Merge pull request #4390 from oniko94/feature/T6353-add-password-complexity-validation

T6353: Add password complexity validation for system login user

7 files changed, 141 insertions, 5 deletions

diff --git a/debian/control b/debian/control
index efc008af2..4f1207078 100644
--- a/debian/control
+++ b/debian/control
@@ -123,6 +123,8 @@ Depends:
 # Live filesystem tools
   squashfs-tools,
   fuse-overlayfs,
+# Tools for checking password strength
+  python3-cracklib,
 ## End installer
   auditd,
   iputils-arping,
diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst
index fde58651a..ba97f37f6 100644
--- a/debian/vyos-1x.postinst
+++ b/debian/vyos-1x.postinst
@@ -195,6 +195,10 @@ if [ ! -x $PRECONFIG_SCRIPT ]; then
 EOF
 fi
 
+# cracklib-runtime default database location
+CRACKLIB_DIR=/var/cache/cracklib
+CRACKLIB_DB=cracklib_dict
+
 # create /opt/vyatta/etc/config/scripts/vyos-postconfig-bootup.script
 POSTCONFIG_SCRIPT=/opt/vyatta/etc/config/scripts/vyos-postconfig-bootup.script
 if [ ! -x $POSTCONFIG_SCRIPT ]; then
@@ -206,7 +210,15 @@ if [ ! -x $POSTCONFIG_SCRIPT ]; then
 # This script is executed at boot time after VyOS configuration is fully applied.
 # Any modifications required to work around unfixed bugs
 # or use services not available through the VyOS CLI system can be placed here.
-
+#
+# T6353 - Just in case, check if cracklib was installed properly
+# If the database file is missing, re-install the runtime package
+#
+if [ ! -f "${CRACKLIB_DIR}/${CRACKLIB_DB}.pwd" ]; then
+    mkdir -p $CRACKLIB_DIR
+    /usr/sbin/create-cracklib-dict -o $CRACKLIB_DIR/$CRACKLIB_DB \
+        /usr/share/dict/cracklib-small
+fi
 EOF
 fi
 
diff --git a/python/vyos/utils/auth.py b/python/vyos/utils/auth.py
index a0b3e1cae..a27d8a28a 100644
--- a/python/vyos/utils/auth.py
+++ b/python/vyos/utils/auth.py
@@ -13,10 +13,74 @@
 # You should have received a copy of the GNU Lesser General Public License along with this library;
 # if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 
+import cracklib
+import math
 import re
+import string
 
+from enum import StrEnum
+from decimal import Decimal
 from vyos.utils.process import cmd
 
+
+DEFAULT_PASSWORD = 'vyos'
+LOW_ENTROPY_MSG = 'should be at least 8 characters long;'
+WEAK_PASSWORD_MSG= 'The password complexity is too low - @MSG@'
+
+
+class EPasswdStrength(StrEnum):
+    WEAK = 'Weak'
+    DECENT = 'Decent'
+    STRONG = 'Strong'
+
+
+def calculate_entropy(charset: str, passwd: str) -> float:
+    """
+    Calculate the entropy of a password based on the set of characters used
+    Uses E = log2(R**L) formula, where
+        - R is the range (length) of the character set
+        - L is the length of password
+    """
+    return math.log(math.pow(len(charset), len(passwd)), 2)
+
+def evaluate_strength(passwd: str) -> dict[str, str]:
+    """ Evaluates password strength and returns a check result dict """
+    charset = (cracklib.ASCII_UPPERCASE + cracklib.ASCII_LOWERCASE +
+        string.punctuation + string.digits)
+
+    result = {
+        'strength': '',
+        'error': '',
+    }
+
+    try:
+        cracklib.FascistCheck(passwd)
+    except ValueError as e:
+        # The password is vulnerable to dictionary attack no matter the entropy
+        if 'is' in str(e):
+            msg = str(e).replace('is', 'should not be')
+        else:
+            msg = f'should not be {e}'
+        result.update(strength=EPasswdStrength.WEAK)
+        result.update(error=WEAK_PASSWORD_MSG.replace('@MSG@', msg))
+    else:
+        # Now check the password's entropy
+        # Cast to Decimal for more precise rounding
+        entropy = Decimal.from_float(calculate_entropy(charset, passwd))
+
+        match round(entropy):
+            case e if e in range(0, 59):
+                result.update(strength=EPasswdStrength.WEAK)
+                result.update(
+                    error=WEAK_PASSWORD_MSG.replace('@MSG@', LOW_ENTROPY_MSG)
+                )
+            case e if e in range(60, 119):
+                result.update(strength=EPasswdStrength.DECENT)
+            case e if e >= 120:
+                result.update(strength=EPasswdStrength.STRONG)
+
+    return result
+
 def make_password_hash(password):
     """ Makes a password hash for /etc/shadow using mkpasswd """
 
diff --git a/smoketest/scripts/cli/base_vyostest_shim.py b/smoketest/scripts/cli/base_vyostest_shim.py
index edf940efd..f0674f187 100644
--- a/smoketest/scripts/cli/base_vyostest_shim.py
+++ b/smoketest/scripts/cli/base_vyostest_shim.py
@@ -94,14 +94,18 @@ class VyOSUnitTestSHIM:
         def cli_commit(self):
             if self.debug:
                 print('commit')
-            self._session.commit()
             # During a commit there is a process opening commit_lock, and run()
             # returns 0
             while run(f'sudo lsof -nP {commit_lock}') == 0:
                 sleep(0.250)
+            # Return the output of commit
+            # Necessary for testing Warning cases
+            out = self._session.commit()
             # Wait for CStore completion for fast non-interactive commits
             sleep(self._commit_guard_time)
 
+            return out
+
         def op_mode(self, path : list) -> None:
             """
             Execute OP-mode command and return stdout
diff --git a/smoketest/scripts/cli/test_system_login.py b/smoketest/scripts/cli/test_system_login.py
index d79f5521c..ed72f378e 100755
--- a/smoketest/scripts/cli/test_system_login.py
+++ b/smoketest/scripts/cli/test_system_login.py
@@ -25,7 +25,9 @@ import shutil
 
 from base_vyostest_shim import VyOSUnitTestSHIM
 
+from contextlib import redirect_stdout
 from gzip import GzipFile
+from io import StringIO, TextIOWrapper
 from subprocess import Popen
 from subprocess import PIPE
 from pwd import getpwall
@@ -42,6 +44,7 @@ from vyos.xml_ref import default_value
 
 base_path = ['system', 'login']
 users = ['vyos1', 'vyos-roxx123', 'VyOS-123_super.Nice']
+weak_passwd_user = ['test_user', 'passWord1']
 
 ssh_test_command = '/opt/vyatta/bin/vyatta-op-cmd-wrapper show version'
 
@@ -194,18 +197,20 @@ class TestSystemLogin(VyOSUnitTestSHIM.TestCase):
     def test_system_login_user(self):
         for user in users:
             name = f'VyOS Roxx {user}'
+            passwd = f'{user}-pSWd-t3st'
             home_dir = f'/tmp/smoketest/{user}'
 
-            self.cli_set(base_path + ['user', user, 'authentication', 'plaintext-password', user])
+            self.cli_set(base_path + ['user', user, 'authentication', 'plaintext-password', passwd])
             self.cli_set(base_path + ['user', user, 'full-name', name])
             self.cli_set(base_path + ['user', user, 'home-directory', home_dir])
 
         self.cli_commit()
 
         for user in users:
+            passwd = f'{user}-pSWd-t3st'
             tmp = ['su','-', user]
             proc = Popen(tmp, stdin=PIPE, stdout=PIPE, stderr=PIPE)
-            tmp = f'{user}\nuname -a'
+            tmp = f'{passwd}\nuname -a'
             proc.stdin.write(tmp.encode())
             proc.stdin.flush()
             (stdout, stderr) = proc.communicate()
@@ -229,6 +234,17 @@ class TestSystemLogin(VyOSUnitTestSHIM.TestCase):
         tmp = cmd(f'sudo passwd -S {locked_user}')
         self.assertIn(f'{locked_user} P ', tmp)
 
+    def test_system_login_weak_password_warning(self):
+        self.cli_set(base_path + [
+            'user', weak_passwd_user[0], 'authentication',
+            'plaintext-password', weak_passwd_user[1]
+        ])
+
+        out = self.cli_commit().strip()
+
+        self.assertIn('WARNING: The password complexity is too low', out)
+        self.cli_delete(base_path + ['user', weak_passwd_user[0]])
+
     def test_system_login_otp(self):
         otp_user = 'otp-test_user'
         otp_password = 'SuperTestPassword'
diff --git a/src/conf_mode/system_login.py b/src/conf_mode/system_login.py
index d3a969d9b..1e6061ecf 100755
--- a/src/conf_mode/system_login.py
+++ b/src/conf_mode/system_login.py
@@ -15,6 +15,7 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 import os
+import warnings
 
 from passlib.hosts import linux_context
 from psutil import users
@@ -24,11 +25,17 @@ from pwd import getpwuid
 from sys import exit
 from time import sleep
 
+from vyos.base import Warning
 from vyos.config import Config
 from vyos.configverify import verify_vrf
 from vyos.template import render
 from vyos.template import is_ipv4
-from vyos.utils.auth import get_current_user
+from vyos.utils.auth import (
+    DEFAULT_PASSWORD,
+    EPasswdStrength,
+    evaluate_strength,
+    get_current_user
+)
 from vyos.utils.configfs import delete_cli_node
 from vyos.utils.configfs import add_cli_node
 from vyos.utils.dict import dict_search
@@ -146,6 +153,18 @@ def verify(login):
                 if s_user.pw_name == user and s_user.pw_uid < MIN_USER_UID:
                     raise ConfigError(f'User "{user}" can not be created, conflict with local system account!')
 
+            # T6353: Check password for complexity using cracklib.
+            # A user password should be sufficiently complex
+            plaintext_password = dict_search(
+                path='authentication.plaintext_password',
+                dict_object=user_config
+            ) or None
+
+            if plaintext_password is not None:
+                result = evaluate_strength(plaintext_password)
+                if result['strength'] == EPasswdStrength.WEAK:
+                    Warning(result['error'])
+
             for pubkey, pubkey_options in (dict_search('authentication.public_keys', user_config) or {}).items():
                 if 'type' not in pubkey_options:
                     raise ConfigError(f'Missing type for public-key "{pubkey}"!')
diff --git a/src/op_mode/image_installer.py b/src/op_mode/image_installer.py
index 609b0b347..c6e9c7f6f 100755
--- a/src/op_mode/image_installer.py
+++ b/src/op_mode/image_installer.py
@@ -32,10 +32,16 @@ from errno import ENOSPC
 
 from psutil import disk_partitions
 
+from vyos.base import Warning
 from vyos.configtree import ConfigTree
 from vyos.remote import download
 from vyos.system import disk, grub, image, compat, raid, SYSTEM_CFG_VER
 from vyos.template import render
+from vyos.utils.auth import (
+    DEFAULT_PASSWORD,
+    EPasswdStrength,
+    evaluate_strength
+)
 from vyos.utils.io import ask_input, ask_yes_no, select_entry
 from vyos.utils.file import chmod_2775
 from vyos.utils.process import cmd, run, rc_cmd
@@ -83,6 +89,9 @@ MSG_WARN_ROOT_SIZE_TOOBIG: str = 'The size is too big. Try again.'
 MSG_WARN_ROOT_SIZE_TOOSMALL: str = 'The size is too small. Try again'
 MSG_WARN_IMAGE_NAME_WRONG: str = 'The suggested name is unsupported!\n'\
 'It must be between 1 and 64 characters long and contains only the next characters: .+-_ a-z A-Z 0-9'
+
+MSG_WARN_CHANGE_PASSWORD: str = 'Default password used. Consider changing ' \
+    'it on next login.'
 MSG_WARN_PASSWORD_CONFIRM: str = 'The entered values did not match. Try again'
 'Installing a different image flavor may cause functionality degradation or break your system.\n' \
 'Do you want to continue with installation?'
@@ -778,10 +787,20 @@ def install_image() -> None:
     while True:
         user_password: str = ask_input(MSG_INPUT_PASSWORD, no_echo=True,
                                        non_empty=True)
+
+        if user_password == DEFAULT_PASSWORD:
+            Warning(MSG_WARN_CHANGE_PASSWORD)
+        else:
+            result = evaluate_strength(user_password)
+            if result['strength'] == EPasswdStrength.WEAK:
+                Warning(result['error'])
+
         confirm: str = ask_input(MSG_INPUT_PASSWORD_CONFIRM, no_echo=True,
                                  non_empty=True)
+
         if user_password == confirm:
             break
+
         print(MSG_WARN_PASSWORD_CONFIRM)
 
     # ask for default console