From ea0b51c7e8f8943cbdd16fb44bf2cda9c555d464 Mon Sep 17 00:00:00 2001 From: Peter Palfrader Date: Mon, 15 Sep 2008 14:25:48 +0200 Subject: [PATCH] Add password checking via a python wrapper --- debian/changelog | 6 ++++ debian/control | 3 +- debian/rules | 5 ++- password-qualify-check | 72 ++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 84 insertions(+), 2 deletions(-) create mode 100755 password-qualify-check diff --git a/debian/changelog b/debian/changelog index 513a5d6..e43a4dc 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +userdir-ldap-cgi (0.3.18) unstable; urgency=low + + * Add password checking via a python wrapper. + + -- Peter Palfrader Mon, 15 Sep 2008 14:25:44 +0200 + userdir-ldap-cgi (0.3.17) unstable; urgency=low * Comment out uuid - nobody will get it's just an identifier. diff --git a/debian/control b/debian/control index f555fae..df2aa2b 100644 --- a/debian/control +++ b/debian/control @@ -8,7 +8,8 @@ Uploaders: Ryan Murray , Joey Schulze Package: userdir-ldap-cgi Architecture: all -Depends: userdir-ldap, perl5, libnet-ldap-perl, libcrypt-blowfish-perl, gnupg (>= 1.0.3), libdate-manip-perl, liburi-perl, libio-socket-ssl-perl, libossp-uuid-perl, libdigest-hmac-perl +Depends: userdir-ldap, perl5, libnet-ldap-perl, libcrypt-blowfish-perl, gnupg (>= 1.0.3), libdate-manip-perl, liburi-perl, libio-socket-ssl-perl, libossp-uuid-perl, libdigest-hmac-perl, python, python-crack, cracklib-runtime +Recommends: wamerican, wamerican-large, wamerican-small, wbritish, wbritish-large, wbritish-small, wbulgarian, wcanadian, wcanadian-large, wcanadian-small, wcatalan, wdanish, wdutch, wfaroese, wfinnish, wfrench, wgalician-minimos, witalian, wngerman, wnorwegian, wogerman, wpolish, wspanish, wswedish, wswiss, wukrainian Replaces: userdir-ldap Description: CGI programs for the db.debian.org These programs are run on http://db.debian.org/ to simplify the diff --git a/debian/rules b/debian/rules index 456a393..dfe5385 100755 
--- a/debian/rules +++ b/debian/rules @@ -19,7 +19,8 @@ instdirs = \ var/www/userdir-ldap \ var/cache/userdir-ldap/web-cookies \ var/cache/userdir-ldap/hosts \ - usr/share/doc/$(package) + usr/share/doc/$(package) \ + usr/lib/userdir-ldap-cgi binary-indep: build dh_testdir @@ -33,6 +34,8 @@ binary-indep: build chown www-data:www-data $(i)/var/cache/userdir-ldap/web-cookies/ chmod u=rwx,g=,o= $(i)/var/cache/userdir-ldap/web-cookies/ + install -m 755 password-qualify-check $(i)/usr/lib/userdir-ldap-cgi + install -m 644 apache-config.txt $(i)/usr/share/doc/$(package) dh_installchangelogs diff --git a/password-qualify-check b/password-qualify-check new file mode 100755 index 0000000..45fd18d --- /dev/null +++ b/password-qualify-check 
@@ -0,0 +1,72 @@
+#!/usr/bin/python
+
+# check password quality using cracklib given a new password, optionally the
+# old password, and a list of ldap/gecos words via stdin, each on a line by
+# itself (send an empty line if you want to skip the old password check)
+
+# Copyright (c) 2008 Peter Palfrader
+
+import crack, sys, tempfile, os
+
+def cleanup(dir):
+ if not dir.startswith('/tmp/pwcheck-'):
+ raise ValueError, 'cleanup got a weird dir to remove: '+dir
+ for f in 'dict.hwm dict.pwd dict.pwi wordlist wordlist-cleaned'.split(' '):
+ p = dir+'/'+f
+ if os.path.exists(p):
+ os.remove(p)
+ if os.path.exists(dir):
+ os.rmdir(dir)
+
+
+
+newpass = sys.stdin.readline().strip()
+oldpass = sys.stdin.readline().strip()
+ldapwords = map( lambda x: x.strip(), sys.stdin.readlines())
+
+if oldpass == "":
+ oldpass = None
+
+
+crack.min_length = 11
+
+# check against the default dictionary
+try:
+ crack.VeryFascistCheck(newpass, oldpass)
+except ValueError, e:
+ print e
+ sys.exit(1)
+
+# and against a dictionary created from the ldap info on this user
+if len(ldapwords) > 0:
+ tmpdir = tempfile.mkdtemp('', 'pwcheck-')
+ F = open(tmpdir+'/wordlist', "w")
+ for w in ldapwords:
+ F.write(w+"\n");
+ for w1 in ldapwords:
+ for w2 in ldapwords:
+ F.write(w1+w2+"\n");
+ F.write(w1[0]+w2+"\n");
+ F.close()
+
+ r = os.system("/usr/sbin/crack_mkdict "+tmpdir+"/wordlist > "+tmpdir+"/wordlist-cleaned")
+ if r != 0:
+ print "crack_mkdict returned non-zero exit status %d."%(r)
+ cleanup(tmpdir)
+ sys.exit(1)
+ r = os.system("/usr/sbin/crack_packer "+tmpdir+"/dict < "+tmpdir+"/wordlist-cleaned > /dev/null")
+ if r != 0:
+ print "crack_packer returned non-zero exit status %d."%(r)
+ cleanup(tmpdir)
+ sys.exit(1)
+
+ try:
+ crack.VeryFascistCheck(newpass, None, tmpdir+"/dict")
+ except ValueError, e:
+ print "ldap data based check: "+str(e)
+ cleanup(tmpdir)
+ sys.exit(1)
+
+ cleanup(tmpdir)
+
+sys.exit(0)
-- 2.20.1
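Review bot: A blank line among the LDAP/gecos words on stdin makes `F.write(w1[0]+w2+"\n")` raise IndexError, because `ldapwords` keeps empty strings after `strip()`; the script then ends in a traceback before any `cleanup(tmpdir)` call, so the per-user wordlist directory stays behind. Dropping empty entries where the list is built, `ldapwords = filter(None, map(lambda x: x.strip(), sys.stdin.readlines()))`, removes that case. The dictionary build and the second check would be safer inside a `try:` / `finally: cleanup(tmpdir)` so that every exit path, including `sys.exit(1)` and unexpected exceptions, removes the directory. Separately, `cleanup` accepts only paths starting with `/tmp/pwcheck-` while `tempfile.mkdtemp('', 'pwcheck-')` follows TMPDIR, so with TMPDIR set the guard would raise instead of cleaning up; comparing against `tempfile.gettempdir()` keeps the guard without the hard-coded path.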