FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » FUDforum Development » Plugins and Code Hacks » Make Fudforum enforce good passwords using cracklib
Show: Today's Messages :: Polls :: Message Navigator
Switch to threaded view of this topic Create a new topic Submit Reply
Make Fudforum enforce good passwords using cracklib [message #27289] Sat, 03 September 2005 09:25 Go to next message
Iadnah is currently offline  Iadnah   United States
Messages: 7
Registered: September 2005
Karma: 0
Junior Member
I had some issues on my forum with admins picking horrible passwords, so I set out to find a way to force them to use good ones. After some messing around I figured out how to add cracklib[1] functionality to FUDforum.

Requirements:
PHP 4.0+ compiled with the '--with-crack' option
Cracklib 2.7 or greater
A cracklib dictionary

Cracklib comes with most Linux distros, so I won't go over how to install it. You can make a dictionary from just about any text file, although cracklib comes with a pretty good one. It's typically stored in a directory like /usr/share/cracklib and will consist of three files, pw_dict.hwm, pw_dict.pwd, and pw_dict.pwi. They might be located in a different place or named something different on your computer.


Now, you need to open the file rpasswd.php.t in the FUDforum/src directory in a text editor, ideally one that doesn't use word wrap. From the command line I use nano -w.

Scroll through and find the section that looks like this:
        if (isset($_POST['btn_submit'], $_POST['passwd1'], $_POST['cpasswd']) && is_string($_POST['passwd1'])) {
                if (__fud_real_user__ != q_singleval("SELECT id FROM {SQL_TABLE_PREFIX}users WHERE login='".addslashes($usr->login)."' AND passwd='".md5((string)$_POST['cpasswd'])."'")) {
                        $rpasswd_error_msg = '{TEMPLATE: rpasswd_invalid_passwd}';
                } else if ($_POST['passwd1'] !== $_POST['passwd2']) {
                        $rpasswd_error_msg = '{TEMPLATE: rpasswd_passwd_nomatch}';
                } else if (strlen($_POST['passwd1']) < 6 ) {
                        $rpasswd_error_msg = '{TEMPLATE: rpasswd_passwd_length}';
                } else {
                        q("UPDATE {SQL_TABLE_PREFIX}users SET passwd='".md5($_POST['passwd1'])."' WHERE id=".__fud_real_user__);
                        logaction(__fud_real_user__, 'CHANGE_PASSWD', 0, get_ip());
                        exit('<html><script>window.close();</script></html>');
                }

                $rpasswd_error = '{TEMPLATE: rpasswd_error}';
        } else {
                $rpasswd_error = '';
        }



You need to change it so it looks like this (you might want to edit this to make it work how you want):
        if (isset($_POST['btn_submit'], $_POST['passwd1'], $_POST['cpasswd']) && is_string($_POST['passwd1'])) {
                if (__fud_real_user__ != q_singleval("SELECT id FROM fud26_users WHERE login='".addslashes($usr->login)."' AND passwd='".md5((string)$_POST['cpasswd'])."'")) {
                        $rpasswd_error_msg = 'Invalid Password';
                }
                else
                {
                        $temppass = $_POST['passwd1'];
                        $dictionary = crack_opendict('/usr/share/cracklib/pw_dict') or die('Unable to open CrackLib dictionary');
                        $check = crack_check($dictionary, "$temppass");
                        $diag = crack_getlastmessage();
                        if ($diag != "strong password")
                        {
                                $rpasswd_error_msg = "Password error: $diag";
                        }

                        else if ($_POST['passwd1'] !== $_POST['passwd2']) {
                                $rpasswd_error_msg = 'Passwords do not match';
                        } else if (strlen($_POST['passwd1']) < 6 ) {
                                $rpasswd_error_msg = 'Password must be at least 6 characters long';
                        } else {
                                q("UPDATE fud26_users SET passwd='".md5($_POST['passwd1'])."' WHERE id=".__fud_real_user__);
                                logaction(__fud_real_user__, 'CHANGE_PASSWD', 0, get_ip());
                                exit('<html><script>window.close();</script></html>');
                        }

                        $rpasswd_error = '<tr><td class="rpasswdE" colspan=2>'.$rpasswd_error_msg.'</td></tr>';

                }
                }
                else {
                        $rpasswd_error = '';
                }


That'll make it so that current users will need to pick good passwords when changing their passwords. The following will make it so new users must also pick good passwords.

Edit register.php.t and find this section:
                $_POST['reg_plaintext_passwd'] = trim($_POST['reg_plaintext_passwd']);

                if (strlen($_POST['reg_plaintext_passwd']) < 6) {
                        set_err('reg_plaintext_passwd', '{TEMPLATE: register_err_shortpasswd}');
                }

                $_POST['reg_plaintext_passwd_conf'] = trim($_POST['reg_plaintext_passwd_conf']);

                if ($_POST['reg_plaintext_passwd'] !== $_POST['reg_plaintext_passwd_conf']) {
                        set_err('reg_plaintext_passwd', '{TEMPLATE: register_err_passwdnomatch}');
                }


You'll need to change it to this (or whatever works for you):
                $_POST['reg_plaintext_passwd'] = trim($_POST['reg_plaintext_passwd']);

                if (strlen($_POST['reg_plaintext_passwd']) < 6) {
                        set_err('reg_plaintext_passwd', '{TEMPLATE: register_err_shortpasswd}');
                }

                $temppass = $_POST['reg_plaintext_passwd'];

                $dictionary = crack_opendict('/usr/share/cracklib/pw_dict') or die('Unable to open CrackLib dictionary');
                $check = crack_check($dictionary, "$temppass");
                $diag = crack_getlastmessage();

                if ($diag != "strong password")
                {
                        set_err('reg_plaintext_passwd', "Password error: $diag");
                }

                $_POST['reg_plaintext_passwd_conf'] = trim($_POST['reg_plaintext_passwd_conf']);

                if ($_POST['reg_plaintext_passwd'] !== $_POST['reg_plaintext_passwd_conf']) {
                        set_err('reg_plaintext_passwd', '{TEMPLATE: register_err_passwdnomatch}');
                }


Really, with Cracklib there's no need to even have the built-in length restrictions, but I just tried to mess with the original code as little as possible. Let me know what you all think of this.

1: Cracklib: A C library used to check the strength of passwords. It's used by most Linux/UNIX systems that support Pluggable Access Modules.

[Updated on: Sat, 03 September 2005 09:25]

Report message to a moderator

Re: Make Fudforum enforce good passwords using cracklib [message #27298 is a reply to message #27289] Sat, 03 September 2005 19:13 Go to previous messageGo to next message
Ilia is currently offline  Ilia   Canada
Messages: 13241
Registered: January 2002
Karma: 0
Senior Member
Administrator
Core Developer
Cracklib extension is just about the rarest extension ever, in my many years of experience as PHP user and developer I've seen under 10 systems where it was enabled.

FUDforum Core Developer
Re: Make Fudforum enforce good passwords using cracklib [message #27313 is a reply to message #27289] Sun, 04 September 2005 04:41 Go to previous messageGo to next message
Iadnah is currently offline  Iadnah   United States
Messages: 7
Registered: September 2005
Karma: 0
Junior Member
Well, I happen to personally own the server my site's hosted on, so for me it's not an issue to have it enabled. I just thought I'd share the code.
Re: Make Fudforum enforce good passwords using cracklib [message #27624 is a reply to message #27289] Sat, 17 September 2005 00:54 Go to previous messageGo to next message
hdezmora is currently offline  hdezmora   Puerto Rico
Messages: 3
Registered: September 2005
Karma: 0
Junior Member
Hi there,
sorry for disturbe you, but could you help me to use the crack functions on php? I have already installed php4-4.3.10-14.11 and cracklib-2.7-1010 on SuSE 9.3 but I don't know how to configure php to use crack functions.
Taking your example code, the following error occurs:

Fatal error: Call to undefined function: crack_opendict() in php_file

Any help will be appreciated.
With regards,
- Hugo R. Hernandez-Mora
Re: Make Fudforum enforce good passwords using cracklib [message #27625 is a reply to message #27289] Sat, 17 September 2005 04:49 Go to previous messageGo to next message
Iadnah is currently offline  Iadnah   United States
Messages: 7
Registered: September 2005
Karma: 0
Junior Member
The Suse rpm of PHP probably wasn't compiled for use with cracklib. You need to go to php.net and download the source code for the latest 4.x series of PHP.

Then, make a simple php script with the command phpinfo(); in it. Go to that script in a browser and at the top of the page it'll say what options PHP was compiled with. When you compile the source code you downloaded you'll want to use the exact same options, but add --with-crack to them.
Re: Make Fudforum enforce good passwords using cracklib [message #27627 is a reply to message #27625] Sat, 17 September 2005 16:09 Go to previous messageGo to next message
hdezmora is currently offline  hdezmora   Puerto Rico
Messages: 3
Registered: September 2005
Karma: 0
Junior Member
but... I must uninstall the php rpm?

rpm -e php4-4.3.10-14.11
Re: Make Fudforum enforce good passwords using cracklib [message #27634 is a reply to message #27289] Sat, 17 September 2005 19:58 Go to previous messageGo to next message
Iadnah is currently offline  Iadnah   United States
Messages: 7
Registered: September 2005
Karma: 0
Junior Member
Yeah.
Re: Make Fudforum enforce good passwords using cracklib [message #27638 is a reply to message #27634] Sun, 18 September 2005 13:19 Go to previous messageGo to next message
hdezmora is currently offline  hdezmora   Puerto Rico
Messages: 3
Registered: September 2005
Karma: 0
Junior Member
I'll try that. Thank you.
Re: Make Fudforum enforce good passwords using cracklib [message #27645 is a reply to message #27289] Sun, 18 September 2005 22:40 Go to previous message
Iadnah is currently offline  Iadnah   United States
Messages: 7
Registered: September 2005
Karma: 0
Junior Member
No problem at all. If I get the time (and become sufficiently bored) I may write a function for FUD that does the same thing but without the need of cracklib. I realize that most servers probably don't have it enabled by default and most people either don't compile from source, or aren't able to (due to someone else owning the server).
  Switch to threaded view of this topic Create a new topic Submit Reply
Previous Topic: Total users online
Next Topic: I can't search chinese topic
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Thu Oct 31 23:45:15 GMT 2024

Total time taken to generate the page: 0.05126 seconds