- omits from the link line all the libraries included solely because the
- Kerberos libraries depend on them and instead links the programs only
- against libraries whose APIs are called directly. This will only work
- with shared Kerberos libraries and will only work on platforms where
- shared libraries properly encode their own dependencies (such as Linux).
- It is intended primarily for building packages for Linux distributions
- to avoid encoding unnecessary shared library dependencies that make
- shared library migrations more difficult. If none of the above made any
- sense to you, don't bother with this flag.
-
-CONFIGURATION
-
- First, build and install either a CrackLib dictionary as described in
- REQUIREMENTS above, or build a CDB dictionary with cdbmake-wordlist.
- (Or both.) The CrackLib dictionary will consist of three files, one
- each ending in *.hwm, *.pwd, and *.pwi. The CDB dictionary will consist
- of a single file ending in *.cdb. Install those files somewhere on your
- system. Then, follow the relevant instructions below for either Heimdal
- or MIT Kerberos.
-
- See "Other Settings" below for additional krb5.conf setting supported by
- both Heimdal and MIT Kerberos.
-
- Heimdal
-
- There are two options: using an external password check program, or
- using the plugin. I recommend the external password check program
- unless you encounter speed problems with that approach that cause
- kpasswd to time out.
-
- For either approach, first add a stanza like the following to the
- [appdefaults] section of your /etc/krb5.conf (or wherever your krb5.conf
- file is located):
-
- krb5-strength = {
- password_dictionary = /path/to/cracklib/dictionary
- password_dictionary_cdb = /path/to/cdb/dictionary.cdb
- }
-
- The first setting configures a CrackLib dictionary and the second a CDB
- dictionary. The provided path should be the full path to the dictionary
- files, omitting the trailing *.hwm, *.pwd, and *.pwi extensions for the
- CrackLib dictionary. You can use either or both settings. If you use
- both, CrackLib will be checked first, and then CDB.
-
- Then, for the external password checking program, add a new section (or
- modify the existing [password_quality] section) to look like the
- following:
-
- [password_quality]
- policies = external-check
- external_program = /usr/local/bin/heimdal-strength
-
- You can, of course, combine this policy with others. Replace the path
- with the full path to wherever you have installed heimdal-strength. You
- can put this section in your kdc.conf instead of krb5.conf if you
- prefer.
-
- If you want to instead use the module, use the following section
- instead:
-
- [password_quality]
- policies = krb5-strength
- policy_libraries = /usr/local/lib/krb5/plugins/pwqual/strength.so
-
- in either krb5.conf or kdc.conf. Note that some older versions of
- Heimdal have a bug in the support for loading modules when
- policy_libraries is set. If you get an error like:
-
- didn't find `kadm5_password_verifier' symbol in `(null)'
-
- you may have to omit policy_libraries in your configuration and instead
- pass the --check-library argument to kpasswdd specifying the library to
- load.
-
- MIT Kerberos
-
- To add this module to the list of password quality checks, add a section
- to krb5.conf (or to a separate kdc.conf if you use that) like:
-
- [plugins]
- pwqual = {
- module = strength:/usr/local/lib/krb5/plugins/pwqual/strength.so
- }
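Review bot: The Heimdal paragraph on the policy_libraries loading bug is deleted here with no replacement visible in these lines, and it is the only place shown that tells an administrator what to do when the module fails to load with "didn't find `kadm5_password_verifier' symbol in `(null)'" (omit policy_libraries and pass --check-library to kpasswdd). If this text is being moved rather than dropped, please confirm the new location keeps that workaround, the CrackLib-then-CDB check order, and the rule about omitting the *.hwm, *.pwd, and *.pwi extensions from password_dictionary, since a misconfigured path or unloaded module defeats the password quality check. Two wording fixes are worth making in the carried-over copy: "additional krb5.conf setting supported by" should read "settings", and "If you want to instead use the module, use the following section instead" repeats "instead".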