
Bug#364526: debian-installer: Please implement a password-checking module



The program code in the patch seems reasonable.
A thing I'd like to see changed
is "password check" into "password strength check".


On 16-06-2007 at 21:41, Masami Ichikawa wrote:
> Hello.
> 
> I wrote a password checking feature implemented by shell script in function.sh.

 a password strength checking feature


<snip what="header of patch"/>

> +# Returns a true value if password seems to be a safety.

# Return a true value if password seems to be strong enough

> +chkpasswd ()
chkpasswdstrength()

> +{
> +    user=$1
> +    passwd=$2
> +
> +    user_len=`echo $user | wc -c`
> +    passwd_len=`echo $passwd | wc -c`
> +
> +    # password length should be bigger than four.
> +    if test $passwd_len -lt 5; then
> +	return 0
> +    fi
> +
> +    # password shouldn't be a login account.
> +    if test "$user" = "$passwd"; then
> +	return 0
> +    fi
> +
> +    # password shouldn't contain login account.
> +    ret=`echo $passwd | grep -ci $user`
> +    if test $ret = 1; then
> +	if test $passwd_len -ge $user_len; then 

???
That check doesn't look reasonable ...
	
> +	    return 0
> +	fi
> +    fi
> +
> +}
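
Review bot: every exit path of chkpasswd returns 0 and the function has no return for a password that passes, so the status after the last "if" is also 0 and the callers' "if" treats every password as bad. Return non-zero (for example "return 1") on the reject paths, or end the function with an explicit return for the accept case, and make the header comment agree with whichever convention is chosen. Separately, "echo $passwd | wc -c" counts the trailing newline, so "-lt 5" accepts a four-character password although the comment says the length should be bigger than four. The unquoted $passwd and $user in "echo" and in "grep -ci $user" are word-split and glob-expanded, and $user is interpreted as a regular expression; quote them and use a fixed-string match.
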
> Index: debian/user-setup-udeb.templates
> ===================================================================
> --- debian/user-setup-udeb.templates	(revision 47257)
> +++ debian/user-setup-udeb.templates	(working copy)
> @@ -43,6 +43,12 @@
>   Please enter the same root password again to verify that you have typed it
>   correctly.
>  
> +Template: passwd/chkpasswd
   Template: passwd/chkpasswdstrength

> +Type: boolean
> +Default: false
> +_Description: : Check a password?
   _Description: : Check password strength?

> + Safety password will make secure system.
    Stronger password will make a more secure system.

> +
>  Template: passwd/make-user
>  Type: boolean
>  Default: true
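
Review bot: the short description of the added passwd/chkpasswd template, "_Description: : Check a password?", carries a stray ": ", and the extended description does not say what is checked. State the rules the check applies (minimum length, password not equal to or containing the login name) so that a user answering the question knows what enabling it does.
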
> @@ -110,6 +116,12 @@
>   You entered an empty password, which is not allowed.
>   Please choose a non-empty password.
>  
> +Template: user-setup/chkpasswd-bad
   Template: user-setup/chkpasswdstrength-bad

> +Type: error
> +_Description: The password does not seem safety.
  +_Description: The password does not seem strong.

> + The password you entered is not look safety. 

  + The password you entered is not a strong password. 


> + Please mix the capital letter, the small letter, and numbers with the password. 

  + Make a mix of capital letters, small letters AND numbers for the password. 

> +
>  Template: passwd/shadow
>  Type: boolean
>  Default: true
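
Review bot: the advice in user-setup/chkpasswd-bad to mix capital letters, small letters and numbers does not match what chkpasswd tests; the function in this patch rejects only on length and on the login name appearing in the password. Either describe the actual reasons for rejection in the error text or add a character-class check to the function, otherwise a user who follows the advice can be rejected again without knowing why.
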
> Index: user-setup-ask
> ===================================================================
> --- user-setup-ask	(revision 47257)
> +++ user-setup-ask	(working copy)
> @@ -37,6 +37,8 @@
>  		db_input low passwd/shadow || true
>  		# Ask if root should be allowed to login.
>  		db_input medium passwd/root-login || true
> +		# Ask if user wants to check a password
  +		# Ask if user wants to check password strength

> +		db_input low passwd/chkpasswd || true
  +		db_input low passwd/chkpasswdstrength || true

>  	;;
>  	1)
>  		db_get passwd/root-login
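
Review bot: "db_input low passwd/chkpasswd" combined with "Default: false" in the template means the check stays off unless the question is shown at low priority or the value is preseeded. If the check is meant to cover ordinary installs, default it to true or raise the priority; if it is meant to be opt-in, say so in the template description.
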
> @@ -63,6 +65,9 @@
>  			# root password will be locked
>  			db_set passwd/root-password-again ""
>  		elif ! root_password; then
> +		        db_get passwd/chkpasswd || true
  +		db_input low passwd/chkpasswdstrength || true

> +			PW_CHK="$RET"
> +
>  			# First check whether the root password was preseeded crypted
>  			db_get passwd/root-password-crypted || true
>  			if ! test "$RET" ; then
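
Review bot: PW_CHK is assigned only inside the "elif ! root_password; then" branch, so as far as the visible context shows, when the preceding branch runs (root password will be locked) it is never set and the [ "$PW_CHK" = true ] test in the user-password hunk silently skips the check. Read passwd/chkpasswd once before the branch, or read it again where the user password is checked. The added db_get line is also indented with spaces where the surrounding lines use tabs.
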
> @@ -78,6 +83,16 @@
>  					STATE=0
>  					continue
>  				fi
> +				if [ "$PW_CHK" = true ]; then
> +				        if `chkpasswd "root" "$ROOT_PW"`; then
> +					    db_fset user-setup/chkpasswd-bad seen false
  +					    db_fset user-setup/chkpasswdstrength-bad seen false

> +					    db_input critical user-setup/chkpasswd-bad
  +					    db_input critical user-setup/chkpasswdstrength-bad

> +					    db_fset passwd/root-password seen false
> +					    db_fset passwd/root-password-again seen false
> +					    STATE=0
> +					    continue
> +					fi		
> +				fi
>  				db_get passwd/root-password-again
>  				if [ "$ROOT_PW" != "$RET" ]; then
>  					db_fset user-setup/password-mismatch seen false
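
Review bot: the backticks around the chkpasswd call in the added "if" run the function in a command substitution and then execute whatever it prints as a command. Call the function directly, as in: if chkpasswd "root" "$ROOT_PW"; then. That also keeps the function's exit status as the only thing the branch depends on.
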
> @@ -192,6 +207,19 @@
>  					STATE=6
>  					continue
>  				fi
> +				if [ "$PW_CHK" = true ]; then
> +				        if `chkpasswd "$USER" "$USER_PW"`; then
> +					    db_set passwd/user-password ""
> +					    db_set passwd/user-password-again ""
> +					    db_fset user-setup/chkpasswd-bad seen false
  +					    db_fset user-setup/chkpasswdstrength-bad seen false

> +					    db_input critical user-setup/chkpasswd-bad
  +					    db_input critical user-setup/chkpasswdstrength-bad

> +					    db_fset passwd/user-password seen false
> +					    db_fset passwd/user-password-again seen false
> +					    STATE=6
> +					    continue
> +					fi		
> +				fi
> +
>  			fi
>  		fi
>  	;;
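
Review bot: this hunk clears passwd/user-password and passwd/user-password-again with db_set before asking again, while the root-password hunk above only resets the seen flags and leaves the rejected value in place. Handle a rejected password the same way in both places. The chkpasswd call here is wrapped in backticks as in the root hunk and should likewise be called directly.
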


Cheers
Geert Stappers
-- 
Here some Bruce Schneier quote like
 "security is not having long passwords"



