
[v2,1/2] cracklib: New package

Message ID 20170405124234.7035-1-stefan.sorensen@spectralink.com
State Superseded

Commit Message

Sørensen, Stefan April 5, 2017, 12:42 p.m. UTC
Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
---

Changes since v1:

 * Update DEVELOPERS file
 * Use SPDX license codes
 * Use the tools from host-cracklib for generating dictionary files

 DEVELOPERS                     |  1 +
 package/Config.in              |  1 +
 package/cracklib/Config.in     | 28 ++++++++++++++++++++++++++++
 package/cracklib/cracklib.hash |  3 +++
 package/cracklib/cracklib.mk   | 41 +++++++++++++++++++++++++++++++++++++++++
 5 files changed, 74 insertions(+)
 create mode 100644 package/cracklib/Config.in
 create mode 100644 package/cracklib/cracklib.hash
 create mode 100644 package/cracklib/cracklib.mk

Comments

Danomi Manchego April 5, 2017, 2:31 p.m. UTC | #1
Stefan,

On Wed, Apr 5, 2017 at 8:42 AM, Stefan Sørensen
<stefan.sorensen@spectralink.com> wrote:
> Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
> ---
>
> Changes since v1:
>
>  * Update DEVELOPERS file
>  * Use SPDX license codes
>  * Use the tools from host-cracklib for generating dictionary files
>
>  DEVELOPERS                     |  1 +
>  package/Config.in              |  1 +
>  package/cracklib/Config.in     | 28 ++++++++++++++++++++++++++++
>  package/cracklib/cracklib.hash |  3 +++
>  package/cracklib/cracklib.mk   | 41 +++++++++++++++++++++++++++++++++++++++++
>  5 files changed, 74 insertions(+)
>  create mode 100644 package/cracklib/Config.in
>  create mode 100644 package/cracklib/cracklib.hash
>  create mode 100644 package/cracklib/cracklib.mk
>
> diff --git a/DEVELOPERS b/DEVELOPERS
> index 37c610e..c31b410 100644
> --- a/DEVELOPERS
> +++ b/DEVELOPERS
> @@ -1467,6 +1467,7 @@ F:        package/proxychains-ng/
>  F:     package/yasm/
>
>  N:     Stefan Sørensen <stefan.sorensen@spectralink.com>
> +F:     package/cracklib/
>  F:     package/libscrypt/
>
>  N:     Stephan Hoffmann <sho@relinux.de>
> diff --git a/package/Config.in b/package/Config.in
> index 71bd44a..66e9201 100644
> --- a/package/Config.in
> +++ b/package/Config.in
> @@ -1338,6 +1338,7 @@ menu "Other"
>         source "package/clapack/Config.in"
>         source "package/classpath/Config.in"
>         source "package/cppcms/Config.in"
> +       source "package/cracklib/Config.in"
>         source "package/dawgdic/Config.in"
>         source "package/ding-libs/Config.in"
>         source "package/eigen/Config.in"
> diff --git a/package/cracklib/Config.in b/package/cracklib/Config.in
> new file mode 100644
> index 0000000..cf428fd
> --- /dev/null
> +++ b/package/cracklib/Config.in
> @@ -0,0 +1,28 @@
> +config BR2_PACKAGE_CRACKLIB
> +       bool "cracklib"
> +       help
> +         CrackLib tests passwords to determine whether they match
> +         certain security-oriented characteristics, with the purpose
> +         of stopping users from choosing passwords that are easy to
> +         guess. CrackLib performs several tests on passwords: it
> +         tries to generate words from a username and gecos entry and
> +         checks those words against the password; it checks for
> +         simplistic patterns in passwords; and it checks for the
> +         password in a dictionary.
> +
> +         https://github.com/cracklib/cracklib
> +
> +if BR2_PACKAGE_CRACKLIB
> +
> +config BR2_PACKAGE_CRACKLIB_TOOLS
> +       bool "install tools"
> +       help
> +         Install cracklib command line tools for creating dicts.
> +
> +config BR2_PACKAGE_CRACKLIB_FULL_DICT
> +       bool "full dict"
> +       help
> +         Install the full cracklib dict (requires about 8Mb extra target
> +         space).
> +
> +endif
> diff --git a/package/cracklib/cracklib.hash b/package/cracklib/cracklib.hash
> new file mode 100644
> index 0000000..3038a47
> --- /dev/null
> +++ b/package/cracklib/cracklib.hash
> @@ -0,0 +1,3 @@
> +# Locally calculated
> +sha256 17cf76943de272fd579ed831a1fd85339b393f8d00bf9e0d17c91e972f583343        cracklib-2.9.6.tar.gz
> +sha256 27973245225eeb9d0090e97f3dea4197dec99b64d9d3a791a60298f3b021824c        cracklib-words-2.9.6.gz
> diff --git a/package/cracklib/cracklib.mk b/package/cracklib/cracklib.mk
> new file mode 100644
> index 0000000..4e816a8
> --- /dev/null
> +++ b/package/cracklib/cracklib.mk
> @@ -0,0 +1,41 @@
> +################################################################################
> +#
> +# cracklib
> +#
> +################################################################################
> +
> +CRACKLIB_VERSION = 2.9.6
> +CRACKLIB_SITE = https://github.com/cracklib/cracklib/releases/download/cracklib-$(CRACKLIB_VERSION)
> +CRACKLIB_LICENSE = LGPL-2.1
> +CRACKLIB_LICENSE_FILES = COPYING.LIB
> +CRACKLIB_INSTALL_STAGING = YES
> +CRACKLIB_DEPENDENCIES = host-cracklib
> +ifeq ($(BR2_PACKAGE_CRACKLIB_FULL_DICT),y)
> +CRACKLIB_EXTRA_DOWNLOADS = cracklib-words-$(CRACKLIB_VERSION).gz
> +endif

You could move the CRACKLIB_EXTRA_DOWNLOADS assignment down to the
if-BR2_PACKAGE_CRACKLIB_FULL_DICT below, where cracklib-words is
actually used, and eliminate an if.

> +
> +ifeq ($(BR2_PACKAGE_CRACKLIB_TOOLS),)
> +define CRACKLIB_REMOVE_TOOLS
> +       rm -f $(TARGET_DIR)/usr/sbin/*cracklib*
> +endef
> +
> +CRACKLIB_POST_INSTALL_TARGET_HOOKS += CRACKLIB_REMOVE_TOOLS
> +endif
> +
> +ifeq ($(BR2_PACKAGE_CRACKLIB_FULL_DICT),y)
> +CRACKLIB_DICT_SOURCE = $(DL_DIR)/cracklib-words-$(CRACKLIB_VERSION).gz
> +else
> +CRACKLIB_DICT_SOURCE = $(@D)/dicts/cracklib-small
> +endif
> +
> +define CRACKLIB_BUILD_DICT
> +       $(HOST_DIR)/usr/sbin/cracklib-format $(CRACKLIB_DICT_SOURCE) | \
> +               $(HOST_DIR)/usr/sbin/cracklib-packer \
> +               $(TARGET_DIR)/usr/share/cracklib/pw_dict

Maybe it would be wise to preface this line with a $(HOST_MAKE_ENV)
just in case cracklib-format or cracklib-packer make use of any other
cracklib tools?

No need to mkdir -p $(TARGET_DIR)/usr/share/cracklib first?

Regards,
Danomi -


> +       rm $(TARGET_DIR)/usr/share/cracklib/cracklib-small
> +endef
> +
> +CRACKLIB_POST_INSTALL_TARGET_HOOKS += CRACKLIB_BUILD_DICT
> +
> +$(eval $(autotools-package))
> +$(eval $(host-autotools-package))
> --
> 2.9.3
>
> _______________________________________________
> buildroot mailing list
> buildroot@busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot
Thomas Petazzoni April 6, 2017, 3:19 p.m. UTC | #2
Hello Stefan,

On Wed,  5 Apr 2017 14:42:33 +0200, Stefan Sørensen wrote:
> Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
> ---

I still see the same behavior:

/home/thomas/projets/buildroot/output/host/usr/sbin/cracklib-format /home/thomas/dl/cracklib-words-2.9.6.gz | /home/thomas/projets/buildroot/output/host/usr/sbin/cracklib-packer /home/thomas/projets/buildroot/output/target/usr/share/cracklib/pw_dict
skipping line: 1
4 3
rm /home/thomas/projets/buildroot/output/target/usr/share/cracklib/cracklib-small

And then in the target:

$ ls -l output/target/usr/share/cracklib/*
-rw-r--r-- 1 thomas thomas  360 avril  6 17:17 output/target/usr/share/cracklib/cracklib.magic
-rw-r--r-- 1 thomas thomas 1024 avril  6 17:17 output/target/usr/share/cracklib/pw_dict.hwm
-rw-r--r-- 1 thomas thomas   50 avril  6 17:17 output/target/usr/share/cracklib/pw_dict.pwd
-rw-r--r-- 1 thomas thomas   16 avril  6 17:17 output/target/usr/share/cracklib/pw_dict.pwi

i.e, the dictionary is empty (size is ridiculously small).

Thomas
Danomi Manchego April 6, 2017, 8:29 p.m. UTC | #3
On Thu, Apr 6, 2017 at 11:19 AM, Thomas Petazzoni
<thomas.petazzoni@free-electrons.com> wrote:
> Hello Stefan,
>
> On Wed,  5 Apr 2017 14:42:33 +0200, Stefan Sørensen wrote:
>> Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
>> ---
>
> I still see the same behavior:
>
> /home/thomas/projets/buildroot/output/host/usr/sbin/cracklib-format /home/thomas/dl/cracklib-words-2.9.6.gz | /home/thomas/projets/buildroot/output/host/usr/sbin/cracklib-packer /home/thomas/projets/buildroot/output/target/usr/share/cracklib/pw_dict
> skipping line: 1
> 4 3
> rm /home/thomas/projets/buildroot/output/target/usr/share/cracklib/cracklib-small
>
> And then in the target:
>
> $ ls -l output/target/usr/share/cracklib/*
> -rw-r--r-- 1 thomas thomas  360 avril  6 17:17 output/target/usr/share/cracklib/cracklib.magic
> -rw-r--r-- 1 thomas thomas 1024 avril  6 17:17 output/target/usr/share/cracklib/pw_dict.hwm
> -rw-r--r-- 1 thomas thomas   50 avril  6 17:17 output/target/usr/share/cracklib/pw_dict.pwd
> -rw-r--r-- 1 thomas thomas   16 avril  6 17:17 output/target/usr/share/cracklib/pw_dict.pwi
>
> i.e, the dictionary is empty (size is ridiculously small).

FWIW - it looks to me like the grep call in cracklib-format is
concluding that cracklib-words is a binary file:

    buildroot/output/host/usr/sbin/cracklib-format cracklib-words-2.9.6.gz

    ]
    ]]
    binaryfilestandardinputmatches

If the grep is patched to have a -a to force the file to be treated as
text, then you get big numbers:

    skipping line: 1
    warning: input out of order: 'ghabcdefghabcdefghabcdefghabcd'
should not follow 'habcdefghabcdefghabcdefghabcde' (line 55362)
    warning: input out of order: 'fghabcdefghabcdefghabcdefghabc'
should not follow 'ghabcdefghabcdefghabcdefghabcd' (line 55363)
    warning: input out of order: 'efghabcdefghabcdefghabcdefghab'
should not follow 'fghabcdefghabcdefghabcdefghabc' (line 55364)
    warning: input out of order: 'fghabcdefghabcdefghabcdefghabc'
should not follow 'ghabcdefghabcdefghabcdefghabcd' (line 55366)
    warning: input out of order: 'abcdefghi' should not follow
'fghabcdefghabcdefghabcdefghabc' (line 55367)
    1911513 1911512

Or, if you use an older cracklib-words, like
http://downloads.sourceforge.net/cracklib/cracklib-words-20080507.gz,
then this problem is also avoided.

Danomi -



>
> Thomas
> --
> Thomas Petazzoni, CTO, Free Electrons
> Embedded Linux, Kernel and Android engineering
> http://free-electrons.com
> _______________________________________________
> buildroot mailing list
> buildroot@busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot

Patch

diff --git a/DEVELOPERS b/DEVELOPERS
index 37c610e..c31b410 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -1467,6 +1467,7 @@  F:	package/proxychains-ng/
 F:	package/yasm/
 
 N:	Stefan Sørensen <stefan.sorensen@spectralink.com>
+F:	package/cracklib/
 F:	package/libscrypt/
 
 N:	Stephan Hoffmann <sho@relinux.de>
diff --git a/package/Config.in b/package/Config.in
index 71bd44a..66e9201 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -1338,6 +1338,7 @@  menu "Other"
 	source "package/clapack/Config.in"
 	source "package/classpath/Config.in"
 	source "package/cppcms/Config.in"
+	source "package/cracklib/Config.in"
 	source "package/dawgdic/Config.in"
 	source "package/ding-libs/Config.in"
 	source "package/eigen/Config.in"
diff --git a/package/cracklib/Config.in b/package/cracklib/Config.in
new file mode 100644
index 0000000..cf428fd
--- /dev/null
+++ b/package/cracklib/Config.in
@@ -0,0 +1,28 @@ 
+config BR2_PACKAGE_CRACKLIB
+	bool "cracklib"
+	help
+	  CrackLib tests passwords to determine whether they match
+	  certain security-oriented characteristics, with the purpose
+	  of stopping users from choosing passwords that are easy to
+	  guess. CrackLib performs several tests on passwords: it
+	  tries to generate words from a username and gecos entry and
+	  checks those words against the password; it checks for
+	  simplistic patterns in passwords; and it checks for the
+	  password in a dictionary.
+
+	  https://github.com/cracklib/cracklib
+
+if BR2_PACKAGE_CRACKLIB
+
+config BR2_PACKAGE_CRACKLIB_TOOLS
+	bool "install tools"
+	help
+	  Install cracklib command line tools for creating dicts.
+
+config BR2_PACKAGE_CRACKLIB_FULL_DICT
+	bool "full dict"
+	help
+	  Install the full cracklib dict (requires about 8Mb extra target
+	  space).
+
+endif
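Review bot: The help text of BR2_PACKAGE_CRACKLIB_FULL_DICT does not say what is installed when the option is left off, although cracklib.mk in this same patch falls back to `dicts/cracklib-small` in that case. The size of the dictionary bounds how many guessable passwords the dictionary check can catch, so the help should state the trade-off, for example `If unset, the small dictionary from the cracklib source tree is installed instead.` The option has no `default` line and is therefore off unless selected, which is worth saying in the same sentence.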
diff --git a/package/cracklib/cracklib.hash b/package/cracklib/cracklib.hash
new file mode 100644
index 0000000..3038a47
--- /dev/null
+++ b/package/cracklib/cracklib.hash
@@ -0,0 +1,3 @@ 
+# Locally calculated
+sha256	17cf76943de272fd579ed831a1fd85339b393f8d00bf9e0d17c91e972f583343	cracklib-2.9.6.tar.gz
+sha256	27973245225eeb9d0090e97f3dea4197dec99b64d9d3a791a60298f3b021824c	cracklib-words-2.9.6.gz
diff --git a/package/cracklib/cracklib.mk b/package/cracklib/cracklib.mk
new file mode 100644
index 0000000..4e816a8
--- /dev/null
+++ b/package/cracklib/cracklib.mk
@@ -0,0 +1,41 @@ 
+################################################################################
+#
+# cracklib
+#
+################################################################################
+
+CRACKLIB_VERSION = 2.9.6
+CRACKLIB_SITE = https://github.com/cracklib/cracklib/releases/download/cracklib-$(CRACKLIB_VERSION)
+CRACKLIB_LICENSE = LGPL-2.1
+CRACKLIB_LICENSE_FILES = COPYING.LIB
+CRACKLIB_INSTALL_STAGING = YES
+CRACKLIB_DEPENDENCIES = host-cracklib
+ifeq ($(BR2_PACKAGE_CRACKLIB_FULL_DICT),y)
+CRACKLIB_EXTRA_DOWNLOADS = cracklib-words-$(CRACKLIB_VERSION).gz
+endif
+
+ifeq ($(BR2_PACKAGE_CRACKLIB_TOOLS),)
+define CRACKLIB_REMOVE_TOOLS
+	rm -f $(TARGET_DIR)/usr/sbin/*cracklib*
+endef
+
+CRACKLIB_POST_INSTALL_TARGET_HOOKS += CRACKLIB_REMOVE_TOOLS
+endif
+
+ifeq ($(BR2_PACKAGE_CRACKLIB_FULL_DICT),y)
+CRACKLIB_DICT_SOURCE = $(DL_DIR)/cracklib-words-$(CRACKLIB_VERSION).gz
+else
+CRACKLIB_DICT_SOURCE = $(@D)/dicts/cracklib-small
+endif
+
+define CRACKLIB_BUILD_DICT
+	$(HOST_DIR)/usr/sbin/cracklib-format $(CRACKLIB_DICT_SOURCE) | \
+		$(HOST_DIR)/usr/sbin/cracklib-packer \
+		$(TARGET_DIR)/usr/share/cracklib/pw_dict
+	rm $(TARGET_DIR)/usr/share/cracklib/cracklib-small
+endef
+
+CRACKLIB_POST_INSTALL_TARGET_HOOKS += CRACKLIB_BUILD_DICT
+
+$(eval $(autotools-package))
+$(eval $(host-autotools-package))
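Review bot: CRACKLIB_BUILD_DICT never checks that the packed dictionary actually contains words, so the hook succeeds and the image is produced even when `cracklib-packer` writes almost nothing. Because the recipe is a pipeline, make only sees the exit status of `cracklib-packer` unless the shell runs with pipefail, so an error in `cracklib-format` is lost as well. For a password-strength checker this fails open: with a near-empty `pw_dict` the dictionary test on the target presumably rejects very little. Consider ending the hook with a sanity check such as `test $$(wc -c < $(TARGET_DIR)/usr/share/cracklib/pw_dict.pwd) -ge <MIN_BYTES>` (the threshold is a placeholder to choose per dictionary), plus a comment above the define naming the `pw_dict.*` files the hook is expected to create.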