1 User-Visible krb5-strength Changes
3 krb5-strength 2.0 (unreleased)
5 Add support for the MIT Kerberos password quality plugin interface,
6 available in MIT Kerberos 1.9 and later, contributed by Greg Hudson
7 and MIT. Drop the patch for MIT Kerberos 1.4 (and hence support for
8 versions of MIT Kerberos prior to 1.9). A dictionary path set in
9 krb5.conf takes precedence over the dictionary path provided by MIT
10 Kerberos when the plugin is initialized, if both are set, to allow the
11 dict_path configuration setting to be used for other plugins while
12 using a separate dictionary for krb5-strength.
14 The default installation path for this plugin is now
15 /usr/local/lib/krb5/plugins/pwqual/strength.so (for both MIT and
16 Heimdal), assuming a --libdir setting of /usr/local/lib. This may
17 require updates to the Kerberos KDC configuration or moving the plugin
18 when upgrading from earlier versions.
20 Add support for building with TinyCDB and then checking passwords
21 against a CDB database. There is a new password_dictionary_cdb
22 krb5.conf configuration setting that configures a CDB directory to
23 use. The tests with a CDB dictionary are much simpler: passwords are
24 rejected if found in the dictionary either literally, with one or two
25 characters removed from the start or end, or with one character
26 removed from both the start and the end. Both a CrackLib and a CDB
27 dictionary can be specified to check both dictionaries. A new
28 cdbmake-wordlist utility (written in Perl) is included to ease the
29 process of creating a CDB database from a simple word list.
31 A minimum password length can now be enforced directly via the plugin
32 or external check program without relying on CrackLib. To set a
33 minimum password length, add a minimum_length setting to the
34 krb5-strength section of [appdefaults] in krb5.conf.
36 New boolean settings require_ascii_printable and require_non_letter
37 are supported in the krb5-strength setting of [appdefaults] in
38 krb5.conf. The former rejects passwords containing characters other
39 than printable ASCII characters (including space), and the latter
40 requires that passwords contain at least one character that is not a
41 letter (upper or lower case) or a space.
43 The plugin can now be configured without a dictionary, in which case
44 only the simpler checks available through the new configuration
45 variables are done. This mode is mostly useful for testing, since
46 such simple checking can more easily be done via less complex password
47 strength configurations.
49 The plugin now sets the Kerberos error message in the context to pass
50 error information, resulting in higher-quality error reporting in the
53 CrackLib checks for passwords where a character is a simple increment
54 or decrement of the previous character. In previous versions, the
55 embedded version of CrackLib allowed at most four such occurrences in
56 the entire password. This results in false positives on long
57 passphrases, since such accidental letter relationships aren't
58 uncommon in human languages. Change the embedded CrackLib to allow
59 one such simple increment for every three characters in the password,
60 which tightens the check somewhat for shorter passwords and loosens it
61 considerably for longer passwords.
63 Expect the Heimdal password strength checking plugin header in
64 kadm5/kadm5-pwcheck.h instead of outside of the kadm5 directory. This
65 is the path used by current versions of Heimdal. Drop support for
66 older versions of Heimdal that don't install this header file.
68 Update to rra-c-util 4.9:
70 * Probe for Kerberos headers using file checks instead of compiles.
71 * Improve probe for the Heimdal libroken library.
72 * Always build with large file support.
73 * Conditionally call AM_PROG_AR for portability to new Autotools.
75 Update to C TAP Harness 2.2:
77 * Allow more easily running single programs under tests/runtests.
78 * Flush the output from the test harness after each test.
80 krb5-strength 1.1 (2012-05-11)
82 Change the minimum password length in the embedded CrackLib to 8.
84 Reject passwords formed from the username portion of the principal
87 In the embedded CrackLib, also check for a duplicated dictionary word.
89 Support linking with the system CrackLib instead of the embedded and
90 stricter copy by passing --with-cracklib to configure.
92 Fix variable sizes in the embedded CrackLib on 64-bit platforms. This
93 may fix interoperability problems with databases created on platforms
94 with a different native integer size. Thanks, Karl Lehnberger and
97 Stop using local in the test suite for portability to Solaris /bin/sh.
99 Update to rra-c-util 4.4:
101 * Use PATH_KRB5_CONFIG to override krb5-config location.
102 * Fix probing for ibm_svc/krb5_svc.h on AIX.
103 * Support Heimdal libraries without libroken, like OpenBSD.
104 * Fix manual Kerberos library probing without transitive dependencies.
105 * Support systems that only have krb5/krb5.h.
106 * Pass --deps to krb5-config in the non-reduced-dependencies case.
107 * Silence __attribute__ warnings on more compilers.
108 * Update warning flags for make warnings.
109 * Flesh out MAINTCLEANFILES to remove autogen results.
110 * Add notices to all files copied from rra-c-util.
112 Update to C TAP Harness 1.12:
114 * Drop is_double from the C TAP library to avoid requiring -lm.
115 * Avoid using local in the shell libtap.sh library.
116 * Silence __attribute__ warnings on more compilers.
117 * runtests now frees all allocated resources on exit.
118 * Fix runtests to still honor SOURCE and -s without BUILD and -b.
119 * Add tests/HOWTO documenting how to add new tests.
120 * Ensure correct output ordering in test results.
121 * Add -h and a better usage message to tests/runtests.
123 krb5-strength 1.0 (2010-02-16)
125 Add heimdal-strength, a program that checks password strength using
126 the protocol for a Heimdal external check program.
128 The shared module now also exports the interface expected by Heimdal's
129 dynamically loaded password strength checking API and can be used as a
130 Heimdal kadmin plugin.
132 Add a new plugin API for MIT Kerberos modelled after the plugin API
133 used for other MIT Kerberos plugins. Thanks to Marcus Watts for
134 substantial research and contributions to the interface design. This
135 work is incomplete in this release, missing the corresponding patch to
138 Fixed the data format written by the included packer program to add
139 enough nul bytes at the end of the data. Previously, there was not
140 enough trailing nul bytes for the expected input format, leading to
141 uninitialized memory reads in the password lookup.
143 Add a test suite using the driver and library from C TAP Harness 1.1.
145 Add portability code for platforms without a working snprintf or other
146 deficiencies and updated the code to take advantage of those
149 krb5-strength 0.5 (2007-07-18)
151 The check of the password against the principal checked against the
152 fully-qualified principal, which is not the usual problem.
153 Additionally check that the password doesn't match the principal with
154 the realm removed or the reverse of that (case-insensitive).
156 krb5-strength 0.4 (2007-03-28)
158 The patches directory was omitted from the distribution. Really
161 krb5-strength 0.3 (2007-03-23)
163 Initial public release. Includes a patch for MIT Kerberos, a slightly
164 modified version of CrackLib, and glue wrapped around CrackLib to make