or run some packages properly if LFS or dependencies have been updated since the most recent stable versions of the books.

Package Information

Additional Downloads

Recommended word list for English-speaking countries:

There are additional word lists available for download, e.g., from https://wiki.skullsecurity.org/index.php/Passwords. CrackLib can utilize as many or as few word lists as you choose to install.

Important

Users tend to base their passwords on regular words of the spoken language, and crackers know that. CrackLib is intended to filter out such bad passwords at the source using a dictionary created from word lists. To accomplish this, the word list(s) for use with CrackLib must be an exhaustive list of words and word-based keystroke combinations likely to be chosen by users of the system as (guessable) passwords.

The default word list recommended above for downloading mostly satisfies this role in English-speaking countries. In other situations, it may be necessary to download (or even create) additional word lists.

Note that word lists suitable for spell-checking are not usable as CrackLib word lists in countries with non-Latin based alphabets, because of word-based keystroke combinations that make bad passwords.

Installation of CrackLib

Install CrackLib by running the following commands:

autoreconf -fiv &&

PYTHON=python3               \
./configure --prefix=/usr    \
            --disable-static \
            --with-default-dict=/usr/lib/cracklib/pw_dict &&
make

Now, as the root user:

make install

Issue the following commands as the root user to install the recommended word list and create the CrackLib dictionary. Other word lists (text-based, one word per line) can also be used by simply installing them into /usr/share/dict and adding them to the create-cracklib-dict command.

install -v -m644 -D    ../cracklib-words-2.9.11.xz \
                         /usr/share/dict/cracklib-words.xz    &&

unxz -v                  /usr/share/dict/cracklib-words.xz    &&
ln -v -sf cracklib-words /usr/share/dict/words                &&
echo $(hostname) >>      /usr/share/dict/cracklib-extra-words &&
install -v -m755 -d      /usr/lib/cracklib                    &&

create-cracklib-dict     /usr/share/dict/cracklib-words \
                         /usr/share/dict/cracklib-extra-words

If desired, check the proper operation of the library as an unprivileged user by issuing the following command:

make test

Important

If you are installing CrackLib after your LFS system has been completed and you have the Shadow package installed, you must reinstall Shadow-4.14.2 if you wish to provide strong password support on your system. If you are now going to install the Linux-PAM-1.5.3 package, you may disregard this note as Shadow will be reinstalled after the Linux-PAM installation.

Command Explanations

autoreconf -fiv: The configure script shipped with the package is too old to get the right version string of Python 3.10 or later. This command regenerates it with a more recent version of autotools, which fixes the issue.

PYTHON=python3: This forces the installation of Python bindings for Python 3, even if Python 2 is installed.

--with-default-dict=/usr/lib/cracklib/pw_dict: This parameter forces the installation of the CrackLib dictionary to the /usr/lib hierarchy.

--disable-static: This switch prevents installation of static versions of the libraries.

install -v -m644 -D ...: This command creates the /usr/share/dict directory (if it doesn't already exist) and installs the compressed word list there.

ln -v -sf cracklib-words /usr/share/dict/words: The word list is linked to /usr/share/dict/words because, historically, words is the primary word list in the /usr/share/dict directory. Omit this command if you already have a /usr/share/dict/words file installed on your system.

echo $(hostname) >>...: The value of hostname is echoed to a file called cracklib-extra-words. This extra file is intended to be a site-specific list which includes easy-to-guess passwords such as company or department names, user names, product names, computer names, domain names, etc.

create-cracklib-dict ...: This command creates the CrackLib dictionary from the word lists. Modify the command to add any additional word lists you have installed.
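
One way to populate the site-specific list described above, as an added example that is not part of the BLFS instructions. The helper names site_words, merge_words and sample_passwd, and the sample passwd entries, are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example: gather site-specific words for cracklib-extra-words.
# site_words, merge_words and sample_passwd are hypothetical helper names.

# Print candidate words, lowercased and de-duplicated: the host name, each of
# its dot-separated labels, and the login and real-name parts of regular
# accounts (UID >= 1000, excluding 65534) from a passwd-format file.
site_words() {
    fqdn=$1
    passwd_file=$2
    {
        printf '%s\n' "$fqdn"
        printf '%s\n' "$fqdn" | tr '.' '\n'
        awk -F: '$3 >= 1000 && $3 != 65534 {
            print $1
            split($5, gecos, ",")            # real name is the first GECOS field
            n = split(gecos[1], parts, " ")
            for (i = 1; i <= n; i++) print parts[i]
        }' "$passwd_file"
    } | tr '[:upper:]' '[:lower:]' | grep -v '^$' | LC_ALL=C sort -u
}

# Merge words from standard input into FILE, keeping it sorted and free of
# duplicates. Writing through cat preserves the file's owner and mode.
merge_words() {
    file=$1
    tmp=$(mktemp) || return 1
    touch "$file"
    LC_ALL=C sort -u "$file" - > "$tmp" && cat "$tmp" > "$file"
    status=$?
    rm -f "$tmp"
    return $status
}

# Constructed sample entries (not taken from a real system).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:Unprivileged User:/dev/null:/bin/false
jdoe:x:1000:1000:Jane Doe,Room 4:/home/jdoe:/bin/bash
EOF
}

# As the root user, after reviewing the output of site_words:
#   site_words "$(hostname)" /etc/passwd |
#       merge_words /usr/share/dict/cracklib-extra-words
#   create-cracklib-dict /usr/share/dict/cracklib-words \
#                        /usr/share/dict/cracklib-extra-words
```

Review the generated words before merging them: the dictionary is only as useful as the site-specific terms it contains, and the dictionary must be rebuilt with create-cracklib-dict after every change to the word lists.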

Contents

Installed Programs: cracklib-check, cracklib-format, cracklib-packer, cracklib-unpacker, cracklib-update, and create-cracklib-dict
Installed Libraries: libcrack.so and the _cracklib.so (Python module)
Installed Directories: /usr/lib/cracklib, /usr/share/dict and /usr/share/cracklib

Short Descriptions

cracklib-check

is used to determine if a password is strong

cracklib-format

is used to format text files (lowercases all words, removes control characters and sorts the lists)

cracklib-packer

creates a database with words read from standard input

cracklib-unpacker

displays on standard output the database specified

create-cracklib-dict

is used to create the CrackLib dictionary from the given word list(s)

libcrack.so

provides a fast dictionary lookup method for strong password enforcement