User-Visible krb5-strength Changes
-krb5-strength 2.0 (unreleased)
+krb5-strength 2.0 (2013-10-07)
Add support for the MIT Kerberos password quality plugin interface,
available in MIT Kerberos 1.9 and later, contributed by Greg Hudson
and MIT. Drop the patch for MIT Kerberos 1.4 (and hence support for
- versions of MIT Kerberos prior to 1.9).
+ versions of MIT Kerberos prior to 1.9). A dictionary path set in
+ krb5.conf takes precedence over the dictionary path provided by MIT
+ Kerberos when the plugin is initialized, if both are set, to allow the
+ dict_path configuration setting to be used for other plugins while
+ using a separate dictionary for krb5-strength.
The default installation path for this plugin is now
/usr/local/lib/krb5/plugins/pwqual/strength.so (for both MIT and
requires that passwords contain at least one character that is not a
letter (upper or lower case) or a space.
+ The plugin can now be configured without a dictionary, in which case
+ only checks for a password based on the principal and the simpler
+ checks available through the new configuration variables are done.
+ This mode is mostly useful for testing, since such simple checking can
+ more easily be done via less complex password strength configurations.
+
+ The check for passwords based on the principal now check for passwords
+ formed by reversing or adding numbers before and after each separate
+ component of the principal. This will catch passwords based on the
+ realm or components of the realm, which will often catch passwords
+ based on the name of the local institution.
+
The plugin now sets the Kerberos error message in the context to pass
error information, resulting in higher-quality error reporting in the
MIT Kerberos plugin.
projects / kerberos / krb5-strength.git / blobdiff