krb5-strength for Debian
------------------------

This plugin requires a patched kadmind that loads plugins for password
strength checking.  This code will hopefully be in a future official
release of MIT Kerberos.

With that code, a sample kdc.conf file using this plugin looks like:

    [realms]
        EXAMPLE.ORG = {
            database_name = /var/lib/krb5kdc/principal
            admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
            acl_file = /etc/krb5kdc/kadm5.acl
            key_stash_file = /etc/krb5kdc/stash
            kdc_ports = 750,88
            max_life = 10h 0m 0s
            max_renewable_life = 7d 0h 0m 0s
            default_principal_flags = +preauth
            pwcheck_plugin = /usr/lib/kadmind/passwd_strength.so
            dict_file = /usr/lib/kadmind/dictionary
        }

dict_file is a prefix for the CrackLib dictionary files.  You can
generate those files using the utilities in cracklib-runtime.

Because of how kadmin works, this module is enforced only when some
policy applies to the principal.  If no policy applies, either by default
or to the principal itself, password quality is not checked.

 -- Russ Allbery, Tue, 16 Feb 2010 21:33:37 -0800
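
The two operational steps described above (building the dictionary that dict_file points at, and attaching a policy so the check actually runs), as an added shell example that is not part of the original README. The function names are hypothetical, and the wordlist, policy name and principal are supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the krb5-strength package. Function names are
# hypothetical; cracklib-format and cracklib-packer come from cracklib-runtime.

# Build the packed CrackLib dictionary (PREFIX.pwd, PREFIX.pwi, PREFIX.hwm).
build_dict() {  # usage: build_dict WORDLIST PREFIX
    cracklib-format "$1" | cracklib-packer "$2"
}

# Print every dict_file value found in a kdc.conf.
dict_prefixes() {  # usage: dict_prefixes KDC_CONF
    sed -n 's/^[[:space:]]*dict_file[[:space:]]*=[[:space:]]*//p' "$1" |
        sed 's/[[:space:]]*$//'
}

# Succeed only if kdc.conf names a pwcheck_plugin and every dict_file
# prefix has all three packed dictionary files present and non-empty.
check_kdc_conf() {  # usage: check_kdc_conf KDC_CONF
    grep -Eq '^[[:space:]]*pwcheck_plugin[[:space:]]*=' "$1" ||
        { echo "no pwcheck_plugin in $1" >&2; return 1; }
    prefixes=$(dict_prefixes "$1")
    [ -n "$prefixes" ] || { echo "no dict_file in $1" >&2; return 1; }
    for p in $prefixes; do
        for ext in pwd pwi hwm; do
            [ -s "$p.$ext" ] || { echo "missing $p.$ext" >&2; return 1; }
        done
    done
}

# Attach an existing policy to a principal; without a policy on the
# principal, kadmind does not check password quality at all.
attach_policy() {  # usage: attach_policy POLICY PRINCIPAL
    kadmin.local -q "modify_principal -policy $1 $2"
}

# Typical sequence on the KDC, run as root (arguments are the caller's choice):
#   build_dict /usr/share/dict/words /usr/lib/kadmind/dictionary
#   check_kdc_conf /etc/krb5kdc/kdc.conf
#   kadmin.local -q "add_policy POLICY"
#   attach_policy POLICY PRINCIPAL
```

Run check_kdc_conf after any change to kdc.conf or the dictionary so a missing file is caught before kadmind is restarted.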