Jonathon Reinhart
2022-Feb-24 22:02 UTC
[Samba] password complexity bypasswd by check password script
On Thu, Feb 24, 2022 at 4:54 PM Andrew Bartlett <abartlet at samba.org> wrote:
>
> On Thu, 2022-02-24 at 16:50 -0500, Jonathon Reinhart via samba wrote:
> >
> > I am also using the "check password script" option in smb.conf to
> > check passwords against the HIBP database
> > (https://gitlab.com/JonathonReinhart/passhashdb).
> >
> > I, too, was completely unaware that using "check password script"
> > bypasses the built-in password complexity checks. Andrew, I
> > understand your rationale, and I agree with Francis that a
> > documentation update would be very welcome.
>
> So please prepare the documentation patch, and also please write update
> a wiki page on using the HIBP database.

This should be easy enough.

Andrew, I could look in the code, but can you confirm that this only
replaces the *complexity* and not the minimum length requirements?

Francis, can you share what solution you are using for checking
against HIBP? I'm fairly happy with my solution; it is very fast due
to the binary-search algorithm. However, I'm not thrilled with the
need for a wrapper script, as I indicate here:
https://gitlab.com/JonathonReinhart/passhashdb/-/tree/master#use-with-samba
Perhaps someone has a better idea for dealing with the database path
and log path. I was trying to avoid another config file, but I guess
the wrapper script serves the same purpose...

Jonathon
Andrew Bartlett
2022-Feb-24 22:05 UTC
[Samba] password complexity bypasswd by check password script
On Thu, 2022-02-24 at 17:02 -0500, Jonathon Reinhart wrote:
> On Thu, Feb 24, 2022 at 4:54 PM Andrew Bartlett <abartlet at samba.org>
> wrote:
> > On Thu, 2022-02-24 at 16:50 -0500, Jonathon Reinhart via samba
> > wrote:
> > > I am also using the "check password script" option in smb.conf to
> > > check passwords against the HIBP database
> > > (https://gitlab.com/JonathonReinhart/passhashdb).
> > >
> > > I, too, was completely unaware that using "check password script"
> > > bypasses the built-in password complexity checks. Andrew, I
> > > understand your rationale, and I agree with Francis that a
> > > documentation update would be very welcome.
> >
> > So please prepare the documentation patch, and also please write
> > update
> > a wiki page on using the HIBP database.
>
> This should be easy enough.
>
> Andrew, I could look in the code, but can you confirm that this only
> replaces the *complexity* and not the minimum length requirements?

Yes, that is the case. Those can be tuned independently.

> Francis, can you share what solution you are using for checking
> against HIBP? I'm fairly happy with my solution; it is very fast due
> to the binary-search algorithm. However, I'm not thrilled with the
> need for a wrapper script, as I indicate here:
> https://gitlab.com/JonathonReinhart/passhashdb/-/tree/master#use-with-samba
> Perhaps someone has a better idea for dealing with the database path
> and log path. I was trying to avoid another config file, but I guess
> the wrapper script serves the same purpose...
>
> Jonathon

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source Solutions
Francis
2022-Feb-24 22:24 UTC
[Samba] password complexity bypasswd by check password script
On Thu, Feb 24, 2022 at 17:03, Jonathon Reinhart <jonathon.reinhart at gmail.com> wrote:
>
> Francis, can you share what solution you are using for checking
> against HIBP? I'm fairly happy with my solution; it is very fast due
> to the binary-search algorithm. However, I'm not thrilled with the
> need for a wrapper script, as I indicate here:
> https://gitlab.com/JonathonReinhart/passhashdb/-/tree/master#use-with-samba
> Perhaps someone has a better idea for dealing with the database path
> and log path. I was trying to avoid another config file, but I guess
> the wrapper script serves the same purpose...
>

Nothing fancy, I use this script:
https://github.com/sfonteneau/haveibeenpwnd_for_check_password_script_samba
(I'm not the author).
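
Added example, not code from anyone in this thread and not taken from passhashdb or the linked script: since the thread establishes that a configured "check password script" replaces the built-in complexity check (minimum length stays enforced separately), a script that only consults a breached-password list has to re-implement complexity itself, and the one below does both. The 3-of-4 character-class rule, the exit codes 1 and 2, the database layout (sorted, fixed-width raw SHA-1 digests) and reading the account name from the `SAMBA_CPS_ACCOUNT_NAME` environment variable are assumptions; the sample database is constructed.

```python
"""Example 'check password script': complexity check plus breached-hash lookup."""
import hashlib
import io
import os
import sys

RECLEN = 20  # assumed DB layout: sorted, fixed-width raw SHA-1 digests

def is_complex(password, account=""):
    """Approximate complexity rule: 3 of 4 character classes, no account name."""
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if len(account) >= 3 and account.lower() in password.lower():
        return False
    return sum(classes) >= 3

def is_breached(db, password):
    """Binary-search the digest file; db is a seekable binary file object."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    lo, hi = 0, db.seek(0, os.SEEK_END) // RECLEN
    while lo < hi:
        mid = (lo + hi) // 2
        db.seek(mid * RECLEN)
        rec = db.read(RECLEN)
        if rec == digest:
            return True
        if rec < digest:
            lo = mid + 1
        else:
            hi = mid
    return False

def check(password, db, account=""):
    """Return 0 (accept) only if both checks pass; Samba rejects on non-zero."""
    if not is_complex(password, account):
        return 1
    return 2 if is_breached(db, password) else 0

if __name__ == "__main__":
    # Constructed sample DB; a real deployment would open its hash file instead.
    sample = sorted(hashlib.sha1(p).digest() for p in (b"Password1!", b"Summer2022!"))
    pw = sys.stdin.readline().rstrip("\n")  # Samba sends the password on stdin
    acct = os.environ.get("SAMBA_CPS_ACCOUNT_NAME", "")  # assumed to be exported
    sys.exit(check(pw, io.BytesIO(b"".join(sample)), acct))
```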