Copyright © 1998, 1999 Jean Pierre LeJacq
Copyright © 2003 Martin Pitt
Copyright © 2008 Jan Dittberner
$Date: 2008-06-26 21:38:06 +0200 (Do, 26 Jun 2008) $
cracklib2 is a library containing a C function which may be used in a passwd(1)-like program. The idea is simple: try to prevent users from choosing passwords that could be guessed by crack by filtering them out, at source. cracklib2 is not a replacement passwd(1) program. cracklib2 is a library.
cracklib-runtime contains run-time support programs which use the shared library in libcrack2 including programs to build the password dictionary databases used by the functions in the shared library.
cracklib-format takes a list of text files, each containing a list of words, one per line. It lowercases all words, removes control characters, and sorts the lists. It outputs the cleaned-up list to standard output.
For more information see the manual page of cracklib-format.
cracklib-packer reads from standard input a list of sorted and cleaned words and creates a database from the result.
For more information see the manual page of cracklib-packer.
cracklib-unpacker reads from a database created by cracklib-packer and outputs on standard output the list of words that make up the database.
For more information see the manual page of cracklib-unpacker.
create-cracklib-dict takes one or more word list files as arguments and converts them into cracklib dictionaries for use by password checking programs. The results are placed in the default compiled-in dictionary location (Section 3.1).
If you wish to store the dictionary in a different location, use the cracklib-format and cracklib-packer commands directly.
cracklib-check takes a list of passwords from stdin and checks them via libcrack2's FascistCheck subroutine.
cracklib-check prints each checked password and the corresponding result of FascistCheck to stdout. The password and the result are separated by a colon.
update-cracklib uses cracklib-format and cracklib-packer to update the default cracklib dictionary. It uses the word lists configured in /etc/cracklib/cracklib.conf.
For more information see the manual page of cracklib-format.
cracklib2 uses a word database that is in a binary format generated by the utilities cracklib-format and cracklib-packer. Three files are created with the suffixes .hwm, .pwd, and .pwi. These files are not byte-order independent; in fact they are probably architecture specific, mostly due to speed constraints.
All cracklib utilities can use a dictionary database location specified as a command line argument. The utilities use a default dictionary database if nothing else is specified. On a Debian system the database is located in the directory /var/cache/cracklib/cracklib_dict and is generated daily with the program /etc/cron.daily/cracklib.
cracklib2 is only as good as the word dictionary database you create. Basically, you want to include any word that a malicious user could guess. It could include:
Names (including nicknames and user ids) of all users.
Names of pets, relatives, cars, ... of all users.
Computer, network, printer, ... names.
Insurance numbers, employee numbers, ... of users.
...
Debian provides a number of word lists that can be used as sources for creating the cracklib2 dictionary database. The package wenglish provides a standard ASCII word list that can be directly used. The package ispell also supplies a large word list but it is in binary format. I haven't figured out how to decode this binary format so that the resulting word list can be used by cracklib2.
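As an added example (not part of the cracklib packages or of the original document), the script below collects some of the site-specific words listed above from passwd(5)-format account data and packs them with cracklib-format and cracklib-packer into a dictionary at a caller-chosen location. The function names, the sample accounts and the --build option are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: site-specific word list packed into a dictionary
# outside the default location. Not code from the cracklib packages.

# Emit candidate words from passwd(5)-format lines on stdin: the login name
# and each word of the full-name part of the GECOS field. Extra names
# (hosts, printers, ...) may be passed as arguments.
site_words() {
    {
        awk -F: '$1 !~ /^#/ && NF >= 5 {
            print $1
            split($5, gecos, ",")          # full name is the first GECOS subfield
            n = split(gecos[1], part, " ")
            for (i = 1; i <= n; i++) print part[i]
        }'
        for extra in "$@"; do printf '%s\n' "$extra"; done
    } | tr '[:upper:]' '[:lower:]' | LC_ALL=C sort -u
}

# Pack one or more word list files into the dictionary prefix $1, using the
# two commands the page names for non-default locations.
build_site_dict() {
    prefix=$1; shift
    command -v cracklib-format >/dev/null 2>&1 &&
        command -v cracklib-packer >/dev/null 2>&1 || {
            echo "cracklib-runtime tools not found" >&2; return 127; }
    cracklib-format "$@" | cracklib-packer "$prefix"
}

# Constructed sample accounts (not real users).
sample_passwd() {
    cat <<'EOF'
jdoe:x:1000:1000:Jane Doe,Room 12,,:/home/jdoe:/bin/sh
rsmith:x:1001:1001:Rex Smith:/home/rsmith:/bin/sh
EOF
}

# Usage (hypothetical option): script --build PREFIX
# Writes PREFIX.words, then packs it into the dictionary files under PREFIX.
if [ "${1:-}" = "--build" ] && [ -n "${2:-}" ]; then
    sample_passwd | site_words printer01 fileserver > "$2.words"
    build_site_dict "$2" "$2.words"
fi
```

On a real system, feed site_words from the actual account database instead of sample_passwd and pass the resulting file to build_site_dict together with any general word lists.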