User-Visible krb5-strength Changes
-krb5-strength 2.0 (unreleased)
+krb5-strength 3.0 (2014-03-25)
+
+ The krb5-strength plugin and heimdal-strength program now support a
+ SQLite password dictionary. This format of dictionary can detect any
+ password within edit distance one of a dictionary word, meaning that
+ the dictionary word can be formed by adding, removing, or changing a
+ single character in the password. A SQLite password dictionary can be
+ used alone or in combination with any of the other supported
+ dictionary types. SQLite dictionary support is based on work by David
+ Mazières.
+
+ cdbmake-wordlist has been renamed to krb5-strength-wordlist.
+ Generating CDB dictionaries now requires the -c option; see the
+ documentation for more information. A SQLite database of dictionary
+ words can now be created instead, using the -s option.
+
+ A password history implementation for Heimdal is now included. This
+ is a separate Perl program, heimdal-history, that stacks with the
+ external program implementation of strength checking. It is not
+ available in the form of a plugin, only as a Heimdal external password
+ quality check. (MIT Kerberos provides its own password history
+ mechanism.) This program has more extensive Perl module dependencies
+ than the other programs in this distribution.
+
+ A new configuration option, minimum_different, can be set to require
+ that passwords contain at least that many unique characters. This can
+ be used to reject long strings of identical characters or short
+ patterns, which may pass other checks but still be too easy to guess.
+
+ Update to rra-c-util 5.4:
+
+ * Fix portable/krb5.h build with a C++ compiler.
+ * Use Lancaster Consensus environment variables to control tests.
+ * Work around perltidy bug that leaves behind stray log files.
+
+ Update to C TAP Harness 3.0:
+
+ * Reopen standard input to /dev/null when running a test list.
+ * Don't leak extraneous file descriptors to tests.
+
+krb5-strength 2.2 (2013-12-16)
+
+ More complex character class requirements can be specified with the
+ configuration option require_classes. This option lists the character
+ classes the password must contain. These restrictions may be
+ qualified with password length ranges, allowing the requirements to
+ change with the length of the password. See README for more details
+ and the option syntax.
+
+ cdbmake-wordlist now supports filtering out words based on maximum
+ length (-L) and arbitrary user-provided regular expressions (-x). It
+ also supports running in filter mode to produce a new wordlist instead
+ of a CDB file (-o).
+
+ Close a file descriptor and memory leak in the included version of
+ CrackLib. This problem was already fixed in CrackLib 2.9.0.
+
+ Update to rra-c-util 4.12:
+
+ * Properly check the return status of snprintf and friends.
+
+ Update to C TAP Harness 2.3:
+
+ * Suppress lazy plans and test summaries if the test failed with bail.
+ * Add warn_unused_result gcc attributes to relevant functions.
+
+krb5-strength 2.1 (2013-10-10)
+
+ Fix the package build when CDB support is disabled or TinyCDB was not
+ found.
+
+ Some of the password rejection error messages have been changed to
+ make them more accurate or comprehensible to the user.
+
+ Passing --with-tinycdb to configure now correctly makes TinyCDB
+ support mandatory without adding bogus directories to the library and
+ include search paths.
+
+krb5-strength 2.0 (2013-10-07)
Add support for the MIT Kerberos password quality plugin interface,
available in MIT Kerberos 1.9 and later, contributed by Greg Hudson
letter (upper or lower case) or a space.
The plugin can now be configured without a dictionary, in which case
- only the simpler checks available through the new configuration
- variables are done. This mode is mostly useful for testing, since
- such simple checking can more easily be done via less complex password
- strength configurations.
+ only checks for a password based on the principal and the simpler
+ checks available through the new configuration variables are done.
+ This mode is mostly useful for testing, since such simple checking can
+ more easily be done via less complex password strength configurations.
+
+ The check for passwords based on the principal now check for passwords
+ formed by reversing or adding numbers before and after each separate
+ component of the principal. This will catch passwords based on the
+ realm or components of the realm, which will often catch passwords
+ based on the name of the local institution.
The plugin now sets the Kerberos error message in the context to pass
error information, resulting in higher-quality error reporting in the
projects / kerberos / krb5-strength.git / blobdiff