- krb5-strength 2.2
+ krb5-strength 3.0
(Kerberos password strength checking plugin)
Maintained by Russ Allbery <eagle@eyrie.org>
- Copyright 2006, 2007, 2009, 2010, 2012, 2013 The Board of Trustees of
- the Leland Stanford Junior University. Portions copyright 1993 Alec
+ Copyright 2006, 2007, 2009, 2010, 2012, 2013, 2014 The Board of Trustees
+ of the Leland Stanford Junior University. Portions copyright 1993 Alec
Muffett. Developed by Derrick Brashear and Ken Hornstein of Sine Nomine
Associates, on behalf of Stanford University. This software is
distributed under a BSD-style license and under the Artistic License.
krb5-strength provides a password quality plugin for the MIT Kerberos
KDC (specifically the kadmind server), an external password quality
- program for use with Heimdal, and a password history implementation for
- use with Heimdal. Passwords can be tested with CrackLib, checked
- against a CDB database of known weak passwords, checked for length,
- checked for non-printable or non-ASCII characters that may be difficult
- to enter reproducibly, required to contain particular character classes,
- or any combination of these tests. It supports both Heimdal and MIT
- Kerberos (1.9 or later).
+ program for use with Heimdal, and a per-principal password history
+ implementation for Heimdal. Passwords can be tested with CrackLib,
+ checked against a CDB or SQLite database of known weak passwords with
+ some transformations, checked for length, checked for non-printable or
+ non-ASCII characters that may be difficult to enter reproducibly,
+ required to contain particular character classes, or any combination of
+ these tests. It supports both Heimdal and MIT Kerberos (1.9 or later).
DESCRIPTION
that only passes passwords that resist attacks from both Crack and Jack
the Ripper using the same rule sets. It also supports doing simpler
dictionary checks against a CDB database, which is fast with very large
- dictionaries, and imposing other programmatic checks on passwords such
- as character class requirements.
+ dictionaries, or a SQLite database, which can reject all passwords
+ within edit distance one of a dictionary word. It can also impose other
+ programmatic checks on passwords such as character class requirements.
For Heimdal, it includes both a program usable as an external password
quality check and a plugin that implements the dynamic module API. For
To run the test suite, you will need Perl 5.010 or later and the
dependencies of the heimdal-history program. The following additional
- Perl modules will be used by the test suite if present:
+ Perl modules will also be used by the test suite if present:
Perl6::Slurp
Test::MinimumVersion
Test::Spelling
Test::Strict
- All are available on CPAN. Those tests will be skipped if the modules
+ All are available on CPAN. Some tests will be skipped if the modules
are not available.
To enable tests that don't detect functionality problems but are used to
The following additional settings are supported in the [appdefaults]
section of krb5.conf when running under either Heimdal or MIT Kerberos.
+ cracklib_maxlen
+
+ Normally, all passwords are checked with CrackLib if a CrackLib
+ dictionary is defined. However, CrackLib's rules were designed for
+ a world in which most passwords were four to eight characters long,
+ and tends to spuriously reject a lot of passphrases. If this option
+ is set to something other than its default of 0, passwords longer
+ than that length bypass CrackLib checks. (Using a SQLite dictionary
+ for longer passwords is strongly recommended.)
+
minimum_different
If set to a numeric value, passwords with fewer than this number of
The krb5-strength web page at:
- http://www.eyrie.org/~eagle/software/krb5-strength/
+ https://www.eyrie.org/~eagle/software/krb5-strength/
will always have the current version of this package, the current
documentation, and pointers to any additional resources.
or view the repository via the web at:
- http://git.eyrie.org/?p=kerberos/krb5-strength.git
+ https://git.eyrie.org/?p=kerberos/krb5-strength.git
When contributing modifications, either patches (possibly generated by
git format-patch) or Git pull requests are welcome.
The krb5-strength package as a whole is covered by the following
copyright statement and license:
- Copyright 2006, 2007, 2009, 2010, 2012, 2013
+ Copyright 2006, 2007, 2009, 2010, 2012, 2013, 2014
The Board of Trustees of the Leland Stanford Junior University
Permission is hereby granted, free of charge, to any person obtaining