1 User-Visible krb5-strength Changes
3 krb5-strength 3.3 (2023-12-25)
5 heimdal-history now requires the Perl modules Const::Fast and
6 JSON::MaybeXS instead of Readonly and JSON.
8 Increase hash iterations for heimdal-history by about 10% to maintain
9 the time required for a password hash at about 0.1 seconds on not
10 horribly modern hardware. This will affect newly-stored history
11 entries but will not invalidate existing password history entries.
13 Explicitly erase the copy of the password made in the Heimdal plugin
14 before freeing memory.
16 Add a spec file for building RPMs, contributed by Daria Phoebe
19 Update to rra-c-util 10.5:
21 * Assume a working snprintf rather than supplying a replacement.
22 * Fix detection of reallocarray on NetBSD.
23 * Check that Kerberos header files were found during configure.
24 * Use AS_ECHO in all Autoconf macros.
25 * Always use lib32 or lib64 if it exists, even on Debian.
26 * Fix rejection of unknown Clang warning flags.
27 * Disable -Wreserved-identifier for Clang warning builds.
29 krb5-strength 3.2 (2020-05-17)
31 Add new -c (--check-only) option to heimdal-history to check whether a
32 password would be accepted without updating the history or password
33 length databases. Based on work by macrotex.
35 Increase hash iterations for heimdal-history by roughly a factor of
36 four to increase the time required for a password hash to about 0.1
37 seconds on modern hardware. This will affect newly-stored history
38 entries but will not invalidate existing password history entries.
40 Support building without CrackLib support by passing
41 --without-cracklib to configure. This makes the code a bit simpler
42 and lighter if you don't intend to ever use the CrackLib support.
44 krb5-strength-wordlist now requires Perl 5.010 or later.
46 Use explicit_bzero instead of memset, where available, to overwrite
47 copies of passwords before freeing memory. This reduces the lifetime
48 of passwords in memory.
50 Skip tests that require the stronger rule configuration in the
51 embedded CrackLib when built against system CrackLib. This avoids
52 test failures when built with system CrackLib.
54 Rework the check-valgrind target to use the new C TAP Harness valgrind
55 support and automatically check the valgrind log files for errors at
56 the end of the test suite.
58 Add SPDX-License-Identifier headers to all substantial source files
59 other than those in the bundled version of CrackLib.
61 Update to rra-c-util 8.2:
63 * Implement explicit_bzero with memset if it is not available.
64 * Reformat all C source using clang-format 10.
65 * Work around Test::Strict not skipping .git directories.
66 * Fix warnings with perltidy 20190601 and Perl::Critic 1.134.
67 * Improve check for obsolete strings.
68 * Use a more standard all-permissive license.
69 * Add SPDX-License-Identifier headers to all substantial source files.
70 * Skip more build system files when running the test suite.
71 * Fix warnings with Clang 10, GCC 10, and the Clang static analyzer.
72 * Exclude more valgrind false positives with Kerberos libraries.
73 * Improve support for AIX's bundled Kerberos.
75 Update to C TAP Harness 4.7:
77 * Fix warnings with GCC 10.
78 * Reformat all C source using clang-format 10.
79 * Fixed malloc error checking in bstrndup.
80 * Add support for valgrind testing via test list options.
81 * Report test failures as left and right, not wanted and seen.
82 * Fix is_string comparisons involving NULL pointers and "(null)".
83 * Add SPDX-License-Identifier headers to all substantial source files.
85 krb5-strength 3.1 (2016-12-25)
87 A new configuration option, cracklib_maxlen, can be set to skip
88 CrackLib checks of passwords longer than that length. The CrackLib
89 rules were designed in a world in which most passwords were four to
90 eight characters long and tend to spuriously reject longer passwords.
91 SQLite dictionaries work better for checking longer passwords and
92 passphrases. Patch from Jorj Bauer.
94 The require_classes configuration option can now require a particular
95 number of character classes in the password (whatever those classes
96 are). Patch from Toby Blake.
98 Change the error messages returned for passwords that fail strength
99 checking to start with a capital letter. This appears to be more
100 consistent with the error message conventions used inside Heimdal.
102 Change the DB_File::Lock calling method in heimdal-history to work
103 properly with the (buggy) CPAN version of DB_File::Lock, instead of
104 relying on Debian's patched version. Thanks to Bernt Jernberg for the
107 Apply the SuSE patch for a buffer overflow when using duplicate rules
108 to the embedded CrackLib. No duplicating rules are used in the rule
109 set included with this package, and this package doesn't expose the
110 general API, so this was not exploitable, but best to close the latent
111 issue. (The other recent CrackLib vulnerability, CVE-2016-6318,
112 doesn't apply since all the GECOS manipulation code was removed from
113 the embedded CrackLib in this package.)
115 Patch the mkdict and packer in the embedded copy of CrackLib to force
116 C locale when sorting (avoiding a corrupted dictionary) and warn and
117 skip out-of-order words rather than creating a corrupted dictionary.
118 Patch from Mark Sirota.
120 Configuration instrutions are now in the heimdal-history and
121 heimdal-strength man pages and a new krb5-strength man page (which
122 documents configuration of the KDC plugin) instead of the README file
123 to make it more accessible after the software has been installed.
125 Update to rra-c-util 6.2:
127 * Use calloc in preference to malloc wherever appropriate.
128 * Use reallocarray in preference to realloc wherever appropriate.
129 * Suppress warnings from Kerberos headers under make warnings.
130 * Support the embedded Kerberos in Solaris 10 in library probes.
131 * Add missing va_end in xasprintf implementation.
132 * Fix logic in Test::RRA::Automake for new Automake dist checking.
133 * Fix all return-value checks for snprintf to avoid off-by-one error.
134 * Update warning flags for make warnings to GCC 6.1.0.
135 * Fix Test::RRA::Config for new "do" semantics in Perl 5.22.2.
136 * Add a new test for obsolete eyrie.org URLs.
137 * Require Test::Strict 0.25 or newer for Perl strictness checks.
139 Update to C TAP Harness 4.1:
141 * Replace all remaining uses of sprintf.
142 * Test lists may now have comments and blank lines.
143 * runtests -v will show the complete output from a test.
144 * Fix segfault in runtests when given an empty test list.
145 * Tests use C_TAP_SOURCE and C_TAP_BUILD instead of SOURCE and BUILD.
147 krb5-strength 3.0 (2014-03-25)
149 The krb5-strength plugin and heimdal-strength program now support a
150 SQLite password dictionary. This format of dictionary can detect any
151 password within edit distance one of a dictionary word, meaning that
152 the dictionary word can be formed by adding, removing, or changing a
153 single character in the password. A SQLite password dictionary can be
154 used alone or in combination with any of the other supported
155 dictionary types. SQLite dictionary support is based on work by David
158 cdbmake-wordlist has been renamed to krb5-strength-wordlist.
159 Generating CDB dictionaries now requires the -c option; see the
160 documentation for more information. A SQLite database of dictionary
161 words can now be created instead, using the -s option.
163 A password history implementation for Heimdal is now included. This
164 is a separate Perl program, heimdal-history, that stacks with the
165 external program implementation of strength checking. It is not
166 available in the form of a plugin, only as a Heimdal external password
167 quality check. (MIT Kerberos provides its own password history
168 mechanism.) This program has more extensive Perl module dependencies
169 than the other programs in this distribution.
171 A new configuration option, minimum_different, can be set to require
172 that passwords contain at least that many unique characters. This can
173 be used to reject long strings of identical characters or short
174 patterns, which may pass other checks but still be too easy to guess.
176 Update to rra-c-util 5.4:
178 * Fix portable/krb5.h build with a C++ compiler.
179 * Use Lancaster Consensus environment variables to control tests.
180 * Work around perltidy bug that leaves behind stray log files.
182 Update to C TAP Harness 3.0:
184 * Reopen standard input to /dev/null when running a test list.
185 * Don't leak extraneous file descriptors to tests.
187 krb5-strength 2.2 (2013-12-16)
189 More complex character class requirements can be specified with the
190 configuration option require_classes. This option lists the character
191 classes the password must contain. These restrictions may be
192 qualified with password length ranges, allowing the requirements to
193 change with the length of the password. See README for more details
194 and the option syntax.
196 cdbmake-wordlist now supports filtering out words based on maximum
197 length (-L) and arbitrary user-provided regular expressions (-x). It
198 also supports running in filter mode to produce a new wordlist instead
201 Close a file descriptor and memory leak in the included version of
202 CrackLib. This problem was already fixed in CrackLib 2.9.0.
204 Update to rra-c-util 4.12:
206 * Properly check the return status of snprintf and friends.
208 Update to C TAP Harness 2.3:
210 * Suppress lazy plans and test summaries if the test failed with bail.
211 * Add warn_unused_result gcc attributes to relevant functions.
213 krb5-strength 2.1 (2013-10-10)
215 Fix the package build when CDB support is disabled or TinyCDB was not
218 Some of the password rejection error messages have been changed to
219 make them more accurate or comprehensible to the user.
221 Passing --with-tinycdb to configure now correctly makes TinyCDB
222 support mandatory without adding bogus directories to the library and
223 include search paths.
225 krb5-strength 2.0 (2013-10-07)
227 Add support for the MIT Kerberos password quality plugin interface,
228 available in MIT Kerberos 1.9 and later, contributed by Greg Hudson
229 and MIT. Drop the patch for MIT Kerberos 1.4 (and hence support for
230 versions of MIT Kerberos prior to 1.9). A dictionary path set in
231 krb5.conf takes precedence over the dictionary path provided by MIT
232 Kerberos when the plugin is initialized, if both are set, to allow the
233 dict_path configuration setting to be used for other plugins while
234 using a separate dictionary for krb5-strength.
236 The default installation path for this plugin is now
237 /usr/local/lib/krb5/plugins/pwqual/strength.so (for both MIT and
238 Heimdal), assuming a --libdir setting of /usr/local/lib. This may
239 require updates to the Kerberos KDC configuration or moving the plugin
240 when upgrading from earlier versions.
242 Add support for building with TinyCDB and then checking passwords
243 against a CDB database. There is a new password_dictionary_cdb
244 krb5.conf configuration setting that configures a CDB directory to
245 use. The tests with a CDB dictionary are much simpler: passwords are
246 rejected if found in the dictionary either literally, with one or two
247 characters removed from the start or end, or with one character
248 removed from both the start and the end. Both a CrackLib and a CDB
249 dictionary can be specified to check both dictionaries. A new
250 cdbmake-wordlist utility (written in Perl) is included to ease the
251 process of creating a CDB database from a simple word list.
253 A minimum password length can now be enforced directly via the plugin
254 or external check program without relying on CrackLib. To set a
255 minimum password length, add a minimum_length setting to the
256 krb5-strength section of [appdefaults] in krb5.conf.
258 New boolean settings require_ascii_printable and require_non_letter
259 are supported in the krb5-strength setting of [appdefaults] in
260 krb5.conf. The former rejects passwords containing characters other
261 than printable ASCII characters (including space), and the latter
262 requires that passwords contain at least one character that is not a
263 letter (upper or lower case) or a space.
265 The plugin can now be configured without a dictionary, in which case
266 only checks for a password based on the principal and the simpler
267 checks available through the new configuration variables are done.
268 This mode is mostly useful for testing, since such simple checking can
269 more easily be done via less complex password strength configurations.
271 The check for passwords based on the principal now check for passwords
272 formed by reversing or adding numbers before and after each separate
273 component of the principal. This will catch passwords based on the
274 realm or components of the realm, which will often catch passwords
275 based on the name of the local institution.
277 The plugin now sets the Kerberos error message in the context to pass
278 error information, resulting in higher-quality error reporting in the
281 CrackLib checks for passwords where a character is a simple increment
282 or decrement of the previous character. In previous versions, the
283 embedded version of CrackLib allowed at most four such occurrences in
284 the entire password. This results in false positives on long
285 passphrases, since such accidental letter relationships aren't
286 uncommon in human languages. Change the embedded CrackLib to allow
287 one such simple increment for every three characters in the password,
288 which tightens the check somewhat for shorter passwords and loosens it
289 considerably for longer passwords.
291 Expect the Heimdal password strength checking plugin header in
292 kadm5/kadm5-pwcheck.h instead of outside of the kadm5 directory. This
293 is the path used by current versions of Heimdal. Drop support for
294 older versions of Heimdal that don't install this header file.
296 Update to rra-c-util 4.9:
298 * Probe for Kerberos headers using file checks instead of compiles.
299 * Improve probe for the Heimdal libroken library.
300 * Always build with large file support.
301 * Conditionally call AM_PROG_AR for portability to new Autotools.
303 Update to C TAP Harness 2.2:
305 * Allow more easily running single programs under tests/runtests.
306 * Flush the output from the test harness after each test.
308 krb5-strength 1.1 (2012-05-11)
310 Change the minimum password length in the embedded CrackLib to 8.
312 Reject passwords formed from the username portion of the principal
313 with digits appended.
315 In the embedded CrackLib, also check for a duplicated dictionary word.
317 Support linking with the system CrackLib instead of the embedded and
318 stricter copy by passing --with-cracklib to configure.
320 Fix variable sizes in the embedded CrackLib on 64-bit platforms. This
321 may fix interoperability problems with databases created on platforms
322 with a different native integer size. Thanks, Karl Lehnberger and
325 Stop using local in the test suite for portability to Solaris /bin/sh.
327 Update to rra-c-util 4.4:
329 * Use PATH_KRB5_CONFIG to override krb5-config location.
330 * Fix probing for ibm_svc/krb5_svc.h on AIX.
331 * Support Heimdal libraries without libroken, like OpenBSD.
332 * Fix manual Kerberos library probing without transitive dependencies.
333 * Support systems that only have krb5/krb5.h.
334 * Pass --deps to krb5-config in the non-reduced-dependencies case.
335 * Silence __attribute__ warnings on more compilers.
336 * Update warning flags for make warnings.
337 * Flesh out MAINTCLEANFILES to remove autogen results.
338 * Add notices to all files copied from rra-c-util.
340 Update to C TAP Harness 1.12:
342 * Drop is_double from the C TAP library to avoid requiring -lm.
343 * Avoid using local in the shell libtap.sh library.
344 * Silence __attribute__ warnings on more compilers.
345 * runtests now frees all allocated resources on exit.
346 * Fix runtests to still honor SOURCE and -s without BUILD and -b.
347 * Add tests/HOWTO documenting how to add new tests.
348 * Ensure correct output ordering in test results.
349 * Add -h and a better usage message to tests/runtests.
351 krb5-strength 1.0 (2010-02-16)
353 Add heimdal-strength, a program that checks password strength using
354 the protocol for a Heimdal external check program.
356 The shared module now also exports the interface expected by Heimdal's
357 dynamically loaded password strength checking API and can be used as a
358 Heimdal kadmin plugin.
360 Add a new plugin API for MIT Kerberos modelled after the plugin API
361 used for other MIT Kerberos plugins. Thanks to Marcus Watts for
362 substantial research and contributions to the interface design. This
363 work is incomplete in this release, missing the corresponding patch to
366 Fixed the data format written by the included packer program to add
367 enough nul bytes at the end of the data. Previously, there was not
368 enough trailing nul bytes for the expected input format, leading to
369 uninitialized memory reads in the password lookup.
371 Add a test suite using the driver and library from C TAP Harness 1.1.
373 Add portability code for platforms without a working snprintf or other
374 deficiencies and updated the code to take advantage of those
377 krb5-strength 0.5 (2007-07-18)
379 The check of the password against the principal checked against the
380 fully-qualified principal, which is not the usual problem.
381 Additionally check that the password doesn't match the principal with
382 the realm removed or the reverse of that (case-insensitive).
384 krb5-strength 0.4 (2007-03-28)
386 The patches directory was omitted from the distribution. Really
389 krb5-strength 0.3 (2007-03-23)
391 Initial public release. Includes a patch for MIT Kerberos, a slightly
392 modified version of CrackLib, and glue wrapped around CrackLib to make