
Bug#364526: debian-installer: Please implement a password-checking module



Package: debian-installer
Version: 20060304
Tags: wishlist

Currently, the debian-installer warns the user to use a "secure" password (6
chars long, with different case letters and punctuation characters) but does
not make an attempt to determine if the user is indeed using one.

Since there are many SSH brute-forcers on the Internet now constantly probing
systems, I think it's best if the d-i could warn the user when it "sees" a
user or root password that it believes is insecure.

There are two ways to do this:

- the hard way, like Owl [1], which implements a password checking module 
  (pam_passwdqc, which was written by Solar Designer) and goes even
  further by proposing random passwords if the user is unable to provide
  one.

- the simple way, see attached code, which just tries to flag vulnerable
  passwords

IMHO, the installer should:

1.- ask for a password
2.- set the password
3.- check the password
4.- if the password is not "secure" warn the user and give him the
    option to change it (go back to 1) or to proceed

Maybe the check should just be done the first time the user enters a password
in order to avoid a frustrating loop from the user's POV of: "think of a password",
"got it", "damn, the system refuses it", "try to think of another one", "got it",
"damn! it doesn't like this one either", etc.

If this idea has merit, please say so and I will try to integrate the
attached code with user-setup's user-setup-ask (maybe through an external
script instead of rewriting it in sh?)

Regards

Javier

[1] http://www.openwall.com/Owl/
#!/usr/bin/perl -w
#
# (c) 2006 Javier Fernandez-Sanguino <jfs@debian.org>
#
# Distributed under the terms of the GNU GPLv2
#
# Read passwords from standard input (one per line) and determine whether
# each one is a robust password; prints a (simple) score for each.
#
# We expect:
# - at least 6 chars long
# - upper and lower case letters
# - at least one punctuation mark (i.e. a non-letter character)
#
# If score is 1 -> password is "secure" (it is as expected)
# If score is 0 -> password is not "secure" (it fails at least one condition)
#
# Caveats of this simple test:
# - It will not take into account keyboard combinations that
#   are valid (think: !qaz2WSX)
# - It will yell if you have an all-non-letters password

use strict;

while ( my $password = <STDIN> ) {
	chomp($password);

	my $length_score = 0;
	my $case_score = 0;
	my $punct_score = 0;

	# Condition 1: minimum length of 6 characters
	$length_score = 1 if ( length($password) >= 6 );
	# Condition 2: both upper- and lower-case letters present
	$case_score = 1 if ( $password =~ /[A-Z]/ && $password =~ /[a-z]/ );
	# Condition 3: remove all letters and check that something is left
	my $non_alpha = $password;
	$non_alpha =~ s/[A-Za-z]//g;
	$punct_score = 1 if ( length($non_alpha) > 0 );

	# All three conditions must hold for a score of 1
	my $score = ( $length_score && $case_score && $punct_score ) ? 1 : 0;
	print "Score is: $score\n";
}

exit 0;
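Since the report suggests calling the check from user-setup-ask, which is a shell script, the same three conditions are written below as a POSIX sh function. This is an added example, not the attached Perl script and not user-setup's own code; the function name password_check and its exit-status convention (0 = meets all conditions, 1 = at least one failed, with the failed conditions named on stderr so a warning dialog could list them) are assumptions made for the example.

```shell
#!/bin/sh
# Added example: the attached script's checks as a shell function that a
# shell-based installer step could call. Assumed interface: exit status 0
# when the password meets all three conditions, 1 otherwise; the names of
# the failed conditions go to stderr for use in a warning prompt.

password_check() {
    pw=$1
    failed=""

    # Condition 1: at least 6 characters long
    [ "${#pw}" -ge 6 ] || failed="$failed length"

    # Condition 2: both an upper-case and a lower-case letter present
    case $pw in
        *[[:upper:]]*) ;;
        *) failed="$failed uppercase" ;;
    esac
    case $pw in
        *[[:lower:]]*) ;;
        *) failed="$failed lowercase" ;;
    esac

    # Condition 3: at least one non-letter character (digit or punctuation)
    case $pw in
        *[![:alpha:]]*) ;;
        *) failed="$failed non-letter" ;;
    esac

    if [ -n "$failed" ]; then
        printf 'Password fails:%s\n' "$failed" >&2
        return 1
    fi
    return 0
}

# Usage: password_check "$candidate" || echo "weak password, ask again"
```

The function never echoes the password itself, only the names of the failed conditions, which keeps the candidate out of installer logs. As with the Perl version, an all-digit or all-punctuation password fails the upper-case and lower-case conditions even if it is long, which is the caveat the report already notes.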
