ruby-password 0.15.5

data/INSTALL

@@ -0,0 +1,34 @@
+$Id: INSTALL,v 1.3 2004/04/07 09:29:03 ianmacd Exp $
+
+
+At the prompt, type:
+
+$ ruby extconf.rb
+
+This will create a Makefile for your system.
+
+Next, type:
+
+$ make
+
+This will build the software for your system.
+
+Finally, type:
+
+$ make install
+
+This will install the software on your system. The software consists of
+crack.so, a low level shared object interface to LibCrack for checking
+password security stength, and password.rb, a higher level API for dealing
+with passwords.
+
+If, for any reason, you wish to install the software elsewhere, you can
+pass make(1) relevant arguments via environment variables:
+
+$ make DESTDIR=/tmp install
+
+You can generate RDoc documentation as follows:
+
+$ rdoc -x CVS rbcrack.c lib
+
+This will generate HTML and documentation in the doc/ subdirectory.

data/README

@@ -0,0 +1,60 @@
+WHAT IS IT?
+-----------
+
+Ruby/Password is a suite of password handling methods for Ruby. It supports
+the manual entry of passwords from the keyboard in both buffered and
+unbuffered modes, password strength checking, random password generation,
+phonemic password generation (for easy memorisation by human-beings) and the
+encryption of passwords.
+
+The common CrackLib library is used to perform password strength checking.
+
+From the CrackLib README:
+
+  CrackLib makes literally hundreds of tests to determine whether you've
+  chosen a bad password.
+
+  * It tries to generate words from your username and GECOS entry and tries
+    to match them against the password you've chosen.
+
+  * It checks for simplistic patterns.
+
+  * It then tries to reverse-engineer your password into a dictionary
+    word, and searches for it in your dictionary.
+
+  - after all that, it's PROBABLY a safe(-ish) password.  8-)
+
+
+The target audience for this library is system administrators who need
+to write Ruby programs that prompt for, generate, verify and encrypt
+passwords.
+
+
+THIS FORK
+---------
+
+This is a fork from the original software written by Ian Macdonald. I've (Albert Lash of Savonix / Docunext) forked it to try and package it as a Ruby 1.9.1 gem
+for my own convenience. I made the version 0.15.4 to try and differentiate from Ian's tree.
+
+INSTALLATION
+------------
+
+Please see the INSTALL file for details of how to install Ruby/Password.
+
+
+USAGE
+-----
+
+Please see the RDoc documentation for details of how to use Ruby/Password.
+
+
+LICENCE
+-------
+
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+Please see the file COPYING for the terms of the licence.
+

data/Rakefile

@@ -0,0 +1,25 @@
+require 'rake'
+
+begin
+  require 'jeweler'
+  Jeweler::Tasks.new do |gem|
+    gem.name = "ruby-password"
+    gem.summary = %Q{A password handling library for Ruby with interface to CrackLib}
+    gem.description = %Q{Ruby/Password is a suite of password handling methods for Ruby. It supports
+the manual entry of passwords from the keyboard in both buffered and
+unbuffered modes, password strength checking, random password generation,
+phonemic password generation (for easy memorisation by human-beings) and the
+encryption of passwords.}
+    gem.email = "albert.lash@docunext.com"
+    gem.homepage = "http://www.docunext.com/"
+    gem.authors = ["Albert Lash", "Ian Macdonald"]
+    gem.add_dependency "ruby-termios"
+    gem.add_development_dependency "shoulda"
+    gem.extensions = FileList['extconf.rb']
+    # gem is a Gem::Specification... see http://www.rubygems.org/read/chapter/20 for additional settings
+  end
+  Jeweler::GemcutterTasks.new
+rescue LoadError
+  puts "Jeweler (or a dependency) not available. Install it with: sudo gem install jeweler"
+end
+

data/VERSION

@@ -0,0 +1 @@
+0.15.5

data/example/example.rb

@@ -0,0 +1,42 @@
+#!/usr/bin/ruby -w
+#
+# $Id: example.rb,v 1.7 2004/04/07 09:49:06 ianmacd Exp $
+#
+# Copyright (C) 2002-2004 Ian Macdonald
+#
+#   This program is free software; you can redistribute it and/or modify
+#   it under the terms of the GNU General Public License as published by
+#   the Free Software Foundation; either version 2, or (at your option)
+#   any later version.
+#
+#   This program is distributed in the hope that it will be useful,
+#   but WITHOUT ANY WARRANTY; without even the implied warranty of
+#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#   GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public License
+#   along with this program; if not, write to the Free Software Foundation,
+#   Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
+require 'password'
+
+def handle_password( pw )
+  pw.check
+  puts pw.crypt( `uname` == "Linux\n" ? Password::MD5 : Password::DES )
+end
+
+begin
+  my_string = Password.get( "Password with get: " )
+  handle_password( my_string )
+rescue Password::WeakPassword => reason
+  puts reason
+  retry
+end
+
+begin
+  my_string = Password.getc( "Password with getc: ", 'X' )
+  handle_password( my_string )
+rescue Password::WeakPassword => reason
+  puts reason
+  retry
+end

data/example/pwgen

@@ -0,0 +1,118 @@
+#!/usr/bin/ruby -w
+#
+# $Id: pwgen,v 1.3 2004/09/04 22:20:27 ianmacd Exp $
+#
+# Copyright (C) 2004 Ian Macdonald
+#
+#   This program is free software; you can redistribute it and/or modify
+#   it under the terms of the GNU General Public License as published by
+#   the Free Software Foundation; either version 2, or (at your option)
+#   any later version.
+#
+#   This program is distributed in the hope that it will be useful,
+#   but WITHOUT ANY WARRANTY; without even the implied warranty of
+#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#   GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public License
+#   along with this program; if not, write to the Free Software Foundation,
+#   Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
+
+require 'optparse'
+require 'ostruct'
+require 'password'
+
+
+class Optparse
+
+  USAGE_BANNER = "Usage: pwgen [ OPTIONS ] [ password_length ] [ number_passwords ]"
+
+  def self.parse(args)
+    options = OpenStruct.new
+    options.columns = $stdout.tty?
+    options.one_case = $stdout.tty? ? Password::ONE_CASE : 0
+    options.one_digit = $stdout.tty? ? Password::ONE_DIGIT : 0
+    options.secure = false
+
+    opts = OptionParser.new do |opts|
+      opts.banner = USAGE_BANNER
+
+      opts.on( "-C", "Print the generated passwords in columns") do
+	options.columns = true
+      end
+
+      opts.on( "-1", "Don't print the generated passwords",
+		     "  in columns") do
+	options.columns = false
+      end
+
+      opts.on( "-c", "--[no-]capitalise", "--[no-]capitalize",
+	      "Include at least one capital letter in",
+	      "  the password" ) do |opt|
+	options.one_case = opt ? Password::ONE_CASE : 0
+      end
+
+      opts.on( "-n", "--[no-]numerals",
+	      "Include at least one digit in the password" ) do |opt|
+	options.one_digit = opt ? Password::ONE_DIGIT : 0
+      end
+
+      opts.on( "-s", "--secure", "Generate completely random passwords" ) do
+	options.secure = true
+      end
+
+      opts.on( "-v", "--version", "Display version and exit" ) do
+	puts PWGEN_VERSION
+	exit
+      end
+
+      opts.on_tail( "-h", "--help", "Display this usage message and exit" ) do
+	puts opts
+	exit
+      end
+
+    end
+
+    opts.parse!(args)
+    options
+  end
+end
+
+PWGEN_VERSION = '0.5.2'
+TERM_WIDTH = 80
+
+options = Optparse.parse(ARGV)
+
+unless [ 0, 2 ].include? ARGV.size
+  puts Optparse::USAGE_BANNER
+  exit 1
+end
+
+length, number = *ARGV.map { |arg| arg.to_i }
+length ||= 8
+
+generator = if length < 5 || options.secure
+	      Proc.new { Password.random( length ) }
+	    else
+	      Proc.new { Password.phonemic( length, options.one_case |
+						    options.one_digit ) }
+	    end
+
+columns = options.columns ? TERM_WIDTH / ( length + 1 ) : 1
+columns = 1 if columns == 0
+number ||= options.columns ? columns * 20 : 1
+
+need_new_line = false
+
+0.upto number - 1 do |n|
+  if ! options.columns || n % columns == columns - 1
+    puts generator.call
+    need_new_line = false
+  else
+    print generator.call, ' '
+    need_new_line = true
+  end
+end
+
+puts if need_new_line

data/extconf.rb

@@ -0,0 +1,62 @@
+# extconf for Ruby/Password
+#
+# $Id: extconf.rb,v 1.13 2006/03/02 17:35:06 ianmacd Exp $
+
+require 'mkmf'
+
+search_dicts = %w(
+  /usr/local/lib/pw_dict.pwd
+  /usr/lib/pw_dict.pwd
+  /opt/lib/pw_dict.pwd
+  /usr/local/lib/cracklib_dict.pwd
+  /usr/lib/cracklib_dict.pwd
+  /opt/lib/cracklib_dict.pwd
+  /var/cache/cracklib/cracklib_dict.pwd
+)
+
+if dict = with_config('crack-dict')
+  search_dicts.unshift(dict)
+end
+
+crack_dict = nil
+
+# find the crack dictionary
+print "checking for cracklib dictionary... "
+
+search_dicts.each do |dict|
+  # create a header file pointing to the crack dictionary
+  if File.exist?(dict)
+    puts dict
+    crack_dict = dict.sub(/\.pwd/, '')
+    break
+  end
+end
+
+if crack_dict.nil?
+  puts "no\nCouldn't find a cracklib dictionary on this system"
+  exit 1
+end
+
+hfile = File.new("rbcrack.h", 'w')
+hfile.printf("#define CRACK_DICT \"%s\"\n", crack_dict)
+hfile.close
+
+have_header('crack.h') && have_library('crack', 'FascistCheck') or exit 1
+
+create_makefile('cracklib')
+
+File.open('Makefile', 'a') do |f|
+  f.print <<EOF
+
+extra-clean:	distclean
+		-rm -rf rbcrack.h doc/
+
+docs:
+		-rdoc -x CVS rbcrack.c lib
+
+test:		cracklib.so FORCE
+		-cd test; ./tc_password.rb
+
+FORCE:
+EOF
+end

data/lib/password.rb

@@ -0,0 +1,432 @@
+# $Id: password.rb,v 1.24 2006/03/02 19:42:33 ianmacd Exp $
+# 
+# Version : 0.5.3
+# Author  : Ian Macdonald <ian@caliban.org>
+#
+# Copyright (C) 2002-2006 Ian Macdonald
+#
+#   This program is free software; you can redistribute it and/or modify
+#   it under the terms of the GNU General Public License as published by
+#   the Free Software Foundation; either version 2, or (at your option)
+#   any later version.
+#
+#   This program is distributed in the hope that it will be useful,
+#   but WITHOUT ANY WARRANTY; without even the implied warranty of
+#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#   GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public License
+#   along with this program; if not, write to the Free Software Foundation,
+#   Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
+
+require 'cracklib'
+require 'termios'
+
+
+# Ruby/Password is a collection of password handling routines for Ruby,
+# including an interface to CrackLib for the purposes of testing password
+# strength.
+# 
+#  require 'password'
+#
+#  # Define and check a password in code
+#  pw = Password.new( "bigblackcat" )
+#  pw.check
+#
+#  # Get and check a password from the keyboard
+#  begin
+#    password = Password.get( "New password: " )
+#    password.check
+#  rescue Password::WeakPassword => reason
+#    puts reason
+#    retry
+#  end
+#
+#  # Automatically generate and encrypt a password
+#  password = Password.phonemic( 12, Password:ONE_CASE | Password::ONE_DIGIT )
+#  crypted = password.crypt
+#
+#
+class Password < String
+
+  # This exception class is raised if an error occurs during password
+  # encryption when calling Password#crypt.
+  #
+  class CryptError < StandardError; end
+
+  # This exception class is raised if a bad dictionary path is detected by
+  # Password#check.
+  #
+  class DictionaryError < StandardError; end
+
+  # This exception class is raised if a weak password is detected by
+  # Password#check.
+  #
+  class WeakPassword < StandardError; end
+
+  VERSION = '0.5.3'
+
+  # DES algorithm
+  # 
+  DES = true
+
+  # MD5 algorithm (see <em>crypt(3)</em> for more information)
+  #
+  MD5 = false
+ 
+  # This flag is used in conjunction with Password.phonemic and states that a
+  # password must include a digit.
+  #
+  ONE_DIGIT  =	1
+
+  # This flag is used in conjunction with Password.phonemic and states that a
+  # password must include a capital letter.
+  #
+  ONE_CASE    = 1 << 1
+
+  # Characters that may appear in generated passwords. Password.urandom may
+  # also use the characters + and /.
+  #
+  PASSWD_CHARS = '0123456789' +
+		 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' +
+		 'abcdefghijklmnopqrstuvwxyz'
+
+  # Valid salt characters for use by Password#crypt.
+  #
+  SALT_CHARS   = '0123456789' +
+		 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' +
+		 'abcdefghijklmnopqrstuvwxyz' +
+		 './'
+
+  # :stopdoc:
+
+  # phoneme flags
+  #
+  CONSONANT = 1
+  VOWEL	    = 1 << 1
+  DIPHTHONG = 1 << 2
+  NOT_FIRST = 1 << 3  # indicates that a given phoneme may not occur first
+
+  PHONEMES = {
+    :a	=> VOWEL,
+    :ae	=> VOWEL      | DIPHTHONG,
+    :ah => VOWEL      | DIPHTHONG,
+    :ai => VOWEL      | DIPHTHONG,
+    :b	=> CONSONANT,
+    :c	=> CONSONANT,
+    :ch	=> CONSONANT  | DIPHTHONG,
+    :d	=> CONSONANT,
+    :e	=> VOWEL,
+    :ee	=> VOWEL      | DIPHTHONG,
+    :ei	=> VOWEL      | DIPHTHONG,
+    :f	=> CONSONANT,
+    :g	=> CONSONANT,
+    :gh	=> CONSONANT  | DIPHTHONG | NOT_FIRST,
+    :h	=> CONSONANT,
+    :i	=> VOWEL,
+    :ie	=> VOWEL      | DIPHTHONG,
+    :j	=> CONSONANT,
+    :k	=> CONSONANT,
+    :l	=> CONSONANT,
+    :m	=> CONSONANT,
+    :n	=> CONSONANT,
+    :ng	=> CONSONANT  | DIPHTHONG | NOT_FIRST,
+    :o	=> VOWEL,
+    :oh	=> VOWEL      | DIPHTHONG,
+    :oo	=> VOWEL      | DIPHTHONG,
+    :p	=> CONSONANT,
+    :ph	=> CONSONANT  | DIPHTHONG,
+    :qu	=> CONSONANT  | DIPHTHONG,
+    :r	=> CONSONANT,
+    :s	=> CONSONANT,
+    :sh	=> CONSONANT  | DIPHTHONG,
+    :t	=> CONSONANT,
+    :th	=> CONSONANT  | DIPHTHONG,
+    :u	=> VOWEL,
+    :v	=> CONSONANT,
+    :w	=> CONSONANT,
+    :x	=> CONSONANT,
+    :y	=> CONSONANT,
+    :z	=> CONSONANT
+  }
+
+  # :startdoc:
+
+
+  # Turn local terminal echo on or off. This method is used for securing the
+  # display, so that a soon to be entered password will not be echoed to the
+  # screen. It is also used for restoring the display afterwards.
+  #
+  # If _masked_ is +true+, the keyboard is put into unbuffered mode, allowing
+  # the retrieval of characters one at a time. _masked_ has no effect when
+  # _on_ is +false+. You are unlikely to need this method in the course of
+  # normal operations.
+  #
+  def Password.echo(on=true, masked=false)
+    term = Termios::getattr( $stdin )
+
+    if on
+      term.c_lflag |= ( Termios::ECHO | Termios::ICANON )
+    else # off
+      term.c_lflag &= ~Termios::ECHO
+      term.c_lflag &= ~Termios::ICANON if masked
+    end
+
+    Termios::setattr( $stdin, Termios::TCSANOW, term )
+  end
+
+
+  # Get a password from _STDIN_, using buffered line input and displaying
+  # _message_ as the prompt. No output will appear while the password is being
+  # typed. Hitting <b>[Enter]</b> completes password entry. If _STDIN_ is not
+  # connected to a tty, no prompt will be displayed.
+  #
+  def Password.get(message="Password: ")
+    begin
+      if $stdin.tty?
+	Password.echo false
+	print message if message
+      end
+
+      pw = Password.new( $stdin.gets || "" )
+      pw.chomp!
+
+    ensure
+      if $stdin.tty?
+	Password.echo true
+	print "\n"
+      end
+    end
+  end
+
+
+  # Get a password from _STDIN_ in unbuffered mode, i.e. one key at a time.
+  # _message_ will be displayed as the prompt and each key press with echo
+  # _mask_ to the terminal. There is no need to hit <b>[Enter]</b> at the end.
+  #
+  def Password.getc(message="Password: ", mask='*')
+    # Save current buffering mode
+    buffering = $stdout.sync
+
+    # Turn off buffering
+    $stdout.sync = true
+
+    begin
+      Password.echo(false, true)
+      print message if message
+      pw = ""
+
+      while ( char = $stdin.getc ) != 10 # break after [Enter]
+	putc mask
+	pw << char
+      end
+
+    ensure
+      Password.echo true
+      print "\n"
+    end
+
+    # Restore original buffering mode
+    $stdout.sync = buffering
+
+    Password.new( pw )
+  end
+
+
+  # :stopdoc:
+  
+  # Determine whether next character should be a vowel or consonant.
+  #
+  def Password.get_vowel_or_consonant
+    rand( 2 ) == 1 ? VOWEL : CONSONANT
+  end
+
+  # :startdoc:
+
+
+  # Generate a memorable password of _length_ characters, using phonemes that
+  # a human-being can easily remember. _flags_ is one or more of
+  # <em>Password::ONE_DIGIT</em> and <em>Password::ONE_CASE</em>, logically
+  # OR'ed together. For example:
+  #
+  #  pw = Password.phonemic( 8, Password::ONE_DIGIT | Password::ONE_CASE )
+  #
+  # This would generate an eight character password, containing a digit and an
+  # upper-case letter, such as <b>Ug2shoth</b>.
+  #
+  # This method was inspired by the
+  # pwgen[http://sourceforge.net/projects/pwgen/] tool, written by Theodore
+  # Ts'o.
+  #
+  # Generated passwords may contain any of the characters in
+  # <em>Password::PASSWD_CHARS</em>.
+  #
+  def Password.phonemic(length=8, flags=nil)
+
+    pw = nil
+    ph_flags = flags
+
+    loop do
+
+      pw = ""
+
+      # Separate the flags integer into an array of individual flags
+      feature_flags = [ flags & ONE_DIGIT, flags & ONE_CASE ]
+
+      prev = []
+      first = true
+      desired = Password.get_vowel_or_consonant
+
+      # Get an Array of all of the phonemes
+      phonemes = PHONEMES.keys.map { |ph| ph.to_s }
+      nr_phonemes = phonemes.size
+
+      while pw.length < length do
+
+	# Get a random phoneme and its length
+	phoneme = phonemes[ rand( nr_phonemes ) ]
+	ph_len = phoneme.length
+
+	# Get its flags as an Array
+	ph_flags = PHONEMES[ phoneme.to_sym ]
+	ph_flags = [ ph_flags & CONSONANT, ph_flags & VOWEL,
+		     ph_flags & DIPHTHONG, ph_flags & NOT_FIRST ]
+
+	# Filter on the basic type of the next phoneme
+	next if ph_flags.include? desired
+
+	# Handle the NOT_FIRST flag
+	next if first and ph_flags.include? NOT_FIRST
+
+	# Don't allow a VOWEL followed a vowel/diphthong pair
+	next if prev.include? VOWEL and ph_flags.include? VOWEL and
+		ph_flags.include? DIPHTHONG
+
+	# Don't allow us to go longer than the desired length
+	next if ph_len > length - pw.length
+
+	# We've found a phoneme that meets our criteria
+	pw << phoneme
+
+	# Handle ONE_CASE
+	if feature_flags.include? ONE_CASE
+
+	  if (first or ph_flags.include? CONSONANT) and rand( 10 ) < 3
+	    pw[-ph_len, 1] = pw[-ph_len, 1].upcase
+	    feature_flags.delete ONE_CASE
+	  end
+
+	end
+
+	# Is password already long enough?
+	break if pw.length >= length
+
+	# Handle ONE_DIGIT
+	if feature_flags.include? ONE_DIGIT
+
+	  if ! first and rand( 10 ) < 3
+	    pw << ( rand( 10 ) + ?0 ).chr
+	    feature_flags.delete ONE_DIGIT
+
+	    first = true
+	    prev = []
+	    desired = Password.get_vowel_or_consonant
+	    next
+	  end
+
+	end
+
+	if desired == CONSONANT
+	  desired = VOWEL
+	elsif prev.include? VOWEL or ph_flags.include? DIPHTHONG or
+	      rand(10) > 3
+	  desired = CONSONANT
+	else
+	  desired = VOWEL
+	end
+
+	prev = ph_flags
+	first = false
+      end
+
+      # Try again
+      break unless feature_flags.include? ONE_CASE or
+		   feature_flags.include? ONE_DIGIT
+
+    end
+
+    Password.new( pw )
+
+  end
+
+
+  # Generate a random password of _length_ characters. Unlike the
+  # Password.phonemic method, no attempt will be made to generate a memorable
+  # password. Generated passwords may contain any of the characters in
+  # <em>Password::PASSWD_CHARS</em>.
+  #
+  #
+  def Password.random(length=8)
+    pw = ""
+    nr_chars = PASSWD_CHARS.size
+
+    length.times { pw << PASSWD_CHARS[ rand( nr_chars ) ] }
+
+    Password.new( pw )
+  end
+
+
+  # An alternative to Password.random. It uses the <tt>/dev/urandom</tt>
+  # device to generate passwords, returning +nil+ on systems that do not
+  # implement the device. The passwords it generates may contain any of the
+  # characters in <em>Password::PASSWD_CHARS</em>, plus the additional
+  # characters + and /.
+  #
+  def Password.urandom(length=8)
+    return nil unless File.chardev? '/dev/urandom'
+
+    rand_data = nil
+    File.open( "/dev/urandom" ) { |f| rand_data = f.read( length ) }
+
+    # Base64 encode it
+    Password.new( [ rand_data ].pack( 'm' )[ 0 .. length - 1 ] )
+  end
+
+
+  # Encrypt a password using _type_ encryption. _salt_, if supplied, will be
+  # used to perturb the encryption algorithm and should be chosen from the
+  # <em>Password::SALT_CHARS</em>. If no salt is given, a randomly generated
+  # salt will be used.
+  #
+  def crypt(type=DES, salt='')
+
+    unless ( salt.split( // ) - SALT_CHARS.split( // ) ).empty?
+      raise CryptError, 'bad salt'
+    end
+
+    salt = Password.random( type ? 2 : 8 ) if salt.empty?
+
+    # (Linux glibc2 interprets a salt prefix of '$1$' as a call to use MD5
+    # instead of DES when calling crypt(3))
+    salt = '$1$' + salt if type == MD5
+
+    # Pass to crypt in class String (our parent class)
+    crypt = super( salt )
+
+    # Raise an exception if MD5 was wanted, but result is not recognisable
+    if type == MD5 && crypt !~ /^\$1\$/
+      raise CryptError, 'MD5 not implemented'
+    end
+
+    crypt
+  end
+
+end
+
+
+# Display a phonemic password, if run directly.
+#
+if $0 == __FILE__
+  puts Password.phonemic
+end