- omits from the link line all the libraries included solely because the
- Kerberos libraries depend on them and instead links the programs only
- against libraries whose APIs are called directly. This will only work
- with shared Kerberos libraries and will only work on platforms where
- shared libraries properly encode their own dependencies (such as Linux).
- It is intended primarily for building packages for Linux distributions
- to avoid encoding unnecessary shared library dependencies that make
- shared library migrations more difficult. If none of the above made any
- sense to you, don't bother with this flag.
-
-CONFIGURATION
-
- First, build and install a CrackLib dictionary as described above. This
- dictionary will consist of three files, one each ending in *.hwm, *.pwd,
- and *.pwi. Install those files somewhere on your system. Then, follow
- the relevant instructions below for either Heimdal or MIT Kerberos.
-
- Heimdal
-
- There are two options: using an external password check program, or
- using the plugin. I recommend the external password check program
- unless you encounter speed problems with that approach that cause
- kpasswd to time out.
-
- For either approach, first add a stanza like the following to the
- [appdefaults] section of your /etc/krb5.conf (or wherever your krb5.conf
- file is located):
-
- krb5-strength = {
- password_dictionary = /usr/local/lib/kadmind/dictionary
- }
-
- The provided path should be the full path to the dictionary files,
- omitting the trailing *.hwm, *.pwd, and *.pwi extensions.
-
- Then, for the external password checking program, add a new section (or
- modify the existing [password_quality] section) to look like the
- following:
-
- [password_quality]
- policies = external-check
- external_program = /usr/local/bin/heimdal-strength
-
- You can, of course, combine this policy with others. Replace the path
- with the full path to wherever you have installed heimdal-strength. You
- can put this section in your kdc.conf instead of krb5.conf if you
- prefer.
-
- If you want to instead use the module, use the following section
- instead:
-
- [password_quality]
- policies = krb5-strength
- policy_libraries = /usr/local/lib/kadmind/passwd_strength.so
-
- in either krb5.conf or kdc.conf. Note that some versions of Heimdal
- have a bug in the support for loading modules when policy_libraries is
- set. If you get an error like:
-
- didn't find `kadm5_password_verifier' symbol in `(null)'
-
- you may have to omit policy_libraries in your configuration and instead
- pass the --check-library argument to kpasswdd specifying the library to
- load.
-
- MIT Kerberos
-
- In the [realms] section of your kdc.conf, under the appropriate realm or
- realms, specify the path to the dictionary:
-
- dict_file = /path/to/cracklib/dictionary
-
- The provided path should be the full path to the dictionary files,
- omitting the trailing *.hwm, *.pwd, or *.pwi extension. Then, specify
- the path to the plugin by adding:
-
- pwcheck_plugin = /usr/local/lib/kadmind/passwd_strength.so
-
- to the same section of the kdc.conf, giving the correct full path to the
- plugin. Restart kadmind and password strength checking should be
- enabled.
-
- Be aware that, for MIT Kerberos, password strength checking is only
- applied to principals with a policy set. If you want to check all user
- passwords, assign all user principals a password policy. (Similarly,
- you can avoid checking the strength of passwords for particular
- principals by clearing their policy.) Also be aware that enabling this
- plugin will disable the normal kadmind dictionary check. There
- currently is no way to have them both enabled at the same time.
-
- Finally, note that the default rules of this plugin will reject the
- temporary password used by addprinc -randkey or ktadd -randkey when
- initializing a principal. When generating service principals using that
- flag, you will need to pass in the -clearpolicy flag as well to avoid
- rejecting the initial temporary password. You can then add a policy
- later with modprinc if desired.
+ omits from the link line all the libraries included solely because other
+ libraries depend on them and instead links the programs only against
+ libraries whose APIs are called directly. This will only work with
+ shared libraries and will only work on platforms where shared libraries
+ properly encode their own dependencies (this includes most modern
+ platforms such as all Linux). It is intended primarily for building
+ packages for Linux distributions to avoid encoding unnecessary shared
+ library dependencies that make shared library migrations more difficult.
+ If none of the above made any sense to you, don't bother with this flag.
+
+ After installing this software, see the man pages for krb5-strength,
+ heimdal-strength, and heimdal-history for configuration information.
+
+TESTING
+
+ krb5-strength comes with a test suite, which you can run after building
+ with:
+
+ make check
+
+ If a test fails, you can run a single test with verbose output via:
+
+ tests/runtests -o <name-of-test>
+
+ Do this instead of running the test program directly since it will
+ ensure that necessary environment variables are set up.
+
+ To run the test suite, you will need Perl 5.010 or later and the
+ dependencies of the heimdal-history program. The following additional
+ Perl modules will also be used by the test suite if present:
+
+ * Perl6::Slurp
+ * Test::MinimumVersion
+ * Test::Perl::Critic
+ * Test::Pod
+ * Test::Spelling
+ * Test::Strict
+
+ All are available on CPAN. Some tests will be skipped if the modules
+ are not available.
+
+ To enable tests that don't detect functionality problems but are used to
+ sanity-check the release, set the environment variable RELEASE_TESTING
+ to a true value. To enable tests that may be sensitive to the local
+ environment or that produce a lot of false positives without uncovering
+ many problems, set the environment variable AUTHOR_TESTING to a true
+ value.
+
+SUPPORT
+
+ The krb5-strength web page at:
+
+ https://www.eyrie.org/~eagle/software/krb5-strength/
+
+ will always have the current version of this package, the current
+ documentation, and pointers to any additional resources.
+
+ For bug tracking, use the issue tracker on GitHub:
+
+ https://github.com/rra/krb5-strength/issues
+
+ However, please be aware that I tend to be extremely busy and work
+ projects often take priority. I'll save your report and get to it as
+ soon as I can, but it may take me a couple of months.
+
+SOURCE REPOSITORY
+
+ krb5-strength is maintained using Git. You can access the current
+ source on GitHub at:
+
+ https://github.com/rra/krb5-strength
+
+ or by cloning the repository at:
+
+ https://git.eyrie.org/git/kerberos/krb5-strength.git
+
+ or view the repository via the web at:
+
+ https://git.eyrie.org/?p=kerberos/krb5-strength.git
+
+ The eyrie.org repository is the canonical one, maintained by the author,
+ but using GitHub is probably more convenient for most purposes. Pull
+ requests are gratefully reviewed and normally accepted.
+
+LICENSE
+
+ The krb5-strength package as a whole is covered by the following
+ copyright statement and license:
+
+ Copyright 2016, 2020 Russ Allbery <eagle@eyrie.org>
+ Copyright 2006-2007, 2009-2010, 2012-2014
+ The Board of Trustees of the Leland Stanford Junior University
+ Copyright 1993 Alec Muffett
+
+ Permission is hereby granted, free of charge, to any person obtaining
+ a copy of this software and associated documentation files (the
+ "Software"), to deal in the Software without restriction, including
+ without limitation the rights to use, copy, modify, merge, publish,
+ distribute, sublicense, and/or sell copies of the Software, and to
+ permit persons to whom the Software is furnished to do so, subject to
+ the following conditions:
+
+ The above copyright notice and this permission notice shall be
+ included in all copies or substantial portions of the Software.
+
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+ IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+ CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+ TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+ Developed by Daria Phoebe Brashear and Ken Hornstein of Sine Nomine
+ Associates, on behalf of Stanford University.
+
+ The embedded version of CrackLib (all files in the cracklib
+ subdirectory) is covered by the Artistic license. See the file
+ cracklib/LICENCE for more information. Combined derivative works that
+ include this code, such as binaries built with the embedded CrackLib,
+ will need to follow the terms of the Artistic license as well as the
+ above license.
+
+ Some files in this distribution are individually released under
+ different licenses, all of which are compatible with the above general
+ package license but which may require preservation of additional
+ notices. All required notices, and detailed information about the
+ licensing of each file, are recorded in the LICENSE file.
+
+ Files covered by a license with an assigned SPDX License Identifier
+ include SPDX-License-Identifier tags to enable automated processing of
+ license information. See https://spdx.org/licenses/ for more
+ information.
+
+ For any copyright range specified by files in this package as YYYY-ZZZZ,
+ the range specifies every single year in that closed interval.
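Review bot: The removed CONFIGURATION section carried operational caveats that the replacement pointer ("see the man pages for krb5-strength, heimdal-strength, and heimdal-history") does not show being preserved. These are: that MIT Kerberos applies strength checking only to principals with a policy set, that enabling the plugin disables the normal kadmind dictionary check, that addprinc -randkey and ktadd -randkey need -clearpolicy, and the workaround of passing --check-library to kpasswdd when policy_libraries fails to load the module. Please confirm each of these appears in the man pages, or keep a short note in the README, since an administrator who misses the policy requirement would leave some principals' passwords unchecked. Minor wording point in the new dependency paragraph: "such as all Linux" reads awkwardly, and "such as Linux" would be clearer.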