1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
|
User-Visible krb5-strength Changes
krb5-strength 3.0 (2014-03-25)
The krb5-strength plugin and heimdal-strength program now support a
SQLite password dictionary. This format of dictionary can detect any
password within edit distance one of a dictionary word, meaning that
the dictionary word can be formed by adding, removing, or changing a
single character in the password. A SQLite password dictionary can be
used alone or in combination with any of the other supported
dictionary types. SQLite dictionary support is based on work by David
Mazières.
cdbmake-wordlist has been renamed to krb5-strength-wordlist.
Generating CDB dictionaries now requires the -c option; see the
documentation for more information. A SQLite database of dictionary
words can now be created instead, using the -s option.
A password history implementation for Heimdal is now included. This
is a separate Perl program, heimdal-history, that stacks with the
external program implementation of strength checking. It is not
available in the form of a plugin, only as a Heimdal external password
quality check. (MIT Kerberos provides its own password history
mechanism.) This program has more extensive Perl module dependencies
than the other programs in this distribution.
A new configuration option, minimum_different, can be set to require
that passwords contain at least that many unique characters. This can
be used to reject long strings of identical characters or short
patterns, which may pass other checks but still be too easy to guess.
Update to rra-c-util 5.4:
* Fix portable/krb5.h build with a C++ compiler.
* Use Lancaster Consensus environment variables to control tests.
* Work around perltidy bug that leaves behind stray log files.
Update to C TAP Harness 3.0:
* Reopen standard input to /dev/null when running a test list.
* Don't leak extraneous file descriptors to tests.
krb5-strength 2.2 (2013-12-16)
More complex character class requirements can be specified with the
configuration option require_classes. This option lists the character
classes the password must contain. These restrictions may be
qualified with password length ranges, allowing the requirements to
change with the length of the password. See README for more details
and the option syntax.
cdbmake-wordlist now supports filtering out words based on maximum
length (-L) and arbitrary user-provided regular expressions (-x). It
also supports running in filter mode to produce a new wordlist instead
of a CDB file (-o).
Close a file descriptor and memory leak in the included version of
CrackLib. This problem was already fixed in CrackLib 2.9.0.
Update to rra-c-util 4.12:
* Properly check the return status of snprintf and friends.
Update to C TAP Harness 2.3:
* Suppress lazy plans and test summaries if the test failed with bail.
* Add warn_unused_result gcc attributes to relevant functions.
krb5-strength 2.1 (2013-10-10)
Fix the package build when CDB support is disabled or TinyCDB was not
found.
Some of the password rejection error messages have been changed to
make them more accurate or comprehensible to the user.
Passing --with-tinycdb to configure now correctly makes TinyCDB
support mandatory without adding bogus directories to the library and
include search paths.
krb5-strength 2.0 (2013-10-07)
Add support for the MIT Kerberos password quality plugin interface,
available in MIT Kerberos 1.9 and later, contributed by Greg Hudson
and MIT. Drop the patch for MIT Kerberos 1.4 (and hence support for
versions of MIT Kerberos prior to 1.9). A dictionary path set in
krb5.conf takes precedence over the dictionary path provided by MIT
Kerberos when the plugin is initialized, if both are set, to allow the
dict_path configuration setting to be used for other plugins while
using a separate dictionary for krb5-strength.
The default installation path for this plugin is now
/usr/local/lib/krb5/plugins/pwqual/strength.so (for both MIT and
Heimdal), assuming a --libdir setting of /usr/local/lib. This may
require updates to the Kerberos KDC configuration or moving the plugin
when upgrading from earlier versions.
Add support for building with TinyCDB and then checking passwords
against a CDB database. There is a new password_dictionary_cdb
krb5.conf configuration setting that configures a CDB directory to
use. The tests with a CDB dictionary are much simpler: passwords are
rejected if found in the dictionary either literally, with one or two
characters removed from the start or end, or with one character
removed from both the start and the end. Both a CrackLib and a CDB
dictionary can be specified to check both dictionaries. A new
cdbmake-wordlist utility (written in Perl) is included to ease the
process of creating a CDB database from a simple word list.
A minimum password length can now be enforced directly via the plugin
or external check program without relying on CrackLib. To set a
minimum password length, add a minimum_length setting to the
krb5-strength section of [appdefaults] in krb5.conf.
New boolean settings require_ascii_printable and require_non_letter
are supported in the krb5-strength setting of [appdefaults] in
krb5.conf. The former rejects passwords containing characters other
than printable ASCII characters (including space), and the latter
requires that passwords contain at least one character that is not a
letter (upper or lower case) or a space.
The plugin can now be configured without a dictionary, in which case
only checks for a password based on the principal and the simpler
checks available through the new configuration variables are done.
This mode is mostly useful for testing, since such simple checking can
more easily be done via less complex password strength configurations.
The check for passwords based on the principal now check for passwords
formed by reversing or adding numbers before and after each separate
component of the principal. This will catch passwords based on the
realm or components of the realm, which will often catch passwords
based on the name of the local institution.
The plugin now sets the Kerberos error message in the context to pass
error information, resulting in higher-quality error reporting in the
MIT Kerberos plugin.
CrackLib checks for passwords where a character is a simple increment
or decrement of the previous character. In previous versions, the
embedded version of CrackLib allowed at most four such occurrences in
the entire password. This results in false positives on long
passphrases, since such accidental letter relationships aren't
uncommon in human languages. Change the embedded CrackLib to allow
one such simple increment for every three characters in the password,
which tightens the check somewhat for shorter passwords and loosens it
considerably for longer passwords.
Expect the Heimdal password strength checking plugin header in
kadm5/kadm5-pwcheck.h instead of outside of the kadm5 directory. This
is the path used by current versions of Heimdal. Drop support for
older versions of Heimdal that don't install this header file.
Update to rra-c-util 4.9:
* Probe for Kerberos headers using file checks instead of compiles.
* Improve probe for the Heimdal libroken library.
* Always build with large file support.
* Conditionally call AM_PROG_AR for portability to new Autotools.
Update to C TAP Harness 2.2:
* Allow more easily running single programs under tests/runtests.
* Flush the output from the test harness after each test.
krb5-strength 1.1 (2012-05-11)
Change the minimum password length in the embedded CrackLib to 8.
Reject passwords formed from the username portion of the principal
with digits appended.
In the embedded CrackLib, also check for a duplicated dictionary word.
Support linking with the system CrackLib instead of the embedded and
stricter copy by passing --with-cracklib to configure.
Fix variable sizes in the embedded CrackLib on 64-bit platforms. This
may fix interoperability problems with databases created on platforms
with a different native integer size. Thanks, Karl Lehnberger and
Benj Carson.
Stop using local in the test suite for portability to Solaris /bin/sh.
Update to rra-c-util 4.4:
* Use PATH_KRB5_CONFIG to override krb5-config location.
* Fix probing for ibm_svc/krb5_svc.h on AIX.
* Support Heimdal libraries without libroken, like OpenBSD.
* Fix manual Kerberos library probing without transitive dependencies.
* Support systems that only have krb5/krb5.h.
* Pass --deps to krb5-config in the non-reduced-dependencies case.
* Silence __attribute__ warnings on more compilers.
* Update warning flags for make warnings.
* Flesh out MAINTCLEANFILES to remove autogen results.
* Add notices to all files copied from rra-c-util.
Update to C TAP Harness 1.12:
* Drop is_double from the C TAP library to avoid requiring -lm.
* Avoid using local in the shell libtap.sh library.
* Silence __attribute__ warnings on more compilers.
* runtests now frees all allocated resources on exit.
* Fix runtests to still honor SOURCE and -s without BUILD and -b.
* Add tests/HOWTO documenting how to add new tests.
* Ensure correct output ordering in test results.
* Add -h and a better usage message to tests/runtests.
krb5-strength 1.0 (2010-02-16)
Add heimdal-strength, a program that checks password strength using
the protocol for a Heimdal external check program.
The shared module now also exports the interface expected by Heimdal's
dynamically loaded password strength checking API and can be used as a
Heimdal kadmin plugin.
Add a new plugin API for MIT Kerberos modelled after the plugin API
used for other MIT Kerberos plugins. Thanks to Marcus Watts for
substantial research and contributions to the interface design. This
work is incomplete in this release, missing the corresponding patch to
MIT Kerberos.
Fixed the data format written by the included packer program to add
enough nul bytes at the end of the data. Previously, there was not
enough trailing nul bytes for the expected input format, leading to
uninitialized memory reads in the password lookup.
Add a test suite using the driver and library from C TAP Harness 1.1.
Add portability code for platforms without a working snprintf or other
deficiencies and updated the code to take advantage of those
guarantees.
krb5-strength 0.5 (2007-07-18)
The check of the password against the principal checked against the
fully-qualified principal, which is not the usual problem.
Additionally check that the password doesn't match the principal with
the realm removed or the reverse of that (case-insensitive).
krb5-strength 0.4 (2007-03-28)
The patches directory was omitted from the distribution. Really
include it.
krb5-strength 0.3 (2007-03-23)
Initial public release. Includes a patch for MIT Kerberos, a slightly
modified version of CrackLib, and glue wrapped around CrackLib to make
a loadable module.
|
