User-Visible krb5-strength Changes
-krb5-strength 2.0 (unreleased)
+krb5-strength 3.0 (2014-03-25)
+
+ The krb5-strength plugin and heimdal-strength program now support a
+ SQLite password dictionary. This format of dictionary can detect any
+ password within edit distance one of a dictionary word, meaning that
+ the dictionary word can be formed by adding, removing, or changing a
+ single character in the password. A SQLite password dictionary can be
+ used alone or in combination with any of the other supported
+ dictionary types. SQLite dictionary support is based on work by David
+ Mazières.
+
+ cdbmake-wordlist has been renamed to krb5-strength-wordlist.
+ Generating CDB dictionaries now requires the -c option; see the
+ documentation for more information. A SQLite database of dictionary
+ words can now be created instead, using the -s option.
+
+ A password history implementation for Heimdal is now included. This
+ is a separate Perl program, heimdal-history, that stacks with the
+ external program implementation of strength checking. It is not
+ available in the form of a plugin, only as a Heimdal external password
+ quality check. (MIT Kerberos provides its own password history
+ mechanism.) This program has more extensive Perl module dependencies
+ than the other programs in this distribution.
+
+ A new configuration option, minimum_different, can be set to require
+ that passwords contain at least that many unique characters. This can
+ be used to reject long strings of identical characters or short
+ patterns, which may pass other checks but still be too easy to guess.
+
+ Update to rra-c-util 5.4:
+
+ * Fix portable/krb5.h build with a C++ compiler.
+ * Use Lancaster Consensus environment variables to control tests.
+ * Work around perltidy bug that leaves behind stray log files.
+
+ Update to C TAP Harness 3.0:
+
+ * Reopen standard input to /dev/null when running a test list.
+ * Don't leak extraneous file descriptors to tests.
+
+krb5-strength 2.2 (2013-12-16)
+
+ More complex character class requirements can be specified with the
+ configuration option require_classes. This option lists the character
+ classes the password must contain. These restrictions may be
+ qualified with password length ranges, allowing the requirements to
+ change with the length of the password. See README for more details
+ and the option syntax.
+
+ cdbmake-wordlist now supports filtering out words based on maximum
+ length (-L) and arbitrary user-provided regular expressions (-x). It
+ also supports running in filter mode to produce a new wordlist instead
+ of a CDB file (-o).
+
+ Close a file descriptor and memory leak in the included version of
+ CrackLib. This problem was already fixed in CrackLib 2.9.0.
+
+ Update to rra-c-util 4.12:
+
+ * Properly check the return status of snprintf and friends.
+
+ Update to C TAP Harness 2.3:
+
+ * Suppress lazy plans and test summaries if the test failed with bail.
+ * Add warn_unused_result gcc attributes to relevant functions.
+
+krb5-strength 2.1 (2013-10-10)
+
+ Fix the package build when CDB support is disabled or TinyCDB was not
+ found.
+
+ Some of the password rejection error messages have been changed to
+ make them more accurate or comprehensible to the user.
+
+ Passing --with-tinycdb to configure now correctly makes TinyCDB
+ support mandatory without adding bogus directories to the library and
+ include search paths.
+
+krb5-strength 2.0 (2013-10-07)
Add support for the MIT Kerberos password quality plugin interface,
available in MIT Kerberos 1.9 and later, contributed by Greg Hudson
and MIT. Drop the patch for MIT Kerberos 1.4 (and hence support for
- versions of MIT Kerberos prior to 1.9).
+ versions of MIT Kerberos prior to 1.9). A dictionary path set in
+ krb5.conf takes precedence over the dictionary path provided by MIT
+ Kerberos when the plugin is initialized, if both are set, to allow the
+ dict_path configuration setting to be used for other plugins while
+ using a separate dictionary for krb5-strength.
+
+ The default installation path for this plugin is now
+ /usr/local/lib/krb5/plugins/pwqual/strength.so (for both MIT and
+ Heimdal), assuming a --libdir setting of /usr/local/lib. This may
+ require updates to the Kerberos KDC configuration or moving the plugin
+ when upgrading from earlier versions.
Add support for building with TinyCDB and then checking passwords
against a CDB database. There is a new password_dictionary_cdb
minimum password length, add a minimum_length setting to the
krb5-strength section of [appdefaults] in krb5.conf.
+ New boolean settings require_ascii_printable and require_non_letter
+ are supported in the krb5-strength setting of [appdefaults] in
+ krb5.conf. The former rejects passwords containing characters other
+ than printable ASCII characters (including space), and the latter
+ requires that passwords contain at least one character that is not a
+ letter (upper or lower case) or a space.
+
+ The plugin can now be configured without a dictionary, in which case
+ only checks for a password based on the principal and the simpler
+ checks available through the new configuration variables are done.
+ This mode is mostly useful for testing, since such simple checking can
+ more easily be done via less complex password strength configurations.
+
+ The check for passwords based on the principal now check for passwords
+ formed by reversing or adding numbers before and after each separate
+ component of the principal. This will catch passwords based on the
+ realm or components of the realm, which will often catch passwords
+ based on the name of the local institution.
+
The plugin now sets the Kerberos error message in the context to pass
error information, resulting in higher-quality error reporting in the
MIT Kerberos plugin.
Expect the Heimdal password strength checking plugin header in
kadm5/kadm5-pwcheck.h instead of outside of the kadm5 directory. This
- is the path used by current versions of Heimdal.
+ is the path used by current versions of Heimdal. Drop support for
+ older versions of Heimdal that don't install this header file.
Update to rra-c-util 4.9:
projects / kerberos / krb5-strength.git / blobdiff