samba password complexity check

A Samba server can act as a PDC (primary domain controller).
You can enforce a password policy with the pdbedit command,
but it does not check for complexity. To check complexity, Samba provides the “check password script” parameter in smb.conf, along with crackcheck, which uses cracklib.
But what do you do when you need a specific password complexity policy?
You can write your own script. Any language will do, as long as the script exits with 0 (zero) when the password is acceptable and with a value higher than 0 when it is not.
Here is an example of such a script, written in Perl:

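#!/usr/bin/perl
# Password complexity check for Samba's "check password script" hook.
#
# Reads one candidate password from standard input and exits 0 when it meets
# every minimum configured below.  Otherwise it prints the reason to stdout
# and exits non-zero, which the caller treats as a rejection.
#
# The diagnostics report counts only; the password itself is never printed.
# These are composition rules only: nothing here compares the password with
# a dictionary, so this complements rather than replaces a cracklib-based
# check.

use strict;
use warnings;

# --- policy -----------------------------------------------------------------
my $min_length      = 8;
my $min_uppercase   = 1;
my $min_lowercase   = 1;
my $min_digits      = 1;
my $min_specialchar = 1;

# Comma-separated list of accepted special characters.  Because the comma is
# the separator, a comma can never be one of the special characters.
my $specialchars = '!,@,#,$,%,^,&,*,(,),-,_,+,=';

# --- input ------------------------------------------------------------------
# Read the password from standard input (it can be piped in).  Only the first
# line is considered.  An empty stream yields undef, which is treated as an
# empty password so that the length check below rejects it.
my $str_pass = <STDIN>;
$str_pass = '' unless defined $str_pass;

# Drop the line terminator if there is one, so the length is right whether or
# not the caller appends a newline.  (Starting the counter at -1 instead
# under-counts by one when no newline is sent.)
chomp $str_pass;

# --- counting ---------------------------------------------------------------
# NOTE(review): STDIN has no decoding layer here, so unless one is configured
# externally a multi-byte character counts once per byte towards the length
# and matches none of the classes below.
my $ctr_length      = length $str_pass;
my $ctr_uppercase   = 0;
my $ctr_lowercase   = 0;
my $ctr_digits      = 0;
my $ctr_specialchar = 0;

# Exact-match lookup table for the special characters.  A hash lookup avoids
# interpolating characters such as '(' , '*' or '$' into a regex, where they
# would be treated as metacharacters instead of literals.
my %is_special = map { $_ => 1 } split /,/, $specialchars;

for my $pass_char ( split //, $str_pass ) {
    if ( $pass_char =~ /[A-Z]/ ) {
        $ctr_uppercase++;
    }
    elsif ( $pass_char =~ /[a-z]/ ) {
        $ctr_lowercase++;
    }
    elsif ( $pass_char =~ /[0-9]/ ) {
        $ctr_digits++;
    }
    elsif ( $is_special{$pass_char} ) {
        $ctr_specialchar++;
    }
    # Anything else (space, '~', ...) counts towards the length only.
}

# --- verdict ----------------------------------------------------------------
# Exit codes are kept as published: 1 length, 2 uppercase, 3 lowercase or
# digits (shared), 4 special characters.  Any non-zero value is a rejection.

# check if we reached the minimal length
if ( $ctr_length < $min_length ) {
    print "too short , minimum $min_length and got $ctr_length \n";
    exit 1;
}

# check if we reached the minimal number of uppercase letters
if ( $ctr_uppercase < $min_uppercase ) {
    print "not enough upercase , minimum $min_uppercase and got $ctr_uppercase \n";
    exit 2;
}

# check if we reached the minimal number of lowercase letters
if ( $ctr_lowercase < $min_lowercase ) {
    print "not enough lowercase , minimum $min_lowercase and got $ctr_lowercase \n";
    exit 3;
}

# check if we reached the minimal number of digits
if ( $ctr_digits < $min_digits ) {
    print "not enough digits , minimum $min_digits and got $ctr_digits \n";
    exit 3;
}

# check if we reached the minimal number of special characters
if ( $ctr_specialchar < $min_specialchar ) {
    print "not enough special characters , minimum $min_specialchar and got $ctr_specialchar \n";
    exit 4;
}

# Every check passed: report success to the caller.
exit 0;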