From b0561c03291646f2a558f400b20b1a1ba546f3d2 Mon Sep 17 00:00:00 2001
From: Justin Mitchell <arthur@sucs.org>
Date: Thu, 23 Oct 2008 12:18:10 +0000
Subject: [PATCH] Use cracklib for password checking and feedback the reason to the user

---
 components/options.php | 8 +++++++-
 lib/validation.php | 34 ++++++++++++++++++++++++++++++++++
 2 files changed, 41 insertions(+), 1 deletion(-)

diff --git a/components/options.php b/components/options.php
index b9e97ea..9feeaac 100644
--- a/components/options.php
+++ b/components/options.php
@@ -26,11 +26,17 @@ function changePassword ($oldpass, $newpass1, $newpass2) {
 trigger_error("New passwords do not match", E_USER_WARNING);
 return FALSE;
 }
-
+/*
 if (!strongPassword($newpass1)) {
 trigger_error("New password is too weak.", E_USER_WARNING);
 return FALSE;
 }
+*/
+ $reason = weakPassword($newpass1);
+ if ($reason !== FALSE) {
+ trigger_error("New password is weak: $reason", E_USER_WARNING);
+ return FALSE;
+ }
 
 if (!($ldap = @ldap_connect("ldap://localhost"))) {
 trigger_error("LDAP connect failed", E_USER_ERROR);
diff --git a/lib/validation.php b/lib/validation.php
index 3f218b4..43136e9 100644
--- a/lib/validation.php
+++ b/lib/validation.php
@@ -30,6 +30,7 @@ function validEmail ($email)
 // test whether a password is considered Strong Enough
 // ideally we'd want to use cracklib or something here, but no RPM for the php bindings :-(
+// dont use this, use weakPassword instead it uses cracklib
 function strongPassword ($pass) {
 // you call this a password? my cat could bruteforce this.
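Review bot: The old strongPassword() call is kept as a `/* … */` block instead of being deleted; the commit already marks weakPassword() as its replacement in lib/validation.php, so the dead block should go — history keeps it. A second, smaller point: `$reason` is text read back from an external program and is interpolated straight into `trigger_error("New password is weak: $reason", E_USER_WARNING)`, while every other message in this function is a fixed literal; if the site's error handler renders warnings into an HTML page, that value should be passed through `htmlspecialchars()` first — the handler is not visible here, so confirm. changePassword() begins and continues outside this hunk.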
@@ -61,4 +62,37 @@ function strongPassword ($pass) {
 }
 }
 
+# Use cracklib to check for weak passwords.
+# returns FALSE if the password is good i.e. not weak
+# otherwise returns a string saying why its weak
+function weakPassword($password)
+{
+ // Try fedora then debian known paths
+ if (file_exists("/usr/sbin/cracklib-check"))
+ $cracklib = "/usr/sbin/cracklib-check";
+ else
+ if (file_exists("/usr/sbin/crack_testlib"))
+ $cracklib = "/usr/sbin/crack_testlib";
+ else
+ return "Cannot find cracklib";
+
+ $proc = proc_open($cracklib, array(0=>array("pipe","r"),1=>array("pipe","w")),$pipes,'/tmp/',NULL);
+ if (!is_resource($proc)) {
+ return "Cannot find cracklib";
+ }
+ fwrite($pipes[0], $password);
+ fclose($pipes[0]);
+ $last = "";
+ do {
+ $last = fgets($pipes[1]);
+ if ($last !== FALSE) $answer = trim($last);
+ } while ($last !== FALSE);
+ fclose($pipes[1]);
+ proc_close($proc);
+ $answer = substr(strrchr($answer,":"),2);
+ if (strtolower($answer) == "ok") return FALSE;
+ if ($answer == "") return("Empty password");
+ return $answer;
+}
+
 ?>
-- 
GitLab
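Review bot: The password is written to cracklib-check verbatim and the read loop keeps only the last output line, so a password containing a line break is judged as several candidates and the verdict returned is for the final fragment rather than for the password that will actually be stored; reject `\r`/`\n` up front before spawning the checker. Related, `$answer` is never initialised: if the checker prints nothing (it crashes, or only writes to the stderr this code does not capture), `strrchr($answer, ":")` runs on an undefined variable and the call falls through to "Empty password" by accident rather than by design — initialise it and turn a missing `candidate: verdict` line into an explicit refusal, matching the fail-closed "Cannot find cracklib" branch. Feeding the password over stdin and invoking a fixed path with no user-derived text in the `proc_open` command string are the right choices and should stay as they are. The two `==` comparisons on `$answer` would also read better as `===`.
```php
function weakPassword($password)
{
	// cracklib-check judges one candidate per input line, so a line break
	// inside the password would leave only the last fragment being checked
	if (strpbrk($password, "\r\n") !== FALSE)
		return "Password must not contain line breaks";
	// … unchanged: locate cracklib binary, proc_open, write password …
	$answer = "";   // stays empty if the checker prints nothing
	$last = "";
	// … unchanged: read loop, fclose, proc_close …
	// no "candidate: verdict" line means the checker failed; fail closed
	if (strrchr($answer, ":") === FALSE)
		return "Password checker gave no answer";
	$answer = substr(strrchr($answer, ":"), 2);
	// … unchanged: OK / empty / reason handling …
```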