Debian Bug report logs - #364526
debian-installer: Please implement a password-checking module


Package: user-setup; Maintainer for user-setup is Debian Install System Team <debian-boot@lists.debian.org>; Source for user-setup is src:user-setup.

Reported by: Javier Fernández-Sanguino Peña <jfs@computer.org>

Date: Mon, 24 Apr 2006 01:18:59 UTC

Severity: wishlist

Merged with 409038

Found in version user-setup/1.1



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#364526; Package debian-installer. Full text and rfc822 format available.

Acknowledgement sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
New Bug report received and forwarded. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Javier Fernández-Sanguino Peña <jfs@computer.org>
To: submit@bugs.debian.org
Subject: debian-installer: Please implement a password-checking module
Date: Mon, 24 Apr 2006 02:53:41 +0200
[Message part 1 (text/plain, inline)]
Package: debian-installer
Version: 20060304
Tags: wishlist

Currently, the debian-installer warns the user to use a "secure" password (6
chars long, with different case letters and punctuation characters) but does
not make an attempt to determine if the user is indeed using one.

Since there are many SSH brute-forcers on the Internet now constantly probing
systems, I think it's best if the d-i could warn the user when it "sees" a
user or root password that it believes is insecure.

There are two ways to do this:

- the hard way, like Owl [1], which implements a password checking module 
  (pam_passwdqc, which was written by Solar Designer) and goes even
  further by proposing random passwords if the user is unable to provide
  one.

- the simple way, see attached code, which just tries to flag vulnerable
  passwords

IMHO, the installer should:

1.- ask for a password
2.- set the password
3.- check the password
4.- if the password is not "secure" warn the user and give him the
    option to change it (go back to 1) or to proceed

Maybe the check should just be done the first time the user enters a password
in order to avoid a frustrating loop from the user's POV of: "think a password",
"got it", "damn, the system refuses it", "try think another one", "got it",
"damn! he doesn't like this one either", etc.

If this idea has merit, please say so and I will try to integrate the
attached code with user-setup's user-setup-ask (maybe through an external
script instead of rewriting it in sh?)

Regards

Javier

[1] http://www.openwall.com/Owl/
[simple-password-check.pl (text/x-perl, attachment)]
[signature.asc (application/pgp-signature, inline)]

Bug reassigned from package `debian-installer' to `user-setup'. Request was from Joey Hess <joeyh@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#364526; Package user-setup. Full text and rfc822 format available.

Acknowledgement sent to Christian Perrier <bubulle@kheops.frmug.org>:
Extra info received and forwarded to list. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>. Full text and rfc822 format available.

Message #12 received at 364526@bugs.debian.org (full text, mbox):

From: Christian Perrier <bubulle@kheops.frmug.org>
To: 364526@bugs.debian.org
Subject: Re: Bug#364526: debian-installer: Please implement a password-checking module
Date: Tue, 25 Apr 2006 01:31:39 +0200
> There are two ways to do this:
> 
> - the hard way, like Owl [1], which implements a password checking module 
>   (pam_passwdqc, which was written by Solar Designer) and goes even
>   further by proposing random passwords if the user is unable to provide
>   one.
> 
> - the simple way, see attached code, which just tries to flags vulnerable
>   passwords 


I think this is an interesting suggestion.

The only drawback I see is sounding a little bit annoying to our
users, especially the less skilled ones but, well, this is about
security and we have to use some pedagogy..:)

About the implementation, I'm not sure that I'm fond of the perl
scripting, mostly because the advantage of D-I is its easy
"hackability" for testing purposes....

I'd better see this integrated in user-setup-ask but my opinion does
not have to be the only one here....as I'm perfectly unable to do the
job, so the final decision is up to the one doing the job, I mean you,
Javier..

I prefer the "simple" method which is probably enough.

This will require writing a new template for warning users about weak
passwords. I suggest of course a boolean one, so that people who
insist on using weak passwords can do it.




Bug reassigned from package `user-setup' to `user-setup'. Request was from Frans Pop <aragorn@tiscali.nl> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#364526; Package user-setup. Full text and rfc822 format available.

Acknowledgement sent to Masami Ichikawa <masami256@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>. Full text and rfc822 format available.

Message #19 received at 364526@bugs.debian.org (full text, mbox):

From: Masami Ichikawa <masami256@gmail.com>
To: 364526@bugs.debian.org
Subject: Re: Bug#364526: debian-installer: Please implement a password-checking module
Date: Sat, 16 Jun 2007 21:41:24 +0900
[Message part 1 (text/plain, inline)]
Hello.

I wrote a password checking feature implemented as a shell script in function.sh.
I attached a patch named passwd_check.patch.

This logic checks the following:
1. The password length should be more than four.
2. The password shouldn't equal the login account.
3. The password shouldn't contain the login account.
 e.g. these passwords are not allowed for root:
      "root123"
      "123Root"
      "1ROOT23"
4. The password should contain lower case, upper case, and numbers.

I'm not sure that people want to use it,
so I set the debconf priority to low.

Cheers,
-- 
/*
 * Masami Ichikawa
 * mailto: hangar-18@mub.biglobe.ne.jp
 *       : masami256@gmail.com
 */
[passwd_check.patch (text/x-patch, inline)]
Index: functions.sh
===================================================================
--- functions.sh	(revision 47257)
+++ functions.sh	(working copy)
@@ -39,3 +39,53 @@
 
 	return 1
 }
+
+# Returns a true value if password seems to be a safety.
+chkpasswd ()
+{
+    user=$1
+    passwd=$2
+
+    user_len=`echo $user | wc -c`
+    passwd_len=`echo $passwd | wc -c`
+
+    # password length should be bigger than four.
+    if test $passwd_len -lt 5; then
+	return 0
+    fi
+
+    # password shouldn't be a login account.
+    if test "$user" = "$passwd"; then
+	return 0
+    fi
+
+    # password shouldn't contain login account.
+    ret=`echo $passwd | grep -ci $user`
+    if test $ret = 1; then
+	if test $passwd_len -ge $user_len; then 
+	    return 0
+	fi
+    fi
+
+    # The password should be this structure.
+    # 1) contain lower char and upper char
+    # 2) contain lower char and digit
+    # 3) contain upper char and digit
+    # 4) contain lower char and upper char and digit
+
+    ret=`echo $passwd | grep -c [a-z]`
+    num=$ret
+
+    ret=`echo $passwd | grep -c [A-Z]`
+    num=$(($num+$ret))
+
+    ret=`echo $passwd | grep -c [0-9]`
+    num=$(($num+$ret))
+
+    if test $num -lt 2; then
+	return 0
+    fi
+
+    return 1
+
+}
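Review bot: the exit status contradicts the function's own comment: "Returns a true value if password seems to be a safety", yet every weak case does `return 0` (true in sh) and the strong path ends in `return 1`, so the callers have to read "true" as "weak"; pick one convention and state it in the comment. Two further defects in this hunk: `passwd_len=\`echo $passwd | wc -c\`` counts the trailing newline, so `test $passwd_len -lt 5` only rejects passwords of three or fewer characters rather than four (use `${#passwd}`), and the unquoted `grep -c [a-z]` patterns and `grep -ci $user` are exposed to pathname expansion and to regex metacharacters in the login name, so quote the patterns and match the name with `grep -F`. The inner `if test $passwd_len -ge $user_len` is always true once the substring match succeeded and can be dropped.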
Index: debian/user-setup-udeb.templates
===================================================================
--- debian/user-setup-udeb.templates	(revision 47257)
+++ debian/user-setup-udeb.templates	(working copy)
@@ -43,6 +43,12 @@
  Please enter the same root password again to verify that you have typed it
  correctly.
 
+Template: passwd/chkpasswd
+Type: boolean
+Default: false
+_Description: : Check a password?
+ Safety password will make secure system.
+
 Template: passwd/make-user
 Type: boolean
 Default: true
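Review bot: `_Description: : Check a password?` has a stray leading colon that will appear in the prompt; it should read `_Description: Check a password?`. With `Default: false` and the question asked only at low priority (see the user-setup-ask hunk), a default-priority install never gets the check at all, so consider `Default: true` so that it is on unless an expert opts out.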
@@ -110,6 +116,12 @@
  You entered an empty password, which is not allowed.
  Please choose a non-empty password.
 
+Template: user-setup/chkpasswd-bad
+Type: error
+_Description: The password does not seem safety.
+ The password you entered is not look safety. 
+ Please mix the capital letter, the small letter, and numbers with the password. 
+
 Template: passwd/shadow
 Type: boolean
 Default: true
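Review bot: the error text tells the user only to mix capital letters, small letters and numbers, but `chkpasswd` also rejects passwords shorter than five characters and passwords containing the login name, so someone who typed `root123` is told to add a mix it already has; list all the rules the check enforces, and fix the grammar in `The password does not seem safety.` and `is not look safety`.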
Index: user-setup-ask
===================================================================
--- user-setup-ask	(revision 47257)
+++ user-setup-ask	(working copy)
@@ -37,6 +37,8 @@
 		db_input low passwd/shadow || true
 		# Ask if root should be allowed to login.
 		db_input medium passwd/root-login || true
+		# Ask if user wants to check a password
+		db_input low passwd/chkpasswd || true
 	;;
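Review bot: asking `passwd/chkpasswd` at `low` priority hides the question in a default-priority install, which is exactly where an unchecked weak password is most likely; combined with the template's `Default: false` the feature is effectively off for almost everyone.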
 	1)
 		db_get passwd/root-login
@@ -63,6 +65,9 @@
 			# root password will be locked
 			db_set passwd/root-password-again ""
 		elif ! root_password; then
+		        db_get passwd/chkpasswd || true
+			PW_CHK="$RET"
+
 			# First check whether the root password was preseeded crypted
 			db_get passwd/root-password-crypted || true
 			if ! test "$RET" ; then
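Review bot: `PW_CHK="$RET"` is assigned only inside the `elif ! root_password; then` branch, but the same variable gates the user-password check in the last hunk, so whenever this branch is not taken (root password preseeded or root locked) `PW_CHK` stays unset and the normal user's password is never checked; read `passwd/chkpasswd` once before the state machine instead. The `db_get passwd/chkpasswd || true` line is also indented with spaces where the surrounding lines use tabs.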
@@ -78,6 +83,16 @@
 					STATE=0
 					continue
 				fi
+				if [ "$PW_CHK" = true ]; then
+				        if `chkpasswd "root" "$ROOT_PW"`; then
+					    db_fset user-setup/chkpasswd-bad seen false
+					    db_input critical user-setup/chkpasswd-bad
+					    db_fset passwd/root-password seen false
+					    db_fset passwd/root-password-again seen false
+					    STATE=0
+					    continue
+					fi		
+				fi
 				db_get passwd/root-password-again
 				if [ "$ROOT_PW" != "$RET" ]; then
 					db_fset user-setup/password-mismatch seen false
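Review bot: `if \`chkpasswd "root" "$ROOT_PW"\`; then` runs the function's (empty) output as a command instead of testing the function directly; it only works because an empty command inherits the exit status of the substitution. Write `if chkpasswd "root" "$ROOT_PW"; then` (or `if ! chkpasswd ...` once the return convention is fixed). Note also that the rejected root password is left in `passwd/root-password`, whereas the user-password hunk below clears both templates with `db_set ... ""` before re-asking; the two paths should behave the same.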
@@ -192,6 +207,19 @@
 					STATE=6
 					continue
 				fi
+				if [ "$PW_CHK" = true ]; then
+				        if `chkpasswd "$USER" "$USER_PW"`; then
+					    db_set passwd/user-password ""
+					    db_set passwd/user-password-again ""
+					    db_fset user-setup/chkpasswd-bad seen false
+					    db_input critical user-setup/chkpasswd-bad
+					    db_fset passwd/user-password seen false
+					    db_fset passwd/user-password-again seen false
+					    STATE=6
+					    continue
+					fi		
+				fi
+
 			fi
 		fi
 	;;
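Review bot: this block repeats the root-password block line for line with only the template names and `STATE=6` changed, and the two already differ in whether the password is cleared; a small helper taking the user name, password and template prefix would keep them from drifting apart. The same backtick-in-`if` construct (`if \`chkpasswd "$USER" "$USER_PW"\`; then`) applies here as in the root hunk.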

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#364526; Package user-setup. Full text and rfc822 format available.

Acknowledgement sent to Otavio Salvador <otavio@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>. Full text and rfc822 format available.

Message #24 received at 364526@bugs.debian.org (full text, mbox):

From: Otavio Salvador <otavio@debian.org>
To: Masami Ichikawa <masami256@gmail.com>
Cc: 364526@bugs.debian.org
Subject: Re: Bug#364526: debian-installer: Please implement a password-checking module
Date: Sat, 16 Jun 2007 09:58:16 -0300
Masami Ichikawa <masami256@gmail.com> writes:

> Hello.
>
> I wrote a password checking feature implemented as a shell script in function.sh.
> I attached a patch named passwd_check.patch.

I personally liked it a lot. I'd just want to ask you to check the
code indenting since it has some mistakes.

-- 
        O T A V I O    S A L V A D O R
---------------------------------------------
 E-mail: otavio@debian.org      UIN: 5906116
 GNU/Linux User: 239058     GPG ID: 49A5F855
 Home Page: http://otavio.ossystems.com.br
---------------------------------------------
"Microsoft sells you Windows ... Linux gives
 you the whole house."



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#364526; Package user-setup. Full text and rfc822 format available.

Acknowledgement sent to stappers@stappers.nl (Geert Stappers):
Extra info received and forwarded to list. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>. Full text and rfc822 format available.

Message #29 received at 364526@bugs.debian.org (full text, mbox):

From: stappers@stappers.nl (Geert Stappers)
To: Masami Ichikawa <masami256@gmail.com>, 364526@bugs.debian.org
Subject: Re: Bug#364526: debian-installer: Please implement a password-checking module
Date: Sat, 16 Jun 2007 15:48:10 +0200
The program code in the patch seems reasonable.
One thing I'd like to see changed
is "password check" into "password strength check"


Op 16-06-2007 om 21:41 schreef Masami Ichikawa:
> Hello.
> 
> I wrote a password checking feature implemented as a shell script in function.sh.

 a password strength checking feature


<snip what="header of patch"/>

> +# Returns a true value if password seems to be a safety.

# Return a true value if password seems to be strong enough

> +chkpasswd ()
chkpasswdstrength()

> +{
> +    user=$1
> +    passwd=$2
> +
> +    user_len=`echo $user | wc -c`
> +    passwd_len=`echo $passwd | wc -c`
> +
> +    # password length should be bigger than four.
> +    if test $passwd_len -lt 5; then
> +	return 0
> +    fi
> +
> +    # password shouldn't be a login account.
> +    if test "$user" = "$passwd"; then
> +	return 0
> +    fi
> +
> +    # password shouldn't contain login account.
> +    ret=`echo $passwd | grep -ci $user`
> +    if test $ret = 1; then
> +	if test $passwd_len -ge $user_len; then 

???
That check doesn't look reasonable ...
	
> +	    return 0
> +	fi
> +    fi
> +
> +}
> Index: debian/user-setup-udeb.templates
> ===================================================================
> --- debian/user-setup-udeb.templates	(revision 47257)
> +++ debian/user-setup-udeb.templates	(working copy)
> @@ -43,6 +43,12 @@
>   Please enter the same root password again to verify that you have typed it
>   correctly.
>  
> +Template: passwd/chkpasswd
   Template: passwd/chkpasswdstrength

> +Type: boolean
> +Default: false
> +_Description: : Check a password?
   _Description: : Check password strength?

> + Safety password will make secure system.
    Stronger password will make a more secure system.

> +
>  Template: passwd/make-user
>  Type: boolean
>  Default: true
> @@ -110,6 +116,12 @@
>   You entered an empty password, which is not allowed.
>   Please choose a non-empty password.
>  
> +Template: user-setup/chkpasswd-bad
   Template: user-setup/chkpasswdstrength-bad

> +Type: error
> +_Description: The password does not seem safety.
  +_Description: The password does not seem strong.

> + The password you entered is not look safety. 

  + The password you entered is not a strong password. 


> + Please mix the capital letter, the small letter, and numbers with the password. 

  + Make a mix of capital letters, small letters AND numbers for the password. 

> +
>  Template: passwd/shadow
>  Type: boolean
>  Default: true
> Index: user-setup-ask
> ===================================================================
> --- user-setup-ask	(revision 47257)
> +++ user-setup-ask	(working copy)
> @@ -37,6 +37,8 @@
>  		db_input low passwd/shadow || true
>  		# Ask if root should be allowed to login.
>  		db_input medium passwd/root-login || true
> +		# Ask if user wants to check a password
  +		# Ask if user wants to check password strength

> +		db_input low passwd/chkpasswd || true
  +		db_input low passwd/chkpasswdstrength || true

>  	;;
>  	1)
>  		db_get passwd/root-login
> @@ -63,6 +65,9 @@
>  			# root password will be locked
>  			db_set passwd/root-password-again ""
>  		elif ! root_password; then
> +		        db_get passwd/chkpasswd || true
  +		db_input low passwd/chkpasswdstrength || true

> +			PW_CHK="$RET"
> +
>  			# First check whether the root password was preseeded crypted
>  			db_get passwd/root-password-crypted || true
>  			if ! test "$RET" ; then
> @@ -78,6 +83,16 @@
>  					STATE=0
>  					continue
>  				fi
> +				if [ "$PW_CHK" = true ]; then
> +				        if `chkpasswd "root" "$ROOT_PW"`; then
> +					    db_fset user-setup/chkpasswd-bad seen false
  +					    db_fset user-setup/chkpasswdstrength-bad seen false

> +					    db_input critical user-setup/chkpasswd-bad
  +					    db_input critical user-setup/chkpasswdstrength-bad

> +					    db_fset passwd/root-password seen false
> +					    db_fset passwd/root-password-again seen false
> +					    STATE=0
> +					    continue
> +					fi		
> +				fi
>  				db_get passwd/root-password-again
>  				if [ "$ROOT_PW" != "$RET" ]; then
>  					db_fset user-setup/password-mismatch seen false
> @@ -192,6 +207,19 @@
>  					STATE=6
>  					continue
>  				fi
> +				if [ "$PW_CHK" = true ]; then
> +				        if `chkpasswd "$USER" "$USER_PW"`; then
> +					    db_set passwd/user-password ""
> +					    db_set passwd/user-password-again ""
> +					    db_fset user-setup/chkpasswd-bad seen false
  +					    db_fset user-setup/chkpasswdstrength-bad seen false

> +					    db_input critical user-setup/chkpasswd-bad
  +					    db_input critical user-setup/chkpasswdstrength-bad

> +					    db_fset passwd/user-password seen false
> +					    db_fset passwd/user-password-again seen false
> +					    STATE=6
> +					    continue
> +					fi		
> +				fi
> +
>  			fi
>  		fi
>  	;;


Cheers
Geert Stappers
-- 
Here some Bruce Schneider quote like
 "security is not having long passwords"




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#364526; Package user-setup. Full text and rfc822 format available.

Acknowledgement sent to Masami Ichikawa <masami256@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>. Full text and rfc822 format available.

Message #34 received at 364526@bugs.debian.org (full text, mbox):

From: Masami Ichikawa <masami256@gmail.com>
To: 364526@bugs.debian.org
Subject: Re: Bug#364526: debian-installer: Please implement a password-checking module
Date: Sat, 16 Jun 2007 23:18:52 +0900
Hello:-)

Thanks to Otavio Salvador and Geert Stappers for reviewing.
I'll fix the points pointed out ASAP.

Cheers,
-- 
/*
 * Masami Ichikawa
 * mailto: hangar-18@mub.biglobe.ne.jp
 *       : masami256@gmail.com
 */



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#364526; Package user-setup. Full text and rfc822 format available.

Acknowledgement sent to Christian Perrier <bubulle@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>. Full text and rfc822 format available.

Message #39 received at 364526@bugs.debian.org (full text, mbox):

From: Christian Perrier <bubulle@debian.org>
To: 364526@bugs.debian.org
Subject: Re: Bug#364526: debian-installer: Please implement a password-checking module
Date: Sat, 16 Jun 2007 16:10:21 +0200
[Message part 1 (text/plain, inline)]
Quoting Masami Ichikawa (masami256@gmail.com):
> Hello.
> 
> I wrote a password checking feature implemented as a shell script in function.sh.
> I attached a patch named passwd_check.patch.

Thanks a lot for this contribution, which may help start some work
on this feature.

Some ppl may find the checks slightly incomplete, but that doesn't
prevent anyone from improving them.

Please let me comment about the wording of the proposed templates:

> I'm not sure that people wants to use it.
> so, I set a debconf priority low.

That's a tricky case; most of the time, the people who might need
such a feature....are those who will run D-I at default priority.

I'd vote for the password strength check to be asked at low priority
so that "experts" can decide to skip it....BUT the default answer to
be "True".


> +Template: passwd/chkpasswd
> +Type: boolean
> +Default: false
> +_Description: : Check a password?
> + Safety password will make secure system.
> +

Template: passwd/chkpasswd
Type: boolean
Default: true
_Description: Reject weak passwords ?
 Please choose whether you want the entered passwords strength to be
 checked and passwords found as 'weak' to be rejected.

Template: user-setup/chkpasswd-bad
Type: error
_Description: Weak password
 The strength of the password you have chosen is low.
 .
 Weak passwords can compromise the system's security, so please
 choose another password.



[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#364526; Package user-setup. Full text and rfc822 format available.

Acknowledgement sent to Frans Pop <elendil@planet.nl>:
Extra info received and forwarded to list. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>. Full text and rfc822 format available.

Message #44 received at 364526@bugs.debian.org (full text, mbox):

From: Frans Pop <elendil@planet.nl>
To: 364526@bugs.debian.org
Subject: Re: Bug#364526: debian-installer: Please implement a password-checking module
Date: Sat, 16 Jun 2007 20:27:18 +0200
[Message part 1 (text/plain, inline)]
On Saturday 16 June 2007 16:10, Christian Perrier wrote:
> _Description: Reject weak passwords ?

s/ ?/?/ !!!!!!!
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#364526; Package user-setup. Full text and rfc822 format available.

Acknowledgement sent to Masami Ichikawa <masami256@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>. Full text and rfc822 format available.

Message #49 received at 364526@bugs.debian.org (full text, mbox):

From: Masami Ichikawa <masami256@gmail.com>
To: 364526@bugs.debian.org
Cc: debian-boot@lists.debian.org
Subject: Re: Bug#364526: debian-installer: Please implement a password-checking module
Date: Sun, 17 Jun 2007 21:21:49 +0900
[Message part 1 (text/plain, inline)]
Hello.

Thanks to the people who gave me comments:-)
I wrote a new patch with these changes:

* s/chkpasswd/checkpasswdstrength/
* fixed indentation.
* rewrote messages in user-setup-udeb.templates.
* default answer is true.
  The user has to choose a strong password now by default.

Cheers,
-- 
/*
 * Masami Ichikawa
 * mailto: hangar-18@mub.biglobe.ne.jp
 *       : masami256@gmail.com
 */
[chkpasswdstrength.patch (text/x-patch, inline)]
Index: functions.sh
===================================================================
--- functions.sh	(revision 47268)
+++ functions.sh	(working copy)
@@ -39,3 +39,53 @@
 
 	return 1
 }
+
+# Return a true value if password seems to be strong enough.
+chkpasswdstrength ()
+{
+	user=$1
+	passwd=$2
+
+	user_len=`echo $user | wc -c`
+	passwd_len=`echo $passwd | wc -c`
+
+	# password length should be bigger than four.
+	if test $passwd_len -lt 5; then
+		return 0
+	fi
+
+	# password shouldn't be a login account.
+	if test "$user" = "$passwd"; then
+		return 0
+	fi
+
+	# password shouldn't contain login account.
+	ret=`echo $passwd | grep -ci $user`
+	if test $ret = 1; then
+		if test $passwd_len -ge $user_len; then 
+			return 0
+		fi
+	fi
+
+	# The password should be this structure.
+	# 1) contain lower char and upper char
+	# 2) contain lower char and digit
+	# 3) contain upper char and digit
+	# 4) contain lower char and upper char and digit
+
+	ret=`echo $passwd | grep -c [a-z]`
+	num=$ret
+
+	ret=`echo $passwd | grep -c [A-Z]`
+	num=$(($num+$ret))
+
+	ret=`echo $passwd | grep -c [0-9]`
+	num=$(($num+$ret))
+
+	if test $num -lt 2; then
+		return 0
+	fi
+
+	return 1
+
+}
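Review bot: the length test is still off by one: `echo $passwd | wc -c` includes the newline, so a four-character password gets `passwd_len=5` and passes `test $passwd_len -lt 5`; use `${#passwd}` instead. The inner `if test $passwd_len -ge $user_len` is dead code, because a password that contains the login name is always at least as long as it, so the block reduces to rejecting on the `grep -ci` match (which also covers user `foo` with password `food123`). The patterns `[a-z]`, `[A-Z]` and `[0-9]` remain unquoted, so a single-character file name in the current directory would be substituted into the grep pattern, and `$user` is still interpreted as a regex; quote the patterns and use `grep -ciF -- "$user"`.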
Index: debian/user-setup-udeb.templates
===================================================================
--- debian/user-setup-udeb.templates	(revision 47268)
+++ debian/user-setup-udeb.templates	(working copy)
@@ -43,6 +43,13 @@
  Please enter the same root password again to verify that you have typed it
  correctly.
 
+Template: passwd/chkpasswdstrength
+Type: boolean
+Default: true
+_Description: : Reject weak passwords?
+ Please choose whether you want the entered passwords strength to be
+ checked and passwords found as 'weak' to be rejected. 
+
 Template: passwd/make-user
 Type: boolean
 Default: true
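Review bot: `_Description: : Reject weak passwords?` still carries the stray colon from the first version; the short description should be exactly `Reject weak passwords?`. In the long description, "entered passwords strength" should be "entered password's strength".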
@@ -110,6 +117,12 @@
  You entered an empty password, which is not allowed.
  Please choose a non-empty password.
 
+Template: user-setup/chkpasswdstrength-bad
+Type: error
+_Description: Weak password
+ choose another password that does contain numbers, upper and lower 
+ case characters.
+
 Template: passwd/shadow
 Type: boolean
 Default: true
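Review bot: the long description starts in lower case (`choose another password ...`) and names only the character-class rule, although `chkpasswdstrength` also rejects passwords shorter than five characters and passwords containing the login name; state all three so the user can tell why the password was refused, e.g. `Please choose a password of at least five characters that does not contain your login name and mixes numbers, upper and lower case letters.`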
Index: user-setup-ask
===================================================================
--- user-setup-ask	(revision 47268)
+++ user-setup-ask	(working copy)
@@ -37,6 +37,8 @@
 		db_input low passwd/shadow || true
 		# Ask if root should be allowed to login.
 		db_input medium passwd/root-login || true
+		# Ask if user wants to check a password
+		db_input low passwd/chkpasswdstrength || true
 	;;
 	1)
 		db_get passwd/root-login
@@ -63,6 +65,9 @@
 			# root password will be locked
 			db_set passwd/root-password-again ""
 		elif ! root_password; then
+		        db_get passwd/chkpasswdstrength || true
+			PW_CHK="$RET"
+
 			# First check whether the root password was preseeded crypted
 			db_get passwd/root-password-crypted || true
 			if ! test "$RET" ; then
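Review bot: `PW_CHK` is still only assigned inside the `elif ! root_password; then` branch while the user-password hunk relies on it, so when the root password was preseeded or root is locked the normal user's password goes unchecked; fetch `passwd/chkpasswdstrength` once before the state machine. The `db_get passwd/chkpasswdstrength || true` line also still uses space indentation where the file uses tabs.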
@@ -78,6 +83,16 @@
 					STATE=0
 					continue
 				fi
+				if [ "$PW_CHK" = true ]; then
+					if `chkpasswdstrength "root" "$ROOT_PW"`; then
+						db_fset user-setup/chkpasswdstrength-bad seen false
+						db_input critical user-setup/chkpasswdstrength-bad
+						db_fset passwd/root-password seen false
+						db_fset passwd/root-password-again seen false
+						STATE=0
+						continue
+					fi		
+				fi
 				db_get passwd/root-password-again
 				if [ "$ROOT_PW" != "$RET" ]; then
 					db_fset user-setup/password-mismatch seen false
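Review bot: `if \`chkpasswdstrength "root" "$ROOT_PW"\`; then` still executes the function's empty output as a command rather than testing the function; it only happens to work because an empty command takes the substitution's exit status. Write `if chkpasswdstrength "root" "$ROOT_PW"; then`, and make the comment and the return value of the function agree on which status means "weak".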
@@ -192,6 +207,19 @@
 					STATE=6
 					continue
 				fi
+				if [ "$PW_CHK" = true ]; then
+					if `chkpasswdstrength "$USER" "$USER_PW"`; then
+						db_set passwd/user-password ""
+						db_set passwd/user-password-again ""
+						db_fset user-setup/chkpasswdstrength-bad seen false
+						db_input critical user-setup/chkpasswdstrength-bad
+						db_fset passwd/user-password seen false
+						db_fset passwd/user-password-again seen false
+						STATE=6
+						continue
+					fi		
+				fi
+
 			fi
 		fi
 	;;
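Review bot: the user branch clears `passwd/user-password` and `passwd/user-password-again` with `db_set ... ""` before re-asking, but the root branch in the previous hunk leaves the rejected value in `passwd/root-password`; the two should behave identically, and a helper taking the user name, password and template prefix would remove the duplicated block.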

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#364526; Package user-setup. Full text and rfc822 format available.

Acknowledgement sent to stappers@stappers.nl (Geert Stappers):
Extra info received and forwarded to list. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>. Full text and rfc822 format available.

Message #54 received at 364526@bugs.debian.org (full text, mbox):

From: stappers@stappers.nl (Geert Stappers)
To: Masami Ichikawa <masami256@gmail.com>
Cc: 364526@bugs.debian.org
Subject: Re: Bug#364526: debian-installer: Please implement a password-checking module
Date: Sun, 17 Jun 2007 18:04:46 +0200
Op 17-06-2007 om 21:21 schreef Masami Ichikawa:
 <snip/>
> +	# password shouldn't contain login account.
> +	ret=`echo $passwd | grep -ci $user`
> +	if test $ret = 1; then
> +		if test $passwd_len -ge $user_len; then 
> +			return 0
> +		fi
> +	fi

If I understand the above code snippet correctly,
then it does allow user='root' and password='root'
and depends on further checks.

Please simplify the source code to

 +	ret=`echo $passwd | grep -ci $user`
 +	if test $ret = 1; then
 +		return 0
 +	fi

It better matches
 +	# password shouldn't contain login account.
and it will prevent user='R00tme' with password='R00tme'


 <snip/>
> --- debian/user-setup-udeb.templates	(revision 47268)
> +++ debian/user-setup-udeb.templates	(working copy)
> @@ -110,6 +117,12 @@
>   You entered an empty password, which is not allowed.
>   Please choose a non-empty password.
>  
> +Template: user-setup/chkpasswdstrength-bad
> +Type: error
> +_Description: Weak password
> + choose another password that does contain numbers, upper and lower 
> + case characters.
> +

Nitpicking:

Start 'choose' with a capital.



Thanks for the patch.
Someone should find out
if he could apply the patch to the versioning system.




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#364526; Package user-setup. Full text and rfc822 format available.

Acknowledgement sent to Christian Perrier <bubulle@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>. Full text and rfc822 format available.

Message #59 received at 364526@bugs.debian.org (full text, mbox):

From: Christian Perrier <bubulle@debian.org>
To: Masami Ichikawa <masami256@gmail.com>
Cc: 364526@bugs.debian.org
Subject: Re: Bug#364526: debian-installer: Please implement a password-checking module
Date: Sun, 17 Jun 2007 20:02:28 +0200
[Message part 1 (text/plain, inline)]
> +Template: passwd/chkpasswdstrength
> +Type: boolean
> +Default: true
> +_Description: : Reject weak passwords?

Should be:

_Description: Reject weak passwords?


> + Please choose whether you want the entered passwords strength to be
> + checked and passwords found as 'weak' to be rejected. 
> +

> +Template: user-setup/chkpasswdstrength-bad
> +Type: error
> +_Description: Weak password
> + choose another password that does contain numbers, upper and lower 
> + case characters.
> +

s/choose/Please choose

I suggest removing 'another':

 Please choose a password that....

>  Template: passwd/shadow
>  Type: boolean
>  Default: true
> Index: user-setup-ask
> ===================================================================
> --- user-setup-ask	(revision 47268)
> +++ user-setup-ask	(working copy)
> @@ -37,6 +37,8 @@

[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#364526; Package user-setup. Full text and rfc822 format available.

Acknowledgement sent to Masami Ichikawa <masami256@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>. Full text and rfc822 format available.

Message #64 received at 364526@bugs.debian.org (full text, mbox):

From: Masami Ichikawa <masami256@gmail.com>
To: Geert Stappers <stappers@stappers.nl>
Cc: 364526@bugs.debian.org
Subject: Re: Bug#364526: debian-installer: Please implement a password-checking module
Date: Mon, 18 Jun 2007 07:42:04 +0900
on 06/18/07 01:04, Geert Stappers wrote:
> Op 17-06-2007 om 21:21 schreef Masami Ichikawa:
>  <snip/>
>> +	# password shouldn't contain login account.
>> +	ret=`echo $passwd | grep -ci $user`
>> +	if test $ret = 1; then
>> +		if test $passwd_len -ge $user_len; then 
>> +			return 0
>> +		fi
>> +	fi
> 
> If I understand the above code snippet correct,
> then it does allow user='root' and password='root'
> and does depend on further checks.
> 
Yes. That's right.

> Please simply to source code into
> 
>  +	ret=`echo $passwd | grep -ci $user`
>  +	if test $ret = 1; then
>  +		return 0
>  +	fi
> 
> It does better match 
>  +	# password shouldn't contain login account.
> and it will prevent user='R00tme' with password='R00tme'
> 
> 
When I tested with user="foo" password="food123", I thought this case might be allowed,
because in this case grep returns 1.
So, I added the "if test $passwd_len -ge $user_len; then" line.
I couldn't find another solution:-(

>  <snip/>
>> --- debian/user-setup-udeb.templates	(revision 47268)
>> +++ debian/user-setup-udeb.templates	(working copy)
>> @@ -110,6 +117,12 @@
>>   You entered an empty password, which is not allowed.
>>   Please choose a non-empty password.
>>  
>> +Template: user-setup/chkpasswdstrength-bad
>> +Type: error
>> +_Description: Weak password
>> + choose another password that does contain numbers, upper and lower 
>> + case characters.
>> +
> 
> Nitpicking:
> 
> Start 'choose' with a capital.
> 
>
Yes.

> 
> Thanks for the patch
> Someone who should find out,
> if he could have applied the patch into the versioning system.
> 
> 

Cheers,
-- 
/*
 * Masami Ichikawa
 * mailto: hangar-18@mub.biglobe.ne.jp
 *       : masami256@gmail.com
 */



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#364526; Package user-setup.

Acknowledgement sent to Masami Ichikawa <masami256@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>.

Message #69 received at 364526@bugs.debian.org:

From: Masami Ichikawa <masami256@gmail.com>
To: Christian Perrier <bubulle@debian.org>
Cc: 364526@bugs.debian.org
Subject: Re: Bug#364526: debian-installer: Please implement a password-checking module
Date: Mon, 18 Jun 2007 07:43:25 +0900
on 06/18/07 03:02, Christian Perrier wrote:
>> +Template: passwd/chkpasswdstrength
>> +Type: boolean
>> +Default: true
>> +_Description: : Reject weak passwords?
> 
> Should be:
> 
> _Description: Reject weak passwords?
> 

Yes. It should be.

> 
>> + Please choose whether you want the entered passwords strength to be
>> + checked and passwords found as 'weak' to be rejected. 
>> +
> 
>> +Template: user-setup/chkpasswdstrength-bad
>> +Type: error
>> +_Description: Weak password
>> + choose another password that does contain numbers, upper and lower 
>> + case characters.
>> +
> 
> s/choose/Please choose
> 
> I suggest removing 'another':
> 
>  Please choose a password that....
> 

Yes.

>>  Template: passwd/shadow
>>  Type: boolean
>>  Default: true
>> Index: user-setup-ask
>> ===================================================================
>> --- user-setup-ask	(revision 47268)
>> +++ user-setup-ask	(working copy)
>> @@ -37,6 +37,8 @@
> 

Cheers,
-- 
/*
 * Masami Ichikawa
 * mailto: hangar-18@mub.biglobe.ne.jp
 *       : masami256@gmail.com
 */



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#364526; Package user-setup.

Acknowledgement sent to Joey Hess <joeyh@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>.

Message #74 received at 364526@bugs.debian.org:

From: Joey Hess <joeyh@debian.org>
To: Masami Ichikawa <masami256@gmail.com>
Cc: 364526@bugs.debian.org, debian-boot@lists.debian.org
Subject: Re: Bug#364526: debian-installer: Please implement a password-checking module
Date: Mon, 18 Jun 2007 09:30:48 +0100
Masami Ichikawa wrote:
> +Template: passwd/chkpasswdstrength
> +Type: boolean
> +Default: true
> +_Description: : Reject weak passwords?
> + Please choose whether you want the entered passwords strength to be
> + checked and passwords found as 'weak' to be rejected. 

I'd suggest turning this around. Don't first ask whether to check
passwords. Just check them. If the password is weak, prompt y/n whether
to accept the weak password. The benefits are:

a. It's easier to decide whether a weak password should be accepted once
   you've actually entered it. It could even indicate what's wrong with
   the password in its message.
b. This avoids the extra question "most" of the time, assuming people
   often enter a strong password.
c. This should be reasonably non-annoying for testers, who tend to use
   weak passwords.

Also, it seems to me that it would be much better to use the existing
cracklib stuff for password strength checking rather than
re-implementing that. If it could be made into a small enough udeb..

-- 
see shy jo

Forcibly Merged 364526 409038. Request was from Otavio Salvador <otavio@debian.org> to control@bugs.debian.org. (Mon, 18 Jun 2007 19:07:51 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#364526; Package user-setup.

Acknowledgement sent to Masami Ichikawa <masami256@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>.

Message #81 received at 364526@bugs.debian.org:

From: Masami Ichikawa <masami256@gmail.com>
To: Christian Perrier <bubulle@debian.org>
Cc: 364526@bugs.debian.org
Subject: Re: Bug#364526: debian-installer: Please implement a password-checking module
Date: Tue, 19 Jun 2007 21:58:24 +0900
Hello.

on 06/18/07 03:02, Christian Perrier wrote:
>> +Template: passwd/chkpasswdstrength
>> +Type: boolean
>> +Default: true
>> +_Description: : Reject weak passwords?
> 
> Should be:
> 
> _Description: Reject weak passwords?
> 
> 
>> + Please choose whether you want the entered passwords strength to be
>> + checked and passwords found as 'weak' to be rejected. 
>> +
> 
>> +Template: user-setup/chkpasswdstrength-bad
>> +Type: error
>> +_Description: Weak password
>> + choose another password that does contain numbers, upper and lower 
>> + case characters.
>> +
> 
> s/choose/Please choose
> 
> I suggest removing 'another':
> 
>  Please choose a password that....
> 
>>  Template: passwd/shadow
>>  Type: boolean
>>  Default: true
>> Index: user-setup-ask
>> ===================================================================
>> --- user-setup-ask	(revision 47268)
>> +++ user-setup-ask	(working copy)
>> @@ -37,6 +37,8 @@
> 

I fixed the messages in user-setup-udeb.templates.
Maybe this patch is the final version. Also, Joey's suggestion is interesting to me,
so I'd try to implement his suggestion.

Cheers,
-- 
/*
 * Masami Ichikawa
 * mailto: hangar-18@mub.biglobe.ne.jp
 *       : masami256@gmail.com
 */
[chkpasswdstrength.patch (text/x-patch, inline)]
Index: functions.sh
===================================================================
--- functions.sh	(revision 47541)
+++ functions.sh	(working copy)
@@ -39,3 +39,53 @@
 
 	return 1
 }
+
+# Return a true value if password seems to be strong enough.
+chkpasswdstrength ()
+{
+	user=$1
+	passwd=$2
+
+	user_len=`echo $user | wc -c`
+	passwd_len=`echo $passwd | wc -c`
+
+	# password length should be bigger than four.
+	if test $passwd_len -lt 5; then
+		return 0
+	fi
+
+	# password shouldn't be a login account.
+	if test "$user" = "$passwd"; then
+		return 0
+	fi
+
+	# password shouldn't contain login account.
+	ret=`echo $passwd | grep -ci $user`
+	if test $ret = 1; then
+		if test $passwd_len -ge $user_len; then 
+			return 0
+		fi
+	fi
+
+	# The password should be this structure.
+	# 1) contain lower char and upper char
+	# 2) contain lower char and digit
+	# 3) contain upper char and digit
+	# 4) contain lower char and upper char and digit
+
+	ret=`echo $passwd | grep -c [a-z]`
+	num=$ret
+
+	ret=`echo $passwd | grep -c [A-Z]`
+	num=$(($num+$ret))
+
+	ret=`echo $passwd | grep -c [0-9]`
+	num=$(($num+$ret))
+
+	if test $num -lt 2; then
+		return 0
+	fi
+
+	return 1
+
+}
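Review bot: the password goes through `echo $passwd | wc -c` and `echo $passwd | grep -ci $user` unquoted, so a password or user name containing spaces, `*`, a leading `-n` or regex metacharacters is word-split, glob-expanded or interpreted by grep instead of being tested literally; use `printf '%s' "$passwd"` with every expansion quoted, or better `${#passwd}` for the length and a `case "$passwd" in *"$user"*)` pattern for the containment test. Three smaller points in the same hunk: `wc -c` counts the newline that `echo` appends, so `-lt 5` rejects three-character passwords while the comment says the length "should be bigger than four"; the header comment says "Return a true value if password seems to be strong enough" but the function returns 0 (true) for a weak password and 1 for a strong one, which is what the callers in user-setup-ask rely on, so one of the two should change; and the inner `if test $passwd_len -ge $user_len` guard can never be false once `grep -ci $user` has matched, so it does not implement the user=foo / password=food123 exemption discussed earlier in the thread and should either go or be written as the rule actually intended. Finally, `grep -c [a-z]` leaves the bracket expression unquoted (a file named `a` in the current directory would expand it) and `[a-z]` is locale-dependent; quote the pattern and use `[[:lower:]]`, `[[:upper:]]`, `[[:digit:]]`.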
Index: debian/user-setup-udeb.templates
===================================================================
--- debian/user-setup-udeb.templates	(revision 47541)
+++ debian/user-setup-udeb.templates	(working copy)
@@ -43,6 +43,13 @@
  Please enter the same root password again to verify that you have typed it
  correctly.
 
+Template: passwd/chkpasswdstrength
+Type: boolean
+Default: true
+_Description: Reject weak passwords?
+ Please choose whether you want the entered passwords strength to be
+ checked and passwords found as 'weak' to be rejected. 
+
 Template: passwd/make-user
 Type: boolean
 Default: true
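Review bot: in the `_Description` body, "the entered passwords strength" should read "the entered password's strength", and the line ending in `to be rejected. ` carries a trailing space that lintian and the translation tooling will flag. Since the template defaults to true and is asked at priority low (see the user-setup-ask hunk), almost every install gets the check without seeing this question; the text should say that rejection is the default behaviour rather than read as a neutral choice.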
@@ -110,6 +117,12 @@
  You entered an empty password, which is not allowed.
  Please choose a non-empty password.
 
+Template: user-setup/chkpasswdstrength-bad
+Type: error
+_Description: Weak password
+ Please choose a password that does contain numbers, upper and lower 
+ case characters.
+
 Template: passwd/shadow
 Type: boolean
 Default: true
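Review bot: the error text tells the user to pick a password that "does contain numbers, upper and lower case characters", but chkpasswdstrength() accepts any two of the three classes and also rejects for a length below four and for containing the login name, none of which this message mentions; either list the actual rules or, as suggested earlier in the thread, have the check report the specific reason it failed. Also drop the trailing space after `lower`.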
Index: user-setup-ask
===================================================================
--- user-setup-ask	(revision 47541)
+++ user-setup-ask	(working copy)
@@ -37,6 +37,8 @@
 		db_input low passwd/shadow || true
 		# Ask if root should be allowed to login.
 		db_input medium passwd/root-login || true
+		# Ask if user wants to check a password
+		db_input low passwd/chkpasswdstrength || true
 	;;
 	1)
 		db_get passwd/root-login
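Review bot: the comment `# Ask if user wants to check a password` should say what is being asked, e.g. `# Ask whether weak passwords should be rejected`. With `db_input low` the question is only shown at the lowest (expert) priority while the template defaults to true, so in practice this turns rejection on for everyone; if that is the intent, say so in the commit message, otherwise raise the priority to match the template text.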
@@ -63,6 +65,9 @@
 			# root password will be locked
 			db_set passwd/root-password-again ""
 		elif ! root_password; then
+		        db_get passwd/chkpasswdstrength || true
+			PW_CHK="$RET"
+
 			# First check whether the root password was preseeded crypted
 			db_get passwd/root-password-crypted || true
 			if ! test "$RET" ; then
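Review bot: `PW_CHK` is only assigned inside the `elif ! root_password; then` branch, so when that branch is not taken (root login disabled, or the root password preseeded) `PW_CHK` stays unset and the later `[ "$PW_CHK" = true ]` test for the first user's password is silently false: the user password is then never checked. Read `passwd/chkpasswdstrength` once, before either password is handled. The added `db_get` line is also indented with spaces while the surrounding lines use tabs.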
@@ -78,6 +83,16 @@
 					STATE=0
 					continue
 				fi
+				if [ "$PW_CHK" = true ]; then
+					if `chkpasswdstrength "root" "$ROOT_PW"`; then
+						db_fset user-setup/chkpasswdstrength-bad seen false
+						db_input critical user-setup/chkpasswdstrength-bad
+						db_fset passwd/root-password seen false
+						db_fset passwd/root-password-again seen false
+						STATE=0
+						continue
+					fi		
+				fi
 				db_get passwd/root-password-again
 				if [ "$ROOT_PW" != "$RET" ]; then
 					db_fset user-setup/password-mismatch seen false
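Review bot: `if \`chkpasswdstrength "root" "$ROOT_PW"\`; then` executes the function's (empty) output as a command; it only works because the exit status of a command line with no command name falls through from the substitution. Write `if chkpasswdstrength root "$ROOT_PW"; then` instead. Unlike the user-password branch later in the patch, this branch re-prompts without clearing `passwd/root-password` and `passwd/root-password-again` with `db_set`, so the rejected value stays in the debconf database until the user overwrites it; clear both here as well. The `fi` after `continue` also carries trailing tabs.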
@@ -192,6 +207,19 @@
 					STATE=6
 					continue
 				fi
+				if [ "$PW_CHK" = true ]; then
+					if `chkpasswdstrength "$USER" "$USER_PW"`; then
+						db_set passwd/user-password ""
+						db_set passwd/user-password-again ""
+						db_fset user-setup/chkpasswdstrength-bad seen false
+						db_input critical user-setup/chkpasswdstrength-bad
+						db_fset passwd/user-password seen false
+						db_fset passwd/user-password-again seen false
+						STATE=6
+						continue
+					fi		
+				fi
+
 			fi
 		fi
 	;;
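Review bot: same backtick invocation of `chkpasswdstrength` as in the root branch; call the function directly in the `if`. The blank `+` line before the closing `fi` and the trailing whitespace after the inner `fi` should go. The root and user blocks are otherwise near-identical apart from the template names and the `STATE` value; a small helper taking those as arguments would keep the two in step (this branch clears the stored password, the root one does not).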

Message sent on to Javier Fernández-Sanguino Peña <jfs@computer.org>:
Bug#364526.

Message #84 received at 364526-submitter@bugs.debian.org:

From: Javier Fernández-Sanguino Peña <jfs@computer.org>
To: 364526-submitter@bugs.debian.org, debian-boot@lists.debian.org, Joey Hess <joeyh@debian.org>, Masami Ichikawa <masami256@gmail.com>
Subject: Re: Bug#364526: debian-installer: Please implement a password-checking module
Date: Thu, 21 Jun 2007 17:36:17 +0200
(Please send mails to -submitter so I can actually see them, I'm the
originator of this bug but I'm not subscribed to debian-boot)

Joey, the cracklib2 library, IIRC, does not check for password robustness
(i.e. size, use of characters, etc.) but, actually, tries to crack it using
its dictionary. This prevents people from entering, for example, 'debian' or
'debian123' as a password. Including it in d-i (as I suggested) would mean
providing a dictionary for cracklib (in installed systems it is available
at /var/cache/cracklib/ and generated from the local dictionaries being
installed), which could be rather large: 820K in my local filesystem based on
the 1,7M dictionary files I have installed (including Spanish and English
words).

The libpam-passwdqc module, however, when stacked in /etc/pam.d/passwd, will
do both the cracklib2 checks *and* checks for password robustness (minimum
length, character sets in the password, etc).

If we want to go that way I suggest we do what Owl's installer does [1]:

- have PAM be configured to use libpam-passwdqc per default in any Debian
  system

- have d-i install some common dictionaries, libpam-passwdqc and cracklib2 at the target system
  (that way Cracklib's dictionary will be generated there)

- chroot to it and use PAM to set the root/user password (see
  pam_root_password [2])

- let PAM tell us if the password is valid or not.

This could be done *in*addition* to some simple checks done in the installer
itself, as I suggested initially and Masami Ichikawa implemented, as long as
the checks done in d-i are consistent with libpam-passwdqc's configuration.

This has the advantage that password checking would be a standard setup in
any Debian system, regardless of whether the password is set on d-i or it's
changed later. And would actually apply to all users (not only those
configured through the d-i).

It has the disadvantage that it is a major change that implies changes in other
packages (PAM's default configuration) and significant coding (although this
could be simplified by reusing Owl's code [3], which is already available).

Another (different) way that could be implemented as an alternative
would be to:

- have d-i provide the cracklib-runtime + libcracklib2 + a proper (pregenerated)
  dictionary (note the size increase, as described above)

- do some basic password checks within d-i (with the patch provided in this
  bug)

- use the 'crack_testlib' binary to run a test on the password and let the
  user know if the password is based on a dictionary password.

That would be easier to code and has the advantage that no other changes are
needed (to PAM), but it has the disadvantages that the d-i size increases
(which is an issue currently) and that it duplicates code (as the password
checking code is already present in libpam-passwdqc, which we would not be using
in this case).

Hope that helps clarify stuff,


Javier


[1]
http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/owl-setup/setup/root_passwd_settle.cpp?rev=1.3;content-type=text%2Fx-cvsweb-markup

[2]
http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/owl-setup/setup/pam_root_passwd.cpp?rev=1.2;content-type=text%2Fx-cvsweb-markup

[3] The .spec file claims it's BSD-licensed, but it would be nice to ask
Solar Designer to add proper licenses to the headers of all the files in
there, to avoid any licensing confusion with it.
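As an added example (not code from the user-setup patch in this bug, nor from Owl or cracklib), the following POSIX sh functions apply the rules Masami's chkpasswdstrength() implements (minimum length, no login name inside the password, at least two character classes) without its `echo $passwd | wc -c` and `grep -ci $user` pitfalls, follow Geert's reading that `food123` for user `foo` is weak, and print the specific reason so the installer could show it as Joey suggests instead of a generic "Weak password" template. The optional dictionary step uses the `cracklib-check` binary from cracklib-runtime, which is the second alternative Javier describes above. Assumptions: the function names are hypothetical, the minimum length of 6 is taken from the installer's own guidance quoted at the top of this report, and `cracklib-check` is assumed to print `<password>: OK` or `<password>: <reason>` for each line read on stdin (the step is skipped when the binary is not installed).

```shell
#!/bin/sh
# Added example, not the chkpasswdstrength() from the patch in this bug.
# Returns 0 (true) when the password is acceptable, as the patch's own
# comment promises; on failure prints a one-line reason and returns 1.

PW_MIN_LEN=6        # assumption: the "6 chars" figure from the report's first message
PW_MIN_CLASSES=2    # as in the patch: at least two classes (punctuation counted here too)

# pw_lower STRING -> STRING in lower case. printf, not echo, so a password
# such as "-n" or "\x41" is passed through untouched.
pw_lower() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]'
}

# pw_reason PASSWORD USER
# Exit 0 if PASSWORD is acceptable for account USER, else print why and exit 1.
pw_reason() {
    local pw="$1" user="$2" lpw luser classes=0

    # ${#pw} counts characters; `echo | wc -c` would also count the newline.
    if [ "${#pw}" -lt "$PW_MIN_LEN" ]; then
        printf '%s\n' "password is shorter than $PW_MIN_LEN characters"
        return 1
    fi

    # Case-insensitive "contains the user name" test with a quoted pattern,
    # so the user name is matched literally rather than as a grep regex.
    # This also covers user == password, so one test replaces the patch's
    # three (its "$passwd_len -ge $user_len" guard is always true once
    # grep has matched).
    if [ -n "$user" ]; then
        lpw=$(pw_lower "$pw")
        luser=$(pw_lower "$user")
        case "$lpw" in
            *"$luser"*)
                printf '%s\n' "password must not contain the user name ($user)"
                return 1 ;;
        esac
    fi

    # Count character classes with case patterns: no grep, and no unquoted
    # [a-z] that the shell could expand against files in the current directory.
    case "$pw" in *[[:lower:]]*) classes=$((classes + 1)) ;; esac
    case "$pw" in *[[:upper:]]*) classes=$((classes + 1)) ;; esac
    case "$pw" in *[[:digit:]]*) classes=$((classes + 1)) ;; esac
    case "$pw" in *[![:alnum:]]*) classes=$((classes + 1)) ;; esac
    if [ "$classes" -lt "$PW_MIN_CLASSES" ]; then
        printf '%s\n' "password uses only $classes character class(es); mix lower, upper, digits or punctuation"
        return 1
    fi
    return 0
}

# pw_dict_reason PASSWORD
# Dictionary check through cracklib-check (cracklib-runtime). Exit 0 when the
# password passes or when cracklib-check is not installed (the step is
# optional), exit 1 with cracklib's reason otherwise.
pw_dict_reason() {
    local out verdict
    command -v cracklib-check >/dev/null 2>&1 || return 0
    out=$(printf '%s\n' "$1" | cracklib-check 2>/dev/null)
    verdict=${out##*: }     # assumed output: "<password>: OK" or "<password>: <reason>"
    [ "$verdict" = "OK" ] && return 0
    printf '%s\n' "dictionary check: $verdict"
    return 1
}

# pw_check PASSWORD USER -> both checks; an installer would prompt y/n on failure
# instead of refusing outright, as Joey proposes.
pw_check() {
    pw_reason "$1" "$2" && pw_dict_reason "$1"
}
```

The printed reason is the part worth keeping whatever the final policy is: a prompt that says "password must not contain the user name" lets the user decide to accept or retype with more information than a bare "Weak password" error, which is Joey's point (a) above.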

Information stored:
Bug#364526; Package user-setup.

Acknowledgement sent to Otavio Salvador <otavio@debian.org>:
Extra info received and filed, but not forwarded.

Message #89 received at 364526-quiet@bugs.debian.org:

From: Otavio Salvador <otavio@debian.org>
To: 364526-submitter@bugs.debian.org, 364526-quiet@bugs.debian.org
Cc: Joey Hess <joeyh@debian.org>, Masami Ichikawa <masami256@gmail.com>
Subject: Re: Bug#364526: debian-installer: Please implement a password-checking module
Date: Thu, 21 Jun 2007 12:59:44 -0300
While I agree that the first proposal needs more work, it also looks
much better to me ... we can add it in a way we can disable it if needed
(during install, using preseeding) and then allow for its usage or not.

The second proposal looks simpler, but I dislike the idea of the first user
being checked only.

-- 
        O T A V I O    S A L V A D O R
---------------------------------------------
 E-mail: otavio@debian.org      UIN: 5906116
 GNU/Linux User: 239058     GPG ID: 49A5F855
 Home Page: http://otavio.ossystems.com.br
---------------------------------------------
"Microsoft sells you Windows ... Linux gives
 you the whole house."



Message sent on to Javier Fernández-Sanguino Peña <jfs@computer.org>:
Bug#364526.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#364526; Package user-setup.

Acknowledgement sent to stappers@stappers.nl (Geert Stappers):
Extra info received and forwarded to list. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>.

Message #97 received at 364526@bugs.debian.org:

From: stappers@stappers.nl (Geert Stappers)
To: Masami Ichikawa <masami256@gmail.com>, 364526@bugs.debian.org
Subject: Re: Bug#364526: debian-installer: Please implement a password-checking module
Date: Sat, 23 Jun 2007 16:25:14 +0200
Op 19-06-2007 om 21:58 schreef Masami Ichikawa:
 <snip/>
> +
> +	# password shouldn't be a login account.
> +	if test "$user" = "$passwd"; then
> +		return 0
> +	fi
> +
> +	# password shouldn't contain login account.
> +	ret=`echo $passwd | grep -ci $user`
> +	if test $ret = 1; then
> +		if test $passwd_len -ge $user_len; then 
> +			return 0
> +		fi
> +	fi

Those three tests can be reduced to one single test:

 +	# password shouldn't contain login account.
 +	ret=`echo $passwd | grep -ci $user`
 +	if test $ret = 1; then
 +		return 0
 +	fi


Cheers
Geert Stappers




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#364526; Package user-setup.

Acknowledgement sent to Steven Demetrius <steven.demetrius@fiwwi.com>:
Extra info received and forwarded to list. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>.

Message #102 received at 364526@bugs.debian.org:

From: Steven Demetrius <steven.demetrius@fiwwi.com>
To: 364526@bugs.debian.org
Subject: debian-installer: Please implement a password-checking module
Date: Sun, 28 Oct 2007 12:26:38 +0700

All:

I do realize the importance of good/strong passwords and the desire of
guiding installers to use them. I also realize the need for ease of use,
especially for new users.

If I'm new to the Debian installer I don't care about good/strong passwords,
as I know I will probably muck it up or want to redo the install several
times. So setting the root password to "root" is very convenient and not
a security risk.

Many new users to Debian complain how difficult and geeky it is to use.
Some of them even go back to MS. Open source should be about not only
choice but also simplicity.

If I want to run a kiosk that only displays pictures of the building it's
in, using a stand-alone machine locked in a box, I don't care about
security. It would really piss me off if I was forced to use a long,
complex password, as this would be a waste of my time.

Let the user/installer choose whether he/she wants to use "root" as the
root password or some 256 char long password with whatever set of
characters without bugging them. The guide is there and guess what...
the user/installer can read! If they choose to ignore the guidelines then
that is their choice.



--
Thank you.
*********************************************************************
                     Steven Demetrius
---------------------------------------------------------------------
                   Tel: (855 12) 810 350
            E-mail: steven.demetrius@fiwwi.com
*********************************************************************
                  Steven Demetrius 2007
*********************************************************************




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#364526; Package user-setup.

Acknowledgement sent to 364526@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>.

Message #107 received at 364526@bugs.debian.org:

From: Christian Perrier <bubulle@debian.org>
To: Steven Demetrius <steven.demetrius@fiwwi.com>, 364526@bugs.debian.org
Subject: Re: Bug#364526: debian-installer: Please implement a password-checking module
Date: Sun, 28 Oct 2007 10:00:11 +0100
Quoting Steven Demetrius (steven.demetrius@fiwwi.com):

> Many new users to Debian complain how difficult and geeky it is to use.

This is anything but a legend now. Sorry, but I (and probably many
other D-I developers) feel sick when reading this, as a full default
Debian install is as painless as any other Linux system install. I
suspect many Linux so-called gurus (or pseudo ones) to be responsible
for this and to continue to spread such a legend.


Anyway, I think you're missing the point of the bug report.

Being able to use weak passwords is not something we plan to remove
the possibility for. The point is only adding a check and warning users
when they use weak passwords...giving them the opportunity to either
go on (knowing what they're doing) or change their mind and use a
stronger password.

Even in the closed-source software world, this is something that is
done more and more (just look at the password policy for many
corporate environments based on Microsoft products), so I don't think
this is something that will scare users.

Again, this is not about strictly enforcing strong passwords.

Anyway, all this is science-fiction right now as nobody cared enough
to implement a good password quality test in user-setup.



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#364526; Package user-setup.

Acknowledgement sent to Steven Demetrius <steven.demetrius@fiwwi.com>:
Extra info received and forwarded to list. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>.

Message #112 received at 364526@bugs.debian.org:

From: Steven Demetrius <steven.demetrius@fiwwi.com>
To: 364526@bugs.debian.org
Subject: Re: Bug#364526: debian-installer: Please implement a password-checking module
Date: Sun, 28 Oct 2007 17:49:58 +0700

Christian:

Thanks for your response.
As you've quoted, my comment was aimed at Debian in general. I have also
previously commended the d-i team on its improvement of the d-i in etch.
Much easier to use. In fact it's now easier to use than MS's installer.
The GUI installer is very well done. Good job.

As long as the check is just a check and a warning then I have no
problem with it.

Unfortunately this was not the case with the locale and time zone
settings (bug 448328). Just wanted to make sure the same thing didn't
happen here.

Again I think the d-i team has done an excellent job in improving the
d-i. Keep up the good work.

PS. I have an idea for doing Debian training. Can you point me in the
right direction? I don't want to go into details here as this is not the
right place for it. You can email me directly.


Thanks.


Christian Perrier wrote:
> Quoting Steven Demetrius (steven.demetrius@fiwwi.com):
> 
>> Many new users to Debian complain how difficult and geeky it is to use.
> 
> This is anything but a legend now. Sorry, but I (and probably many
> other D-I developers) feel sick when reading this, as a full default
> Debian install is as painless as any other Linux system install. I
> suspect many Linux so-called gurus (or pseudo ones) to be responsible
> for this and to continue to spread such a legend.
> 
> 
> Anyway, I think you're missing the point of the bug report.
> 
> Being able to use weak passwords is not something we plan to remove
> the possibility for. The point is only adding a check and warning users
> when they use weak passwords...giving them the opportunity to either
> go on (knowing what they're doing) or change their mind and use a
> stronger password.
> 
> Even in the closed-source software world, this is something that is
> done more and more (just look at the password policy for many
> corporate environments based on Microsoft products), so I don't think
> this is something that will scare users.
> 
> Again, this is not about strictly enforcing strong passwords.
> 
> Anyway, all this is science-fiction right now as nobody cared enough
> to implement a good password quality test in user-setup.
> 
> 




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#364526; Package user-setup.

Acknowledgement sent to Geert Stappers <stappers@stappers.nl>:
Extra info received and forwarded to list. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>.

Message #117 received at 364526@bugs.debian.org:

From: Geert Stappers <stappers@stappers.nl>
To: 364526@bugs.debian.org, control@debian.org
Subject: Re: Bug#364526: debian-installer: Please implement a password-checking module
Date: Sun, 28 Oct 2007 22:24:02 +0100
# Anyway, all this is science-fiction right now as nobody cared enough
# to implement a good password quality test in user-setup.

tags 364526 +patch






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 07:49:53 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.