From owner-freebsd-security  Thu Nov 21 17: 4: 7 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id A9F7237B401
	for <security@FreeBSD.ORG>; Thu, 21 Nov 2002 17:04:05 -0800 (PST)
Received: from citi.umich.edu (citi.umich.edu [141.211.92.141])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 50B6043E9C
	for <security@FreeBSD.ORG>; Thu, 21 Nov 2002 17:04:05 -0800 (PST)
	(envelope-from provos@citi.umich.edu)
Received: by citi.umich.edu (Postfix, from userid 104123)
	id 84C12207D3; Thu, 21 Nov 2002 12:30:32 -0500 (EST)
Date: Thu, 21 Nov 2002 12:30:32 -0500
From: Niels Provos <provos@citi.umich.edu>
To: gkshenaut@ucdavis.edu
Cc: security@FreeBSD.ORG
Subject: Re: Strong Passwords
Message-ID: <20021121173032.GC9462@citi.citi.umich.edu>
References: <AFB399ACC132D511A0F700508B6FC8D201579702@mail.bankofamerica.com> <200211191955.gAJJt9Q77865@thistle.bogs.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200211191955.gAJJt9Q77865@thistle.bogs.org>
User-Agent: Mutt/1.3.27i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

On Tue, Nov 19, 2002 at 11:55:08AM -0800, Greg Shenaut wrote:
> I think the most straightforward way would be to hack your copy of
> /usr/src/usr.bin/passwd/local_passwd.c to enforce whatever you
> want.  If you go in there, you will probably also notice that the
> "requirements" of minimum length and not-all-lower-case can be
I added some improvements to OpenBSD's passwd awhile ago.

It allows you to call an external password checking program that
determines if the password's quality is acceptable.

Its configured via login.conf:

     passwordcheck      path                    An external program that
                                                checks the quality of the
                                                password.  The password is
                                                passed to the program on
                                                stdin. An exit code of 0 indi-
                                                cates that the quality of the
                                                password is sufficient, an ex-
                                                it code of 1 signals that the
                                                password failed the check.

Might be worthwhile porting.  The code is very simple.

Niels.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message