author | John Estabrook <jestabro@vyos.io> | 2025-03-25 12:04:10 -0500 |
---|---|---|
committer | GitHub <noreply@github.com> | 2025-03-25 12:04:10 -0500 |
commit | 1d419bc2b56a487527dd120d3f39d420fcb615b3 (patch) | |
tree | a189d6cb6d63ff0d0294e35dd9c4faa2ffb57042 | |
parent | 1c66841323ba1fa4f90d3ce3de6ef7cebc07ed97 (diff) | |
parent | d9ec5d1e70d3991ac64498734157cfb7934034ee (diff) | |
Merge pull request #4413 from oniko94/fix/T7278-fix-cracklib-dep-build
T7278: Remove cracklib hack from postconfig script template
-rw-r--r-- | debian/vyos-1x.postinst | 14 | ||||
-rw-r--r-- | python/vyos/utils/auth.py | 14 | ||||
-rwxr-xr-x | src/conf_mode/system_login.py | 3 | ||||
-rwxr-xr-x | src/op_mode/image_installer.py | 3 |
4 files changed, 15 insertions, 19 deletions
diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst
index ba97f37f6..fde58651a 100644
--- a/debian/vyos-1x.postinst
+++ b/debian/vyos-1x.postinst
@@ -195,10 +195,6 @@ if [ ! -x $PRECONFIG_SCRIPT ]; then
 EOF
 fi
-# cracklib-runtime default database location
-CRACKLIB_DIR=/var/cache/cracklib
-CRACKLIB_DB=cracklib_dict
-
 # create /opt/vyatta/etc/config/scripts/vyos-postconfig-bootup.script
 POSTCONFIG_SCRIPT=/opt/vyatta/etc/config/scripts/vyos-postconfig-bootup.script
 if [ ! -x $POSTCONFIG_SCRIPT ]; then
@@ -210,15 +206,7 @@ if [ ! -x $POSTCONFIG_SCRIPT ]; then
 # This script is executed at boot time after VyOS configuration is fully applied.
 # Any modifications required to work around unfixed bugs
 # or use services not available through the VyOS CLI system can be placed here.
-#
-# T6353 - Just in case, check if cracklib was installed properly
-# If the database file is missing, re-install the runtime package
-#
-if [ ! -f "${CRACKLIB_DIR}/${CRACKLIB_DB}.pwd" ]; then
- mkdir -p $CRACKLIB_DIR
- /usr/sbin/create-cracklib-dict -o $CRACKLIB_DIR/$CRACKLIB_DB \
- /usr/share/dict/cracklib-small
-fi
+
 EOF
 fi
diff --git a/python/vyos/utils/auth.py b/python/vyos/utils/auth.py
index a27d8a28a..5d0e3464a 100644
--- a/python/vyos/utils/auth.py
+++ b/python/vyos/utils/auth.py
@@ -23,15 +23,18 @@ from decimal import Decimal
 from vyos.utils.process import cmd
-DEFAULT_PASSWORD = 'vyos'
-LOW_ENTROPY_MSG = 'should be at least 8 characters long;'
-WEAK_PASSWORD_MSG= 'The password complexity is too low - @MSG@'
-
+DEFAULT_PASSWORD: str = 'vyos'
+LOW_ENTROPY_MSG: str = 'should be at least 8 characters long;'
+WEAK_PASSWORD_MSG: str = 'The password complexity is too low - @MSG@'
+CRACKLIB_ERROR_MSG: str = 'A following error occurred: @MSG@\n' \
+ 'Possibly the cracklib database is corrupted or is missing. ' \
+ 'Try reinstalling the python3-cracklib package.'
 class EPasswdStrength(StrEnum):
 WEAK = 'Weak'
 DECENT = 'Decent'
 STRONG = 'Strong'
+ ERROR = 'Cracklib Error'
 def calculate_entropy(charset: str, passwd: str) -> float:
@@ -63,6 +66,9 @@ def evaluate_strength(passwd: str) -> dict[str, str]:
 msg = f'should not be {e}'
 result.update(strength=EPasswdStrength.WEAK)
 result.update(error=WEAK_PASSWORD_MSG.replace('@MSG@', msg))
+ except Exception as e:
+ result.update(strength=EPasswdStrength.ERROR)
+ result.update(error=CRACKLIB_ERROR_MSG.replace('@MSG@', str(e)))
 else:
 # Now check the password's entropy
 # Cast to Decimal for more precise rounding
diff --git a/src/conf_mode/system_login.py b/src/conf_mode/system_login.py
index 1e6061ecf..3fed6d273 100755
--- a/src/conf_mode/system_login.py
+++ b/src/conf_mode/system_login.py
@@ -160,9 +160,10 @@ def verify(login):
 dict_object=user_config
 ) or None
+ failed_check_status = [EPasswdStrength.WEAK, EPasswdStrength.ERROR]
 if plaintext_password is not None:
 result = evaluate_strength(plaintext_password)
- if result['strength'] == EPasswdStrength.WEAK:
+ if result['strength'] in failed_check_status:
 Warning(result['error'])
 for pubkey, pubkey_options in (dict_search('authentication.public_keys', user_config) or {}).items():
diff --git a/src/op_mode/image_installer.py b/src/op_mode/image_installer.py
index c6e9c7f6f..82756daec 100755
--- a/src/op_mode/image_installer.py
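Review bot: `CRACKLIB_ERROR_MSG` tells the operator to reinstall python3-cracklib, but the postinst code removed by this same commit rebuilt the dictionary with `/usr/sbin/create-cracklib-dict` and described it as the cracklib-runtime database, so the advice may name the wrong package and should be checked against where the dictionary actually comes from. The opening of the message also reads better as `'The following error occurred: @MSG@\n'`. A one-line comment above `ERROR = 'Cracklib Error'`, such as `# cracklib itself failed; the password was not evaluated`, would tell callers that this member is not a strength grade.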
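Review bot: The new `except Exception as e:` branch in evaluate_strength() sits ahead of the `else:` that runs the entropy check, so when cracklib fails the entropy evaluation is skipped as well and the caller learns nothing about the password itself. The entropy calculation does not appear to depend on cracklib, so it could still run after the error is recorded, which keeps the check from failing open when the dictionary is missing. The catch is also broad enough to report unrelated programming errors as a corrupted database; narrowing it to the exceptions the cracklib binding raises for an unreadable dictionary would keep the message accurate. Since `str(e)` is printed by both callers through `Warning(result['error'])`, it is worth confirming that the binding never includes the candidate password in its exception text. The try body and the rest of the function lie outside the hunk.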
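Review bot: `failed_check_status = [EPasswdStrength.WEAK, EPasswdStrength.ERROR]` is defined here in verify() and again, identically, in install_image() in src/op_mode/image_installer.py, so the two callers can drift apart when a member is added. A single module-level constant next to `EPasswdStrength` in vyos.utils.auth, written as an immutable tuple such as `FAILED_CHECK_STATUS = (EPasswdStrength.WEAK, EPasswdStrength.ERROR)`, would avoid that. Both callers still only call `Warning(...)` for the ERROR case, so a broken cracklib installation does not stop a weak password from being accepted; if that is intended, a short comment at each call site saying so would help. verify() and install_image() both continue outside their hunks.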
+++ b/src/op_mode/image_installer.py
@@ -783,6 +783,7 @@ def install_image() -> None:
 break
 print(MSG_WARN_IMAGE_NAME_WRONG)
+ failed_check_status = [EPasswdStrength.WEAK, EPasswdStrength.ERROR]
 # ask for password
 while True:
 user_password: str = ask_input(MSG_INPUT_PASSWORD, no_echo=True,
@@ -792,7 +793,7 @@ def install_image() -> None:
 Warning(MSG_WARN_CHANGE_PASSWORD)
 else:
 result = evaluate_strength(user_password)
- if result['strength'] == EPasswdStrength.WEAK:
+ if result['strength'] in failed_check_status:
 Warning(result['error'])
 confirm: str = ask_input(MSG_INPUT_PASSWORD_CONFIRM, no_echo=True, |