A user tried to use the cracklib build-time option of the passwordcheck module. This failed, as it turned out, because there was no dictionary installed in the right place, but the error was not properly reported, because the existing code just throws away the error message from cracklib. Attached is a patch that changes this by logging any error message returned from the cracklib call.

--
Peter Eisentraut              http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
From 00d5c1e1a9b65339bee6449e49eab053fef2a34f Mon Sep 17 00:00:00 2001
From: Peter Eisentraut <pe...@eisentraut.org>
Date: Tue, 25 Aug 2020 12:12:42 +0200
Subject: [PATCH] passwordcheck: Log cracklib diagnostics

When calling cracklib to check the password, the diagnostic from
cracklib was thrown away.  This would hide essential information such
as no dictionary being installed.  Change this to show the cracklib
error message using errdetail_log().
---
 contrib/passwordcheck/passwordcheck.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/contrib/passwordcheck/passwordcheck.c 
b/contrib/passwordcheck/passwordcheck.c
index d5f9d14b01..70f056232f 100644
--- a/contrib/passwordcheck/passwordcheck.c
+++ b/contrib/passwordcheck/passwordcheck.c
@@ -91,6 +91,9 @@ check_password(const char *username,
                int                     i;
                bool            pwd_has_letter,
                                        pwd_has_nonletter;
+#ifdef USE_CRACKLIB
+               const char *reason;
+#endif
 
                /* enforce minimum length */
                if (pwdlen < MIN_PWD_LENGTH)
@@ -125,10 +128,11 @@ check_password(const char *username,
 
 #ifdef USE_CRACKLIB
                /* call cracklib to check password */
-               if (FascistCheck(password, CRACKLIB_DICTPATH))
+               if ((reason = FascistCheck(password, CRACKLIB_DICTPATH)))
                        ereport(ERROR,
                                        
(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-                                        errmsg("password is easily cracked")));
+                                        errmsg("password is easily cracked"),
+                                        errdetail_log("cracklib diagnostic: 
%s", reason)));
 #endif
        }
 
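Review bot: errdetail_log() in the new ereport() call sends the cracklib diagnostic only to the server log, so the client still sees just "password is easily cracked" even when the actual cause is a setup problem such as the missing dictionary named in the commit message. If keeping the reason away from the client is intended, a one-line comment above the FascistCheck() call saying so would make that clear to later readers; if not, errdetail() would let the user who is setting the password see why it was rejected. It may also be worth separating the two cases, since a dictionary that cannot be opened is an installation error and not a weak password, yet both are reported with the same errmsg and ERRCODE_INVALID_PARAMETER_VALUE.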
-- 
2.28.0
