User-Visible krb5-strength Changes
-krb5-strength 3.2 (unreleased)
+krb5-strength 3.2 (2020-05-17)
+
+ Add new -c (--check-only) option to heimdal-history to check whether a
+ password would be accepted without updating the history or password
+ length databases. Based on work by macrotex.
+
+ Increase hash iterations for heimdal-history by roughly a factor of
+ four to increase the time required for a password hash to about 0.1
+ seconds on modern hardware. This will affect newly-stored history
+ entries but will not invalidate existing password history entries.
Support building without CrackLib support by passing
--without-cracklib to configure. This makes the code a bit simpler
and lighter if you don't intend to ever use the CrackLib support.
+ krb5-strength-wordlist now requires Perl 5.010 or later.
+
Use explicit_bzero instead of memset, where available, to overwrite
copies of passwords before freeing memory. This reduces the lifetime
of passwords in memory.
+ Skip tests that require the stronger rule configuration in the
+ embedded CrackLib when built against system CrackLib. This avoids
+ test failures when built with system CrackLib.
+
Rework the check-valgrind target to use the new C TAP Harness valgrind
support and automatically check the valgrind log files for errors at
the end of the test suite.
* Skip more build system files when running the test suite.
* Fix warnings with Clang 10, GCC 10, and the Clang static analyzer.
* Exclude more valgrind false positives with Kerberos libraries.
+ * Improve support for AIX's bundled Kerberos.
Update to C TAP Harness 4.7: