Introduction to CrackLib
2013-09-11 The CrackLib package contains a library used to enforce strong passwords by comparing user selected passwords to words in chosen word lists.
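1. When setting a password, the system may respond: It's bad password! It's way too short! Where are these bad passwords stored?
2. /usr/lib/cracklib_dict.pwd, the password dictionary
Linux systems have a dictionary file called /usr/lib/cracklib_dict.pwd. If you use a string recorded in this file as your password, the system will warn that the password is too simple!
3. Related URLs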
http://www.linuxfromscratch.org/blfs/view/stable/postlfs/cracklib.html
http://downloads.sourceforge.net/cracklib/cracklib-words-20080203.gz
http://downloads.sourceforge.net/cracklib/cracklib-2.8.12.tar.gz
4. Installation
#####################################################################################
./configure --prefix=/usr \
            --with-default-dict=/lib/cracklib/pw_dict &&
make
make install &&
mv -v /usr/lib/libcrack.so.2* /lib &&
ln -v -sf ../../lib/libcrack.so.2.8.0 /usr/lib/libcrack.so
install -v -m644 -D ../cracklib-words-20080203.gz \
                    /usr/share/dict/cracklib-words.gz &&
gunzip -v /usr/share/dict/cracklib-words.gz &&
ln -v -s cracklib-words /usr/share/dict/words &&
echo $(hostname) >>/usr/share/dict/cracklib-extra-words &&
install -v -m755 -d /lib/cracklib &&
create-cracklib-dict /usr/share/dict/cracklib-words \
                     /usr/share/dict/cracklib-extra-words
create-cracklib-dict: This command creates the CrackLib dictionary from the word lists. Modify the command to add any additional word lists you have installed.
#####################################################################################
5. strings /usr/lib/cracklib_dict.pwd >> passwd.txt extracts the passwords
6. gzip -d cracklib-2.8.12.tar.gz
grep password cracklib-words-20080203
john -w:cracklib-words-20080203 a.txt
7. How cracklib works
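#include <crack.h>    /* FascistCheck() */

#ifndef CRACKLIB_DICTPATH
#define CRACKLIB_DICTPATH "/usr/local/lib/pw_dict"
#endif
...
...
...
const char *msg;
while (1) {
    /* Prompt: "Please set a new password:" */
    passbuf = getpass("请设定新密码:");
    if (!*passbuf) {
        /* "Password change cancelled, keeping the old password" */
        (void)printf("密码设定取消, 继续使用旧密码\n");
        break;
    }
    /* Reject passwords of 4 characters or fewer, or equal to the user id */
    if (strlen(passbuf) <= 4 || !strcmp(passbuf, newuser.userid)) {
        /* "Password too short or same as the user id, please re-enter" */
        (void)printf("密码太短或与使用者代号相同, 请重新输入\n ");
        continue;
    }
    /* FascistCheck() returns NULL if the password is acceptable,
       otherwise a message describing why it was rejected */
    if ((msg = FascistCheck(passbuf, CRACKLIB_DICTPATH)) != NULL) {
        /* "Please choose another password! (reason)" */
        printf("请另选密码! (%s)\n", msg);
        continue;
    }
    strncpy(newuser.passwd, passbuf, PASSLEN);
    /* Prompt: "Please enter your password again" */
    passbuf = getpass("请再输入一次你的密码");
    if (strncmp(passbuf, newuser.passwd, PASSLEN) != 0) {
        /* "Passwords do not match, please enter the password again." */
        (void)printf("密码输入错误, 请重新输入密码.\n");
        continue;
    }
    passbuf[8] = '\0';    /* only the first 8 characters are kept */
    break;
}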
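
The checks in the loop above, pulled into one testable function, as an added example (not code from the original post or from CrackLib). dict_hit() is a hypothetical stand-in for FascistCheck() that uses a small constructed word list. The function also checks the 8-character prefix left by passbuf[8] = '\0', because a long password that passes the dictionary check can still be stored as a plain dictionary word.

```c
/* Added example: dict_hit() is a hypothetical stand-in for FascistCheck();
 * WORDS is a constructed sample list, not the real CrackLib dictionary. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STORED_LEN 8  /* the loop above keeps only passbuf[0..7] */
static const char *WORDS[] = { "dragon", "letmein", "password", "qwerty" }; /* sorted */

static int cmp(const void *k, const void *e) {
    return strcmp((const char *)k, *(const char *const *)e);
}

/* Case-insensitive lookup of s, and of s reversed, in the word list. */
static int dict_hit(const char *s) {
    char fwd[64], rev[64];
    size_t n = strlen(s), i, cnt = sizeof WORDS / sizeof WORDS[0];
    if (n == 0 || n >= sizeof fwd) return 0;
    for (i = 0; i < n; i++) {
        fwd[i] = (char)tolower((unsigned char)s[i]);
        rev[n - 1 - i] = fwd[i];
    }
    fwd[n] = rev[n] = '\0';
    return bsearch(fwd, WORDS, cnt, sizeof WORDS[0], cmp) != NULL
        || bsearch(rev, WORDS, cnt, sizeof WORDS[0], cmp) != NULL;
}

/* Returns NULL if acceptable, otherwise the reason for rejection. */
const char *check_password(const char *pw, const char *userid) {
    char stored[STORED_LEN + 1];
    if (strlen(pw) <= 4)         return "too short";
    if (strcmp(pw, userid) == 0) return "same as user id";
    if (dict_hit(pw))            return "dictionary word";
    /* Also check the prefix that is actually stored after truncation. */
    snprintf(stored, sizeof stored, "%s", pw);
    if (dict_hit(stored))        return "dictionary word after truncation";
    return NULL;
}

int main(void) {
    const char *t[] = { "abc", "alice", "PassWord", "nogard",
                        "password2013!", "tr4il-Mix7" };  /* constructed */
    for (size_t i = 0; i < sizeof t / sizeof t[0]; i++) {
        const char *m = check_password(t[i], "alice");
        printf("%-14s -> %s\n", t[i], m ? m : "ok");
    }
    return 0;
}
```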