1 User-Visible krb5-strength Changes
3 krb5-strength 3.0 (unreleased)
5 A password history implementation for Heimdal is now included. This
6 is a separate Perl program, heimdal-history, that stacks with the
7 external program implementation of strength checking. It is not
8 available in the form of a plugin, only as a Heimdal external password
9 quality check. (MIT Kerberos provides its own password history
10 mechanism.) This program has more extensive Perl module dependencies
11 than the other programs in this distribution.
13 krb5-strength 2.2 (2013-12-16)
15 More complex character class requirements can be specified with the
16 configuration option require_classes. This option lists the character
17 classes the password must contain. These restrictions may be
18 qualified with password length ranges, allowing the requirements to
19 change with the length of the password. See README for more details
20 and the option syntax.
22 cdbmake-wordlist now supports filtering out words based on maximum
23 length (-L) and arbitrary user-provided regular expressions (-x). It
24 also supports running in filter mode to produce a new wordlist instead
27 Close a file descriptor and memory leak in the included version of
28 CrackLib. This problem was already fixed in CrackLib 2.9.0.
30 Update to rra-c-util 4.12:
32 * Properly check the return status of snprintf and friends.
34 Update to C TAP Harness 2.3:
36 * Suppress lazy plans and test summaries if the test failed with bail.
37 * Add warn_unused_result gcc attributes to relevant functions.
39 krb5-strength 2.1 (2013-10-10)
41 Fix the package build when CDB support is disabled or TinyCDB was not
44 Some of the password rejection error messages have been changed to
45 make them more accurate or comprehensible to the user.
47 Passing --with-tinycdb to configure now correctly makes TinyCDB
48 support mandatory without adding bogus directories to the library and
51 krb5-strength 2.0 (2013-10-07)
53 Add support for the MIT Kerberos password quality plugin interface,
54 available in MIT Kerberos 1.9 and later, contributed by Greg Hudson
55 and MIT. Drop the patch for MIT Kerberos 1.4 (and hence support for
56 versions of MIT Kerberos prior to 1.9). A dictionary path set in
57 krb5.conf takes precedence over the dictionary path provided by MIT
58 Kerberos when the plugin is initialized, if both are set, to allow the
59 dict_path configuration setting to be used for other plugins while
60 using a separate dictionary for krb5-strength.
62 The default installation path for this plugin is now
63 /usr/local/lib/krb5/plugins/pwqual/strength.so (for both MIT and
64 Heimdal), assuming a --libdir setting of /usr/local/lib. This may
65 require updates to the Kerberos KDC configuration or moving the plugin
66 when upgrading from earlier versions.
68 Add support for building with TinyCDB and then checking passwords
69 against a CDB database. There is a new password_dictionary_cdb
70 krb5.conf configuration setting that configures a CDB directory to
71 use. The tests with a CDB dictionary are much simpler: passwords are
72 rejected if found in the dictionary either literally, with one or two
73 characters removed from the start or end, or with one character
74 removed from both the start and the end. Both a CrackLib and a CDB
75 dictionary can be specified to check both dictionaries. A new
76 cdbmake-wordlist utility (written in Perl) is included to ease the
77 process of creating a CDB database from a simple word list.
79 A minimum password length can now be enforced directly via the plugin
80 or external check program without relying on CrackLib. To set a
81 minimum password length, add a minimum_length setting to the
82 krb5-strength section of [appdefaults] in krb5.conf.
84 New boolean settings require_ascii_printable and require_non_letter
85 are supported in the krb5-strength setting of [appdefaults] in
86 krb5.conf. The former rejects passwords containing characters other
87 than printable ASCII characters (including space), and the latter
88 requires that passwords contain at least one character that is not a
89 letter (upper or lower case) or a space.
91 The plugin can now be configured without a dictionary, in which case
92 only checks for a password based on the principal and the simpler
93 checks available through the new configuration variables are done.
94 This mode is mostly useful for testing, since such simple checking can
95 more easily be done via less complex password strength configurations.
97 The check for passwords based on the principal now check for passwords
98 formed by reversing or adding numbers before and after each separate
99 component of the principal. This will catch passwords based on the
100 realm or components of the realm, which will often catch passwords
101 based on the name of the local institution.
103 The plugin now sets the Kerberos error message in the context to pass
104 error information, resulting in higher-quality error reporting in the
107 CrackLib checks for passwords where a character is a simple increment
108 or decrement of the previous character. In previous versions, the
109 embedded version of CrackLib allowed at most four such occurrences in
110 the entire password. This results in false positives on long
111 passphrases, since such accidental letter relationships aren't
112 uncommon in human languages. Change the embedded CrackLib to allow
113 one such simple increment for every three characters in the password,
114 which tightens the check somewhat for shorter passwords and loosens it
115 considerably for longer passwords.
117 Expect the Heimdal password strength checking plugin header in
118 kadm5/kadm5-pwcheck.h instead of outside of the kadm5 directory. This
119 is the path used by current versions of Heimdal. Drop support for
120 older versions of Heimdal that don't install this header file.
122 Update to rra-c-util 4.9:
124 * Probe for Kerberos headers using file checks instead of compiles.
125 * Improve probe for the Heimdal libroken library.
126 * Always build with large file support.
127 * Conditionally call AM_PROG_AR for portability to new Autotools.
129 Update to C TAP Harness 2.2:
131 * Allow more easily running single programs under tests/runtests.
132 * Flush the output from the test harness after each test.
134 krb5-strength 1.1 (2012-05-11)
136 Change the minimum password length in the embedded CrackLib to 8.
138 Reject passwords formed from the username portion of the principal
139 with digits appended.
141 In the embedded CrackLib, also check for a duplicated dictionary word.
143 Support linking with the system CrackLib instead of the embedded and
144 stricter copy by passing --with-cracklib to configure.
146 Fix variable sizes in the embedded CrackLib on 64-bit platforms. This
147 may fix interoperability problems with databases created on platforms
148 with a different native integer size. Thanks, Karl Lehnberger and
151 Stop using local in the test suite for portability to Solaris /bin/sh.
153 Update to rra-c-util 4.4:
155 * Use PATH_KRB5_CONFIG to override krb5-config location.
156 * Fix probing for ibm_svc/krb5_svc.h on AIX.
157 * Support Heimdal libraries without libroken, like OpenBSD.
158 * Fix manual Kerberos library probing without transitive dependencies.
159 * Support systems that only have krb5/krb5.h.
160 * Pass --deps to krb5-config in the non-reduced-dependencies case.
161 * Silence __attribute__ warnings on more compilers.
162 * Update warning flags for make warnings.
163 * Flesh out MAINTCLEANFILES to remove autogen results.
164 * Add notices to all files copied from rra-c-util.
166 Update to C TAP Harness 1.12:
168 * Drop is_double from the C TAP library to avoid requiring -lm.
169 * Avoid using local in the shell libtap.sh library.
170 * Silence __attribute__ warnings on more compilers.
171 * runtests now frees all allocated resources on exit.
172 * Fix runtests to still honor SOURCE and -s without BUILD and -b.
173 * Add tests/HOWTO documenting how to add new tests.
174 * Ensure correct output ordering in test results.
175 * Add -h and a better usage message to tests/runtests.
177 krb5-strength 1.0 (2010-02-16)
179 Add heimdal-strength, a program that checks password strength using
180 the protocol for a Heimdal external check program.
182 The shared module now also exports the interface expected by Heimdal's
183 dynamically loaded password strength checking API and can be used as a
184 Heimdal kadmin plugin.
186 Add a new plugin API for MIT Kerberos modelled after the plugin API
187 used for other MIT Kerberos plugins. Thanks to Marcus Watts for
188 substantial research and contributions to the interface design. This
189 work is incomplete in this release, missing the corresponding patch to
192 Fixed the data format written by the included packer program to add
193 enough nul bytes at the end of the data. Previously, there was not
194 enough trailing nul bytes for the expected input format, leading to
195 uninitialized memory reads in the password lookup.
197 Add a test suite using the driver and library from C TAP Harness 1.1.
199 Add portability code for platforms without a working snprintf or other
200 deficiencies and updated the code to take advantage of those
203 krb5-strength 0.5 (2007-07-18)
205 The check of the password against the principal checked against the
206 fully-qualified principal, which is not the usual problem.
207 Additionally check that the password doesn't match the principal with
208 the realm removed or the reverse of that (case-insensitive).
210 krb5-strength 0.4 (2007-03-28)
212 The patches directory was omitted from the distribution. Really
215 krb5-strength 0.3 (2007-03-23)
217 Initial public release. Includes a patch for MIT Kerberos, a slightly
218 modified version of CrackLib, and glue wrapped around CrackLib to make