On Fri, 2013-09-06 at 09:04 -0400, Matthew Miller wrote:
> The cracklib dicts in Fedora are 8.3M. (I'm sure some of this is my fault, as
> I've added to it over the years.) The cracklib pam module supports a
> compressed dictionary, but apparently it has a serious performance impact
> (https://bugzilla.redhat.com/show_bug.cgi?id=1004896).
>
> Meanwhile, in many systems today, local passwords are entirely unused.
> Authentication is done via keys or by Kerberos.
>
> At the same time, we have an increased need for smaller systems. That 8MB
> starts to be a meaningful fraction of a container or an ultra-small cloud
> image.
>
> I do recognize the value of protecting against dictionary-based attacks when
> passwords are used. Maybe we could have a policy which requires _longer_
> passwords but uses a much smaller dictionary?
The other option would be to fix the gzip support in cracklib to cache
the unpacked data somehow. However, that would require keeping the
unpacked dictionary in RAM while cracklib is loaded, which is suboptimal
as well. Or we could make the cracklib-dicts optional somehow, so that it is
possible to install an ultra-small cloud image without the dictionary at
all - I expect an ultra-small cloud image would not need password quality
checking at all.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
(You'll never know whether the road is wrong though.)
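As an added illustration (not code from cracklib, Fedora, or either poster), here is a small Python sketch of the two ideas raised in the thread: decompress a gzip'd word list once and keep it in memory for the lifetime of the checker, and pair a much smaller dictionary with a longer minimum length. The sample word list, the mangling rules (lowercase, reversed, leading/trailing non-letters stripped) and the length thresholds are constructed assumptions that only approximate what cracklib actually does; they are here to show the trade-off, not to reproduce its algorithm.

```python
import gzip
import io
import re

# Constructed sample word list standing in for cracklib-dicts (assumption:
# a real deployment would read a gzip'd file such as /usr/share/cracklib/...).
SAMPLE_WORDS = ["password", "letmein", "fedora", "qwerty", "dragon", "welcome"]


def build_gzip_dict(words):
    """Produce the compressed on-disk form of a word list, one word per line."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb") as gz:
        gz.write("\n".join(words).encode("utf-8"))
    return buf.getvalue()


class DictChecker:
    """Password quality check: minimum length plus a small dictionary lookup.

    The gzip'd list is unpacked exactly once, in __init__, and kept as a set
    in RAM. That is the caching approach discussed in the thread: it avoids
    re-inflating the archive on every check at the cost of holding the
    unpacked words in memory while the checker object lives.
    """

    def __init__(self, gz_bytes, min_length):
        self.min_length = min_length
        with gzip.GzipFile(fileobj=io.BytesIO(gz_bytes), mode="rb") as gz:
            text = gz.read().decode("utf-8")
        self.words = frozenset(
            line.strip().lower() for line in text.splitlines() if line.strip()
        )

    @staticmethod
    def candidates(password):
        """Simplified mangling (assumption, not cracklib's exact rule set):
        compare the lowercased password, its reverse, and both forms with
        leading/trailing non-letters removed, so 'Password1234' and
        'drowssap4567' both map back to 'password'."""
        base = password.lower()
        stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", base)
        forms = {base, base[::-1], stripped, stripped[::-1]}
        forms.discard("")
        return forms

    def check(self, password):
        """Return 'too short', 'dictionary word', or 'ok'."""
        if len(password) < self.min_length:
            return "too short"
        if any(form in self.words for form in self.candidates(password)):
            return "dictionary word"
        return "ok"


def run_checks(min_length=12):
    """Run a fixed set of constructed test passwords through one checker and
    return {password: verdict}, so the policy trade-off can be inspected."""
    checker = DictChecker(build_gzip_dict(SAMPLE_WORDS), min_length=min_length)
    samples = [
        "Password123",            # dictionary word, but rejected on length first
        "Password1234",           # long enough, still a mangled dictionary word
        "drowssap4567",           # reversed dictionary word with digits appended
        "correct horse battery",  # long, not in the small dictionary
    ]
    return {pw: checker.check(pw) for pw in samples}


if __name__ == "__main__":
    for pw, verdict in run_checks().items():
        print(f"{pw!r}: {verdict}")
```

With a 12-character minimum, the short dictionary catches the obvious mangled forms and the length rule does the rest; dropping the minimum to 8 makes the same small list noticeably weaker, which is the point of pairing the two knobs rather than shipping the full 8MB list.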