author:    Werner Koch <wk@gnupg.org>  2007-08-27 20:10:27 +0200
committer: Werner Koch <wk@gnupg.org>  2007-08-27 20:10:27 +0200
commit:    15d0cb42a19cc88448993d4aa7a9ca207ccc1598 (patch)
tree:      8625d9d35542e43d659b58c378e6c968b73bbbeb /doc
parent:    try harder to ignore duplicate specified keyrings and -boxes.
Implemented more gpg-agent options to support certain passphrase policies.
New tool gpg-check-pattern.
Diffstat (limited to 'doc')
-rw-r--r--  doc/ChangeLog               |  4
-rw-r--r--  doc/Makefile.am             |  2
-rw-r--r--  doc/examples/pwpattern.list | 48
-rw-r--r--  doc/gpg-agent.texi          | 27
4 files changed, 80 insertions, 1 deletions
diff --git a/doc/ChangeLog b/doc/ChangeLog
index d4ade07d9..10c9f1bb9 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -1,3 +1,7 @@
+2007-08-27 Werner Koch <wk@g10code.com>
+
+ * examples/pwpattern.list: New.
+
2007-08-24 Werner Koch <wk@g10code.com>
* debugging.texi (Common Problems): Add "A root certifciate does
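Review bot: the new ChangeLog entry records only `* examples/pwpattern.list: New.`, but this commit also changes doc/Makefile.am (pwpattern.list added to `examples`) and doc/gpg-agent.texi (three new options), so the entry is incomplete. Add lines such as `* Makefile.am (examples): Add pwpattern.list.` and `* gpg-agent.texi: Document --enforce-passphrase-constraints, --min-passphrase-nonalpha and --check-passphrase-pattern.` so the ChangeLog remains a full record of the documentation changes.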
diff --git a/doc/Makefile.am b/doc/Makefile.am
index 3d84bb814..1c5dd409b 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -18,7 +18,7 @@
## Process this file with automake to produce Makefile.in
examples = examples/README examples/scd-event examples/trustlist.txt \
- examples/gpgconf.conf
+ examples/gpgconf.conf examples/pwpattern.list
EXTRA_DIST = DETAILS HACKING TRANSLATE OpenPGP KEYSERVER samplekeys.asc \
gnupg-logo.eps gnupg-logo.pdf gnupg-logo.png \
diff --git a/doc/examples/pwpattern.list b/doc/examples/pwpattern.list
new file mode 100644
index 000000000..251c2d40b
--- /dev/null
+++ b/doc/examples/pwpattern.list
@@ -0,0 +1,48 @@
+# pwpattern.list -*- default-generic -*-
+#
+# This is an example for a pattern file as used by gpg-check-pattern.
+# The file is line based with comment lines beginning on the *first*
+# position with a '#'. Empty lines and lines with just spaces are
+# ignored. The other lines may be verbatim patterns and match as they
+# are (trailing spaces are ignored) or extended regular expressions
+# indicated by a / in the first column and terminated by another / or
+# end of line. All comparisons are case insensitive.
+
+# Reject the usual metavariables. Usual not required because
+# gpg-agent can be used to reject all passphrases shorter than 8
+# charactes.
+foo
+bar
+baz
+
+# As well as very common passwords. Note that gpg-agent can be used
+# to reject them due to missing non-alpha characters.
+password
+passwort
+passphrase
+mantra
+test
+abc
+egal
+
+# German number plates.
+/^[A-Z]{1,3}[ ]*-[ ]*[A-Z]{1,2}[ ]*[0-9]+/
+
+# Dates (very limited, only ISO dates). */
+/^[012][0-9][0-9][0-9]-[012][0-9]-[0123][0-9]$/
+
+# Arbitrary strings
+the quick brown fox jumps over the lazy dogs back
+no-password
+no password
+
+12345678
+123456789
+1234567890
+87654321
+987654321
+0987654321
+qwertyuiop
+qwertzuiop
+asdfghjkl
+zxcvbnm
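Review bot: the header comment (`# The other lines may be verbatim patterns and match as they are`) never says whether a verbatim line must equal the whole passphrase or merely occur somewhere inside it; with substring semantics the short entries `foo`, `test` and `abc` would reject a large number of otherwise acceptable passphrases, while with whole-string semantics the unanchored ends of the regex lines (the number-plate pattern has `^` but no `$`) behave differently from the verbatim ones. State the matching rule explicitly in the header and anchor the regexes accordingly. Minor copy-edits in the same hunk: `Usual not required` should read `Usually not required`, `charactes` should be `characters`, and the trailing ` */` on `# Dates (very limited, only ISO dates). */` is leftover C comment syntax in a `#`-commented file.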
diff --git a/doc/gpg-agent.texi b/doc/gpg-agent.texi
index 156fe533e..9751eee78 100644
--- a/doc/gpg-agent.texi
+++ b/doc/gpg-agent.texi
@@ -334,11 +334,38 @@ Set the maximum time a cache entry used for SSH keys is valid to @var{n}
seconds. After this time a cache entry will get expired even if it has
been accessed recently. The default are 2 hours (7200 seconds).
+@item --enforce-passphrase-constraints
+@opindex enforce-passphrase-constraints
+Enforce the passphrase constraints by not allowing the user to bypass
+them using the ``Take it anyway'' button.
+
@item --min-passphrase-len @var{n}
@opindex min-passphrase-len
Set the minimal length of a passphrase. When entering a new passphrase
shorter than this value a warning will be displayed. Defaults to 8.
+@item --min-passphrase-nonalpha @var{n}
+@opindex min-passphrase-nonalpha
+Set the minimal number of digits or special characters required in a
+passphrase. When entering a new passphrase with less than this number
+of digits or special characters a warning will be displayed. Defaults
+to 1.
+
+@item --check-passphrase-pattern @var{file}
+@opindex check-passphrase-pattern
+Check the passphrase against the pattern given in @var{file}. When
+entering a new passphrase matching one of these pattern a warning will
+be displayed. @var{file} should be an absolute filename. The default is
+not to use any pattern file.
+
+Security note: It is known that checking a passphrase against a list of
+pattern or even against a complete dictionary is not very effective to
+enforce good passphrases. Users will soon figure up ways to bypass such
+a policy. A better policy is to educate users on good security
+behavior and optional to run a passphrase cracker regularly on all
+users passphrases t catch the very simple ones.
+
+
@item --pinentry-program @var(unknown)
@opindex pinentry-program
Use program @var(unknown) as the PIN entry. The default is installation
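Review bot: the `--check-passphrase-pattern` description leaves the reader without any reference to the pattern file format; point to doc/examples/pwpattern.list (added in this commit) and to the gpg-check-pattern tool named in the commit message, since the syntax (verbatim lines versus `/regex/` lines, case-insensitive comparison) is otherwise undocumented here. It would also help to note under `--enforce-passphrase-constraints` that the three constraint options, which each currently promise only that "a warning will be displayed", become hard rejections when it is set. The security note needs copy-editing as well: `figure up` should be `figure out`, `optional to run` should be `optionally to run`, `t catch` should be `to catch`, `users passphrases` should be `users' passphrases`, and `pattern` should be plural in `one of these pattern` and `a list of pattern`. Finally, the double blank line before `@item --pinentry-program` should be collapsed to one to match the surrounding entries.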