Thread

Commits

  1. doc: Update cracklib URL

  2. passwordcheck: Log cracklib diagnostics

  1. passwordcheck: Log cracklib diagnostics

    Peter Eisentraut <peter.eisentraut@2ndquadrant.com> — 2020-08-25T10:20:21Z

    A user tried to use the cracklib build-time option of the passwordcheck 
    module.  This failed, as it turned out because there was no dictionary 
    installed in the right place, but the error was not properly reported, 
    because the existing code just throws away the error message from 
    cracklib.  Attached is a patch that changes this by logging any error 
    message returned from the cracklib call.
    
    -- 
    Peter Eisentraut              http://www.2ndQuadrant.com/
    PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
    
  2. Re: passwordcheck: Log cracklib diagnostics

    Daniel Gustafsson <daniel@yesql.se> — 2020-08-25T11:48:39Z

    > On 25 Aug 2020, at 12:20, Peter Eisentraut <peter.eisentraut@2ndquadrant.com> wrote:
    > 
    > A user tried to use the cracklib build-time option of the passwordcheck module.  This failed, as it turned out because there was no dictionary installed in the right place, but the error was not properly reported, because the existing code just throws away the error message from cracklib.  Attached is a patch that changes this by logging any error message returned from the cracklib call.
    
    +1 on this, it's also in line with the example documentation from cracklib.
    The returned error is potentially a bit misleading now, as it might say claim
    that a strong password is easily cracked if the dictionary fails load.  Given
    that there is no way to distinguish between the class of returned errors it's
    hard to see how we can do better though.
    
    While poking at this, we might as well update the docs to point to the right
    URL for CrackLib as it moved from Sourceforge five years ago.  The attached
    diff fixes that.
    
    cheers ./daniel
    
    
  3. Re: passwordcheck: Log cracklib diagnostics

    Laurenz Albe <laurenz.albe@cybertec.at> — 2020-08-25T13:32:18Z

    On Tue, 2020-08-25 at 13:48 +0200, Daniel Gustafsson wrote:
    > > On 25 Aug 2020, at 12:20, Peter Eisentraut <peter.eisentraut@2ndquadrant.com> wrote:
    > > 
    > > A user tried to use the cracklib build-time option of the passwordcheck module.  This failed, as it turned out because there was no dictionary installed in the right place, but the error was not
    > > properly reported, because the existing code just throws away the error message from cracklib.  Attached is a patch that changes this by logging any error message returned from the cracklib call.
    > 
    > +1 on this, it's also in line with the example documentation from cracklib.
    > The returned error is potentially a bit misleading now, as it might say claim
    > that a strong password is easily cracked if the dictionary fails load.  Given
    > that there is no way to distinguish between the class of returned errors it's
    > hard to see how we can do better though.
    > 
    > While poking at this, we might as well update the docs to point to the right
    > URL for CrackLib as it moved from Sourceforge five years ago.  The attached
    > diff fixes that.
    
    +1 on both patches.
    
    Yours,
    Laurenz Albe
    
    
    
    
    
  4. Re: passwordcheck: Log cracklib diagnostics

    Peter Eisentraut <peter.eisentraut@2ndquadrant.com> — 2020-08-28T06:26:00Z

    On 2020-08-25 15:32, Laurenz Albe wrote:
    > On Tue, 2020-08-25 at 13:48 +0200, Daniel Gustafsson wrote:
    >>> On 25 Aug 2020, at 12:20, Peter Eisentraut <peter.eisentraut@2ndquadrant.com> wrote:
    >>>
    >>> A user tried to use the cracklib build-time option of the passwordcheck module.  This failed, as it turned out because there was no dictionary installed in the right place, but the error was not
    >>> properly reported, because the existing code just throws away the error message from cracklib.  Attached is a patch that changes this by logging any error message returned from the cracklib call.
    >>
    >> +1 on this, it's also in line with the example documentation from cracklib.
    >> The returned error is potentially a bit misleading now, as it might say claim
    >> that a strong password is easily cracked if the dictionary fails load.  Given
    >> that there is no way to distinguish between the class of returned errors it's
    >> hard to see how we can do better though.
    >>
    >> While poking at this, we might as well update the docs to point to the right
    >> URL for CrackLib as it moved from Sourceforge five years ago.  The attached
    >> diff fixes that.
    > 
    > +1 on both patches.
    
    Pushed both patches, thanks.
    
    -- 
    Peter Eisentraut              http://www.2ndQuadrant.com/
    PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services