Maintained by Russ Allbery <eagle@eyrie.org>
- Copyright 2006, 2007, 2009, 2010, 2012, 2013, 2014 The Board of Trustees
- of the Leland Stanford Junior University. Portions copyright 1993 Alec
+ Copyright 2006, 2007, 2009, 2010, 2012, 2013 The Board of Trustees of
+ the Leland Stanford Junior University. Portions copyright 1993 Alec
Muffett. Developed by Derrick Brashear and Ken Hornstein of Sine Nomine
Associates, on behalf of Stanford University. This software is
distributed under a BSD-style license and under the Artistic License.
file is located):
krb5-strength = {
- password_dictionary = /path/to/cracklib/dictionary
- password_dictionary_cdb = /path/to/cdb/dictionary.cdb
+ password_dictionary = /path/to/cracklib/dictionary
+ password_dictionary_cdb = /path/to/cdb/dictionary.cdb
+ password_dictionary_sqlite = /path/to/sqlite/dictionary.sqlite
}
- The first setting configures a CrackLib dictionary and the second a CDB
- dictionary. The provided path should be the full path to the dictionary
- files, omitting the trailing *.hwm, *.pwd, and *.pwi extensions for the
- CrackLib dictionary. You can use either or both settings. If you use
- both, CrackLib will be checked first, and then CDB. When checking a CDB
- database, the password, all printable ASCII passwords within edit
- distance one of the password, and the password with the first and last
- characters removed, the first two characters removed, and the last two
- characters removed will all be checked against the dictionary.
+ The first setting configures a CrackLib dictionary, the second a CDB
+ dictionary, and the third a SQLite dictionary. The provided path should
+ be the full path to the dictionary files, omitting the trailing *.hwm,
+ *.pwd, and *.pwi extensions for the CrackLib dictionary. You can use
+ any combination of the three settings. If you use more than one,
+ CrackLib will be checked first, then CDB, and then SQLite as
+ appropriate.
+
+ When checking against a CDB database, the password, the password with
+ the first character removed, the last character removed, the first and
+ last characters removed, the first two characters removed, and the last
+ two characters removed will all be checked against the dictionary.
+
+ When checking a SQLite database, the password will be rejected if it is
+ within edit distance one of any word in the dictionary, meaning that the
+ database word can be formed from the password by deleting, adding, or
+ changing a single character.
Then, for the external password checking program, add a new section (or
modify the existing [password_quality] section) to look like the
[appdefaults] section:
krb5-strength = {
- password_dictionary = /path/to/cracklib/dictionary
- password_dictionary_cdb = /path/to/cdb/dictionary.cdb
+ password_dictionary = /path/to/cracklib/dictionary
+ password_dictionary_cdb = /path/to/cdb/dictionary.cdb
+ password_dictionary_sqlite = /path/to/sqlite/dictionary.sqlite
}
- The first setting configures a CrackLib dictionary and the second a CDB
- dictionary. The provided path should be the full path to the dictionary
- files, omitting the trailing *.hwm, *.pwd, and *.pwi extensions for the
- CrackLib dictionary. You can use either or both settings. If you use
- both, CrackLib will be checked first, and then CDB. When checking a CDB
- database, the password, all printable ASCII passwords within edit
- distance one of the password, and the password with the first and last
- characters removed, the first two characters removed, and the last two
- characters removed will all be checked against the dictionary.
+ The first setting configures a CrackLib dictionary, the second a CDB
+ dictionary, and the third a SQLite dictionary. The provided path should
+ be the full path to the dictionary files, omitting the trailing *.hwm,
+ *.pwd, and *.pwi extensions for the CrackLib dictionary. You can use
+ any combination of the three settings. If you use more than one,
+ CrackLib will be checked first, then CDB, and then SQLite as
+ appropriate.
+
+ When checking against a CDB database, the password, the password with
+ the first character removed, the last character removed, the first and
+ last characters removed, the first two characters removed, and the last
+ two characters removed will all be checked against the dictionary.
+
+ When checking a SQLite database, the password will be rejected if it is
+ within edit distance one of any word in the dictionary, meaning that the
+ database word can be formed from the password by deleting, adding, or
+ changing a single character.
The second option is to use the normal dict_path setting. In the
[realms] section of your krb5.conf kdc.conf, under the appropriate realm
dictionary matching.
You can also mix and match these settings, by using dict_path for the
- CrackLib dictionary path and krb5.conf for the CDB dictionary path. If
- both settings are used, krb5.conf overrides the dict_path setting (so
- that dict_path can be used for other password quality modules). There
- is no way to specify a CDB dictionary via the dict_path setting.
+ CrackLib dictionary path and krb5.conf for the CDB or SQLite dictionary
+ paths. If both settings are used for the CrackLib path, krb5.conf
+ overrides the dict_path setting (so that dict_path can be used for other
+ password quality modules). There is no way to specify a CDB or SQLite
+ dictionary via the dict_path setting.
Other Settings
The following additional settings are supported in the [appdefaults]
section of krb5.conf when running under either Heimdal or MIT Kerberos.
+ minimum_different
+
+ If set to a numeric value, passwords with fewer than this number of
+ unique characters will be rejected. This can be used to reject, for
+ example, passwords that are long strings of the same character or
+ repetitions of small numbers of characters, which may be too easy to
+ guess.
+
minimum_length
If set to a numeric value, passwords with fewer than that number of
canonicalization or character set is defined for Kerberos passwords
in general, so you may want to reject non-ASCII characters to avoid
interoperability problems with computers with different default
- character sets or Unicode normalization forms. Also be aware that,
- when testing passwords within edit distance one against a CDB
- database, only characters in the printable ASCII character set will
- be attempted.
+ character sets or Unicode normalization forms.
require_classes
The krb5-strength package as a whole is covered by the following
copyright statement and license:
- Copyright 2006, 2007, 2009, 2010, 2012, 2013, 2014
+ Copyright 2006, 2007, 2009, 2010, 2012, 2013
The Board of Trustees of the Leland Stanford Junior University
Permission is hereby granted, free of charge, to any person obtaining
projects / kerberos / krb5-strength.git / blobdiff