On Fri, Sep 06, 2013 at 03:08:54PM +0200, Tomas Mraz wrote: > On Fri, 2013-09-06 at 09:04 -0400, Matthew Miller wrote: > > The cracklib dicts in Fedora is 8.3M. (I'm sure some of this is my fault, as > > I've added to it over the years.) The cracklib pam module supports a > > compressed dictionary, but apparently it has a serious performance impact > > (https://bugzilla.redhat.com/show_bug.cgi?id=1004896). > > > > Meanwhile, in many systems today, local passwords are entirely unused. > > Authentication is done via keys or by kerberos. > > > > At the same time, we have an increased need for smaller systems. That 8MB > > starts to be a meaningful fraction of a container or an ultra-small cloud > > image. > > > > I do recognize the value of protecting against dictionary-based attacks when > > passwords are used. Maybe we could have a policy which requires _longer_ > > passwords but uses a much smaller dictionary? > > The other option would be to fix the gzip support in cracklib to cache > the unpacked data somehow. However that would require to keep the > unpacked dictionary in RAM when cracklib is loaded, which is suboptimal > as well. Or we could make the cracklib-dicts optional somehow so it is > possible to install an ultra small cloud image without the dictionary at > all - I expect ultra small cloud image not needing password quality > checking at all. As an unscientific test, I looked at how long it takes to decompress the file pw_dict.pwd file with gzip # gzip -c -9 /usr/share/cracklib/pw_dict.pwd > pw_dict.pwd.gz # echo 2 > /proc/sys/vm/drop_caches # time gunzip -c pw_dict.pwd.gz > pw_dict.pwd real 0m0.112s user 0m0.104s sys 0m0.007s IOW, AFAICT, decompression time of pw_dict.pwd should not even be noticable, unless it is decompressing it multiple times during a single password change operation ? Even then it would have to be decompressing it at least 10 times to become really noticable. Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :| -- security mailing list security@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/security
