- krb5-strength 2.1
+ krb5-strength 2.2
(Kerberos password strength checking plugin)
Maintained by Russ Allbery <eagle@eyrie.org>
BLURB
krb5-strength provides a password quality plugin for the MIT Kerberos
- KDC (specifically the kadmind server) and an external password quality
- program for use with the Heimdal kpasswdd server. Passwords can be
- tested with CrackLib, checked against a CDB database of known weak
- passwords, checked for length, checked for non-printable or non-ASCII
- characters that may be difficult to enter reproducibly, required to
- contain particular character classes, or any combination of these tests.
- It supports both Heimdal and MIT Kerberos (1.9 or later).
+ KDC (specifically the kadmind server), an external password quality
+ program for use with Heimdal, and a password history implementation for
+ use with Heimdal. Passwords can be tested with CrackLib, checked
+ against a CDB database of known weak passwords, checked for length,
+ checked for non-printable or non-ASCII characters that may be difficult
+ to enter reproducibly, required to contain particular character classes,
+ or any combination of these tests. It supports both Heimdal and MIT
+ Kerberos (1.9 or later).
DESCRIPTION
behavior, at which point this package can likely wither away in favor of
much simpler plugins that link to the standard CrackLib library.
+ krb5-strength also includes a password history implementation for
+ Heimdal. This is separate from the password strength implementation but
+ can be stacked with it so that both strength and history checks are
+ performed. This history implementation is available only via the
+ Heimdal external password quality interface. MIT Kerberos includes its
+ own password history implementation.
+
REQUIREMENTS
For Heimdal, you may use either the external password quality check
bulky, often covered by murky copyrights, and easily locatable on the
Internet with a modicum of searching, none are included in this toolkit.
- To run the test suite, you will also need Perl 5.006 or later. The
- following additional Perl modules will be used by the test suite if
- present:
+ The password history program, heimdal-history, requires Perl 5.010 or
+ later plus the following CPAN modules:
+ DB_File::Lock
+ Crypt::PBKDF2
+ Getopt::Long::Descriptive
IPC::Run
JSON
+ Readonly
+
+ and their dependencies.
+
+ To run the test suite, you will need Perl 5.010 or later and the
+ dependencies of the heimdal-history program. The following additional
+ Perl modules will be used by the test suite if present:
+
Perl6::Slurp
Test::MinimumVersion
Test::Perl::Critic
file is located):
krb5-strength = {
- password_dictionary = /path/to/cracklib/dictionary
- password_dictionary_cdb = /path/to/cdb/dictionary.cdb
+ password_dictionary = /path/to/cracklib/dictionary
+ password_dictionary_cdb = /path/to/cdb/dictionary.cdb
+ password_dictionary_sqlite = /path/to/sqlite/dictionary.sqlite
}
- The first setting configures a CrackLib dictionary and the second a CDB
- dictionary. The provided path should be the full path to the dictionary
- files, omitting the trailing *.hwm, *.pwd, and *.pwi extensions for the
- CrackLib dictionary. You can use either or both settings. If you use
- both, CrackLib will be checked first, and then CDB. When checking a CDB
- database, the password, the password with the first character removed,
- the last character removed, the first and last characters removed, the
- first two characters removed, and the last two characters removed will
- all be checked against the dictionary.
+ The first setting configures a CrackLib dictionary, the second a CDB
+ dictionary, and the third a SQLite dictionary. The provided path should
+ be the full path to the dictionary files, omitting the trailing *.hwm,
+ *.pwd, and *.pwi extensions for the CrackLib dictionary. You can use
+ any combination of the three settings. If you use more than one,
+ CrackLib will be checked first, then CDB, and then SQLite as
+ appropriate.
+
+ When checking against a CDB database, the password, the password with
+ the first character removed, the last character removed, the first and
+ last characters removed, the first two characters removed, and the last
+ two characters removed will all be checked against the dictionary.
+
+ When checking a SQLite database, the password will be rejected if it is
+ within edit distance one of any word in the dictionary, meaning that the
+ database word can be formed from the password by deleting, adding, or
+ changing a single character.
Then, for the external password checking program, add a new section (or
modify the existing [password_quality] section) to look like the
pass the --check-library argument to kpasswdd specifying the library to
load.
+ Additional configuration is required to use the history implementation.
+ Ensure that its dependencies are installed, and then examine the local
+ configuration settings at the top of the heimdal-history program. By
+ default, it requires a _history user and _history group be present on
+ the system, and all history information will be read and written as that
+ user and group. It also requires a nobody user and nogroup group to be
+ present, and all strength checking will be done as that user and group.
+ It uses various files in /var/lib/heimdal-history to store history and
+ statistical information by default, so if using the defaults, create
+ that directory and ensure it is writable by the _history user.
+
+ Once that setup is done, change your [password_quality] configuration
+ to:
+
+ [password_quality]
+ policies = external-check
+ external_program = /usr/local/bin/heimdal-history
+
+ The heimdal-history program will automatically also run heimdal-strength
+ as well, looking for it in /usr/local/bin, /usr/bin, and /bin. Change
+ the PATH setting at the top of the script if you have different
+ requirements. You should continue to configure heimdal-strength as if
+ you were running it directly.
+
MIT Kerberos
To add this module to the list of password quality checks, add a section
[appdefaults] section:
krb5-strength = {
- password_dictionary = /path/to/cracklib/dictionary
- password_dictionary_cdb = /path/to/cdb/dictionary.cdb
+ password_dictionary = /path/to/cracklib/dictionary
+ password_dictionary_cdb = /path/to/cdb/dictionary.cdb
+ password_dictionary_sqlite = /path/to/sqlite/dictionary.sqlite
}
- The first setting configures a CrackLib dictionary and the second a CDB
- dictionary. The provided path should be the full path to the dictionary
- files, omitting the trailing *.hwm, *.pwd, and *.pwi extensions for the
- CrackLib dictionary. You can use either or both settings. If you use
- both, CrackLib will be checked first, and then CDB. When checking a CDB
- database, the password, the password with the first character removed,
- the last character removed, the first and last characters removed, the
- first two characters removed, and the last two characters removed will
- all be checked against the dictionary.
+ The first setting configures a CrackLib dictionary, the second a CDB
+ dictionary, and the third a SQLite dictionary. The provided path should
+ be the full path to the dictionary files, omitting the trailing *.hwm,
+ *.pwd, and *.pwi extensions for the CrackLib dictionary. You can use
+ any combination of the three settings. If you use more than one,
+ CrackLib will be checked first, then CDB, and then SQLite as
+ appropriate.
+
+ When checking against a CDB database, the password, the password with
+ the first character removed, the last character removed, the first and
+ last characters removed, the first two characters removed, and the last
+ two characters removed will all be checked against the dictionary.
+
+ When checking a SQLite database, the password will be rejected if it is
+ within edit distance one of any word in the dictionary, meaning that the
+ database word can be formed from the password by deleting, adding, or
+ changing a single character.
The second option is to use the normal dict_path setting. In the
[realms] section of your krb5.conf kdc.conf, under the appropriate realm
dictionary matching.
You can also mix and match these settings, by using dict_path for the
- CrackLib dictionary path and krb5.conf for the CDB dictionary path. If
- both settings are used, krb5.conf overrides the dict_path setting (so
- that dict_path can be used for other password quality modules). There
- is no way to specify a CDB dictionary via the dict_path setting.
+ CrackLib dictionary path and krb5.conf for the CDB or SQLite dictionary
+ paths. If both settings are used for the CrackLib path, krb5.conf
+ overrides the dict_path setting (so that dict_path can be used for other
+ password quality modules). There is no way to specify a CDB or SQLite
+ dictionary via the dict_path setting.
Other Settings
The following additional settings are supported in the [appdefaults]
section of krb5.conf when running under either Heimdal or MIT Kerberos.
+ minimum_different
+
+ If set to a numeric value, passwords with fewer than this number of
+ unique characters will be rejected. This can be used to reject, for
+ example, passwords that are long strings of the same character or
+ repetitions of small numbers of characters, which may be too easy to
+ guess.
+
minimum_length
If set to a numeric value, passwords with fewer than that number of