vyos.utils: image-tools: T6353: Add password strength check and basic validation

Author: oniko94

debian/control

@@ -124,6 +124,8 @@ Depends:
 # Live filesystem tools
   squashfs-tools,
   fuse-overlayfs,
+# Tools for checking password strength
+  python3-cracklib,
 ## End installer
   auditd,
   iputils-arping,

debian/vyos-1x.postinst

@@ -195,6 +195,10 @@ if [ ! -x $PRECONFIG_SCRIPT ]; then
 EOF
 fi
 
+# cracklib-runtime default database location
+CRACKLIB_DIR=/var/cache/cracklib
+CRACKLIB_DB=cracklib_dict
+
 # create /opt/vyatta/etc/config/scripts/vyos-postconfig-bootup.script
 POSTCONFIG_SCRIPT=/opt/vyatta/etc/config/scripts/vyos-postconfig-bootup.script
 if [ ! -x $POSTCONFIG_SCRIPT ]; then
@@ -206,7 +210,15 @@ if [ ! -x $POSTCONFIG_SCRIPT ]; then
 # This script is executed at boot time after VyOS configuration is fully applied.
 # Any modifications required to work around unfixed bugs
 # or use services not available through the VyOS CLI system can be placed here.
-
+#
+# T6353 - Just in case, check if cracklib was installed properly
+# If the database file is missing, re-install the runtime package
+#
+if [ ! -f "${CRACKLIB_DIR}/${CRACKLIB_DB}.pwd" ]; then
+    mkdir -p $CRACKLIB_DIR
+    /usr/sbin/create-cracklib-dict -o $CRACKLIB_DIR/$CRACKLIB_DB \
+        /usr/share/dict/cracklib-small
+fi
 EOF
 fi
 

python/vyos/utils/auth.py

@@ -13,10 +13,70 @@
 # You should have received a copy of the GNU Lesser General Public License along with this library;
 # if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 
+import cracklib
+import math
 import re
+import string
 
+from enum import StrEnum
+from decimal import *
 from vyos.utils.process import cmd
 
+DEFAULT_PASSWORD = 'vyos'
+LOW_ENTROPY_MSG = 'should be at least 8 characters long'
+
+
+class EPasswdStrength(StrEnum):
+    WEAK = 'Weak'
+    DECENT = 'Decent'
+    STRONG = 'Strong'
+
+
+def calculate_entropy(charset: str, passwd: str) -> float:
+    """
+    Calculate the entropy of a password based on the set of characters used
+    Uses E = log2(R**L) formula, where
+        - R is the range (length) of the character set
+        - L is the length of password
+    """
+    return math.log(math.pow(len(charset), len(passwd)), 2)
+
+def check_passwd_strength(passwd: str) -> dict:
+    """ Evaluates password strength and returns a check result dict """
+    charset = (cracklib.ASCII_UPPERCASE + cracklib.ASCII_LOWERCASE +
+        string.punctuation + string.digits)
+
+    result = {
+        'strength': '',
+        'errors': [],
+    }
+
+    try:
+        cracklib.FascistCheck(passwd)
+    except ValueError as e:
+        # The password is vulnerable to dictionary attack no matter the entropy
+        if 'is' in str(e):
+            msg = str(e).replace('is', 'should not be')
+        else:
+            msg = f'should not be {e}'
+        result['strength'] = EPasswdStrength.WEAK
+        result['errors'].append(msg)
+    else:
+        # Now check the password's entropy
+        # Cast to Decimal for more precise rounding
+        entropy = Decimal.from_float(calculate_entropy(charset, passwd))
+
+        match round(entropy):
+            case e if e in range(0, 59):
+                result['strength'] = EPasswdStrength.WEAK
+                result['errors'].append(LOW_ENTROPY_MSG)
+            case e if e in range(60, 119):
+                result['strength'] = EPasswdStrength.DECENT
+            case e if e >= 120:
+                result['strength'] = EPasswdStrength.STRONG
+
+    return result
+
 def make_password_hash(password):
     """ Makes a password hash for /etc/shadow using mkpasswd """
 

src/op_mode/image_installer.py

@@ -36,6 +36,11 @@
 from vyos.remote import download
 from vyos.system import disk, grub, image, compat, raid, SYSTEM_CFG_VER
 from vyos.template import render
+from vyos.utils.auth import (
+    check_passwd_strength,
+    DEFAULT_PASSWORD,
+    EPasswdStrength
+)
 from vyos.utils.io import ask_input, ask_yes_no, select_entry
 from vyos.utils.file import chmod_2775
 from vyos.utils.process import cmd, run, rc_cmd
@@ -83,6 +88,11 @@
 MSG_WARN_ROOT_SIZE_TOOSMALL: str = 'The size is too small. Try again'
 MSG_WARN_IMAGE_NAME_WRONG: str = 'The suggested name is unsupported!\n'\
 'It must be between 1 and 64 characters long and contains only the next characters: .+-_ a-z A-Z 0-9'
+
+MSG_WARN_DEFAULT_PASSWORD: str = 'Default password used. Consider changing ' \
+    'it on next login.'
+MSG_WARN_WEAK_PASSWORD: str = 'The password used is weak and can compromise ' \
+    'the system security.\nFollowing issues \n@ERRORS@\n have been identified.'
 MSG_WARN_PASSWORD_CONFIRM: str = 'The entered values did not match. Try again'
 'Installing a different image flavor may cause functionality degradation or break your system.\n' \
 'Do you want to continue with installation?'
@@ -778,10 +788,28 @@ def install_image() -> None:
     while True:
         user_password: str = ask_input(MSG_INPUT_PASSWORD, no_echo=True,
                                        non_empty=True)
+
+        if user_password == DEFAULT_PASSWORD:
+            print(MSG_WARN_DEFAULT_PASSWORD)
+        else:
+            result = check_passwd_strength(user_password)
+            print('Password Strength: {}'.format(result['strength']))
+
+            passwd_weak = result['strength'] \
+                not in [EPasswdStrength.DECENT, EPasswdStrength.STRONG]
+
+            if passwd_weak:
+                err_list = [f'  - {e}' for e in result['errors']]
+                print(MSG_WARN_WEAK_PASSWORD.replace(
+                    '@ERRORS@', '\n'.join(err_list)
+                ))
+
         confirm: str = ask_input(MSG_INPUT_PASSWORD_CONFIRM, no_echo=True,
                                  non_empty=True)
+
         if user_password == confirm:
             break
+
         print(MSG_WARN_PASSWORD_CONFIRM)
 
     # ask for default console