New upstream version 3.2

[kerberos/krb5-strength.git] / tools / heimdal-strength.1

.\" Automatically generated by Pod::Man 4.11 (Pod::Simple 3.35)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings.  \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
.    ds -- \(*W-
.    ds PI pi
.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
.    ds L" ""
.    ds R" ""
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds -- \|\(em\|
.    ds PI \(*p
.    ds L" ``
.    ds R" ''
.    ds C`
.    ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD.  Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
.    if \nF \{\
.        de IX
.        tm Index:\\$1\t\\n%\t"\\$2"
..
.        if !\nF==2 \{\
.            nr % 0
.            nr F 2
.        \}
.    \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
.    \" fudge factors for nroff and troff
.if n \{\
.    ds #H 0
.    ds #V .8m
.    ds #F .3m
.    ds #[ \f1
.    ds #] \fP
.\}
.if t \{\
.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
.    ds #V .6m
.    ds #F 0
.    ds #[ \&
.    ds #] \&
.\}
.    \" simple accents for nroff and troff
.if n \{\
.    ds ' \&
.    ds ` \&
.    ds ^ \&
.    ds , \&
.    ds ~ ~
.    ds /
.\}
.if t \{\
.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
.    \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
.    \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
.    \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
.    ds : e
.    ds 8 ss
.    ds o a
.    ds d- d\h'-1'\(ga
.    ds D- D\h'-1'\(hy
.    ds th \o'bp'
.    ds Th \o'LP'
.    ds ae ae
.    ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "HEIMDAL-STRENGTH 1"
.TH HEIMDAL-STRENGTH 1 "2020-05-17" "3.2" "krb5-strength"
.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
heimdal\-strength \- Heimdal password quality check embedding CrackLib
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBheimdal-strength\fR [\fIprincipal\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBheimdal-strength\fR is an external password quality check program for
Heimdal that verifies the strength of a password.  Passwords can be tested
with CrackLib, checked against a \s-1CDB\s0 database of known weak passwords,
checked for length, checked for non-printable or non-ASCII characters that
may be difficult to enter reproducibly, required to contain particular
character classes, or any combination of these tests.  It is normally run
via \fBkpasswdd\fR\|(8) using the Heimdal password quality check interface rather
than directly.
.PP
To use this program, it must be configured in \fIkrb5.conf\fR via settings
in \f(CW\*(C`[appdefaults]\*(C'\fR for the application name \f(CW\*(C`krb5\-strength\*(C'\fR.  A typical
setting would be:
.PP
.Vb 3
\&    krb5\-strength = {
\&        password_dictionary = /usr/local/lib/kadmind/dictionary
\&    }
.Ve
.PP
which says to check passwords with CrackLib using the given path as the
base path of the CrackLib dictionary.  See \*(L"\s-1CONFIGURATION\*(R"\s0 below for
details on the supported configuration options.
.PP
\&\fBheimdal-strength\fR then expects the Heimdal password quality check
information on standard input, specifically:
.PP
.Vb 3
\&    principal: <principal>
\&    new\-password: <password>
\&    end
.Ve
.PP
where <principal> is the principal whose password would be changed and
<password> is the new password.  If the password appears to be strong, it
prints \f(CW\*(C`APPROVED\*(C'\fR on standard output and exits with a status of 0.  If
the password is rejected as being too weak, it will print the reason for
rejecting the password on standard error and exit with a status of 0.  If
some fatal error occurs, it will print that error to standard error and
exit with a non-zero status.
.SH "CONFIGURATION"
.IX Header "CONFIGURATION"
The following \fIkrb5.conf\fR configuration options are supported:
.IP "cracklib_maxlen" 4
.IX Item "cracklib_maxlen"
Normally, all passwords are checked with CrackLib if a CrackLib dictionary
is defined.  However, CrackLib's rules were designed for a world in which
most passwords were four to eight characters long, and tends to spuriously
reject a lot of passphrases.  If this option is set to something other
than its default of 0, passwords longer than that length bypass CrackLib
checks.  (Using a SQLite dictionary for longer passwords is strongly
recommended.)
.IP "minimum_different" 4
.IX Item "minimum_different"
If set to a numeric value, passwords with fewer than this number of unique
characters will be rejected.  This can be used to reject, for example,
passwords that are long strings of the same character or repetitions of
small numbers of characters, which may be too easy to guess.
.IP "minimum_length" 4
.IX Item "minimum_length"
If set to a numeric value, passwords with fewer than that number of
characters will be rejected, independent of any length restrictions in
CrackLib.  Note that this setting does not bypass the minimum length
requirements in CrackLib itself.
.IP "password_dictionary" 4
.IX Item "password_dictionary"
Specifies the base path to a CrackLib dictionary and enables password
strength testing using CrackLib.  The provided path should be the full
path to the dictionary files, omitting the trailing \fI*.hwm\fR, \fI*.pwd\fR,
and \fI*.pwi\fR extensions for the CrackLib dictionary.
.IP "password_dictionary_cdb" 4
.IX Item "password_dictionary_cdb"
Specifies the base path to a \s-1CDB\s0 dictionary and enables \s-1CDB\s0 password
dictionary lookups.  The path must point to a CDB-format database whose
keys are the known passwords or dictionary words.  The values are ignored.
You can use the \fBkrb5\-strength\-wordlist\fR utility to generate the \s-1CDB\s0
database from a word list.
.Sp
The \s-1CDB\s0 dictionary lookups do not do the complex password mangling that
CrackLib does.  Instead, the password itself will be checked against the
dictionary, and then variations of the password formed by removing the
first character, the last character, the first and last characters, the
first two characters, and the last two characters.  If any of these
strings are found in the \s-1CDB\s0 database, the password will be rejected;
otherwise, it will be accepted, at least by this check.
.Sp
A CrackLib dictionary, a \s-1CDB\s0 dictionary, and a SQLite dictionary may all
be configured at the same time or in any combination, in which case
CrackLib will be run first, followed by \s-1CDB\s0 and then SQLite as
appropriate.
.IP "password_dictionary_sqlite" 4
.IX Item "password_dictionary_sqlite"
Specifies the base path to a SQLite dictionary and enables SQLite password
dictionary lookups.  The path must point to a SQLite 3 database with a
table named \f(CW\*(C`passwords\*(C'\fR.  This table should have two columns, \f(CW\*(C`password\*(C'\fR
and \f(CW\*(C`drowssap\*(C'\fR, which, for each dictionary word, holds the word and the
reversed form of the word.  You can use the \fBkrb5\-strength\-wordlist\fR
utility to generate the SQLite database from a word list.
.Sp
The SQLite dictionary lookups do not do the complex password mangling that
CrackLib does, but they will detect and reject any password that is within
edit distance one of a word in the dictionary, meaning that the dictionary
word can be formed from the password by adding, deleting, or modifying a
single character.
.Sp
A CrackLib dictionary, a \s-1CDB\s0 dictionary, and a SQLite dictionary may all
be configured at the same time or in any combination, in which case
CrackLib will be run first, followed by \s-1CDB\s0 and then SQLite as
appropriate.
.IP "require_ascii_printable" 4
.IX Item "require_ascii_printable"
If set to a true boolean value, rejects any password that contains
non-ASCII characters or \s-1ASCII\s0 control characters.  Spaces are allowed;
tabs are not (at least assuming the \s-1POSIX C\s0 locale).  No canonicalization
or character set is defined for Kerberos passwords in general, so you may
want to reject non-ASCII characters to avoid interoperability problems
with computers with different default character sets or Unicode
normalization forms.
.IP "require_classes" 4
.IX Item "require_classes"
This option allows specification of more complex character class
requirements.  The value of this parameter should be one or more
whitespace-separated rule.  Each rule has the syntax:
.Sp
.Vb 1
\&    [<min>\-<max>:]<class>[,<class>...]
.Ve
.Sp
where <class> is one of \f(CW\*(C`upper\*(C'\fR, \f(CW\*(C`lower\*(C'\fR, \f(CW\*(C`digit\*(C'\fR, or \f(CW\*(C`symbol\*(C'\fR.  The
symbol class includes all characters other than alphanumeric characters,
including space.  The listed classes must appear in the password.
Separate multiple required classes with a comma (and no space).
.Sp
The character class checks will be done in whatever locale the plugin or
password check program is run in, which will normally be the \s-1POSIX C\s0
locale but may be different depending on local configuration.
.Sp
A simple example:
.Sp
.Vb 1
\&    require_classes = upper,lower,digit
.Ve
.Sp
This requires all passwords contain at least one uppercase letter, at
least one lowercase letter, and at least one digit.
.Sp
If present, <min> and <max> specify the minimum password length and
maximum password length to which this rule applies.  This allows one to
specify character class requirements that change with password length.
So, for example:
.Sp
.Vb 1
\&    require_classes = 8\-19:upper,lower 8\-15:digit 8\-11:symbol
.Ve
.Sp
requires all passwords from 8 to 11 characters long contain all four
character classes, passwords from 12 to 15 characters long contain upper
and lower case and a digit, and passwords from 16 to 19 characters long
contain both upper and lower case.  Passwords longer than 20 characters
have no character class restrictions.  (This example is probably used in
conjunction with minimum_length = 8.)
.IP "require_non_letter" 4
.IX Item "require_non_letter"
If set to a true boolean value, the password must contain at least one
character that is not a letter (uppercase or lowercase) or a space.  This
may be helpful in combination with passphrases; users may choose a stock
English phrase, and this will force at least some additional complexity.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBkrb5\-strength\-wordlist\fR\|(1), \fBkadm5\-strength\fR\|(3), \fBkpasswdd\fR\|(8), \fBkrb5.conf\fR\|(5)
.PP
The \*(L"Password changing\*(R" section of the Heimdal info documentation
describes the interface that this program implements and how to configure
Heimdal to use it.
.PP
The current version of this program is available from its web page at
<https://www.eyrie.org/~eagle/software/krb5\-strength/> as part of the
krb5\-strength package.
.SH "AUTHOR"
.IX Header "AUTHOR"
Russ Allbery <eagle@eyrie.org>
.SH "COPYRIGHT AND LICENSE"
.IX Header "COPYRIGHT AND LICENSE"
Copyright 2016 Russ Allbery <eagle@eyrie.org>
.PP
Copyright 2010, 2013\-2014 The Board of Trustees of the Leland Stanford
Junior University
.PP
Copying and distribution of this file, with or without modification, are
permitted in any medium without royalty provided the copyright notice and
this notice are preserved.  This file is offered as-is, without any
warranty.
.PP
SPDX-License-Identifier: \s-1FSFAP\s0