From: | Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at> |
---|---|
To: | Daniel Gustafsson <daniel(at)yesql(dot)se>, Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com> |
Cc: | pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: passwordcheck: Log cracklib diagnostics |
Date: | 2020-08-25 13:32:18 |
Message-ID: | 48637f956e427fb34bc6ecd7a51872ab9683318f.camel@cybertec.at |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Tue, 2020-08-25 at 13:48 +0200, Daniel Gustafsson wrote:
> > On 25 Aug 2020, at 12:20, Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com> wrote:
> >
> > A user tried to use the cracklib build-time option of the passwordcheck module. This failed, as it turned out because there was no dictionary installed in the right place, but the error was not
> > properly reported, because the existing code just throws away the error message from cracklib. Attached is a patch that changes this by logging any error message returned from the cracklib call.
>
> +1 on this, it's also in line with the example documentation from cracklib.
> The returned error is potentially a bit misleading now, as it might say claim
> that a strong password is easily cracked if the dictionary fails load. Given
> that there is no way to distinguish between the class of returned errors it's
> hard to see how we can do better though.
>
> While poking at this, we might as well update the docs to point to the right
> URL for CrackLib as it moved from Sourceforge five years ago. The attached
> diff fixes that.
+1 on both patches.
Yours,
Laurenz Albe
From | Date | Subject | |
---|---|---|---|
Next Message | Daniel Gustafsson | 2020-08-25 13:52:14 | Move OpenSSL random under USE_OPENSSL_RANDOM |
Previous Message | Heikki Linnakangas | 2020-08-25 13:32:02 | Re: Refactor pg_rewind code and make it work against a standby |