X-Git-Url: https://git.eyrie.org/?a=blobdiff_plain;f=NEWS;h=5274ac01d601f34abe321a2b0dd5bbe1a8b61214;hb=73fb0839695dbc4a943af0f8236b16f5d82e8c8a;hp=bab435d4b84d0b1fdb377760464c3e2843ae9a5a;hpb=3c520ec00dbad057a2063a67a0708c03e2da45d1;p=kerberos%2Fkrb5-strength.git diff --git a/NEWS b/NEWS index bab435d..5274ac0 100644 --- a/NEWS +++ b/NEWS @@ -1,12 +1,344 @@ User-Visible krb5-strength Changes -krb5-strength 1.1 (unreleased) +krb5-strength 3.3 (unreleased) + + heimdal-history now requires the Perl modules Const::Fast and + JSON::MaybeXS instead of Readonly and JSON. + + Explicitly erase the copy of the password made in the Heimdal plugin. + + Update to rra-c-util 10.5: + + * Assume a working snprintf rather than supplying a replacement. + * Fix detection of reallocarray on NetBSD. + * Check that Kerberos header files were found during configure. + * Use AS_ECHO in all Autoconf macros. + * Always use lib32 or lib64 if it exists, even on Debian. + * Fix rejection of unknown Clang warning flags. + * Disable -Wreserved-identifier for Clang warning builds. + +krb5-strength 3.2 (2020-05-17) + + Add new -c (--check-only) option to heimdal-history to check whether a + password would be accepted without updating the history or password + length databases. Based on work by macrotex. + + Increase hash iterations for heimdal-history by roughly a factor of + four to increase the time required for a password hash to about 0.1 + seconds on modern hardware. This will affect newly-stored history + entries but will not invalidate existing password history entries. + + Support building without CrackLib support by passing + --without-cracklib to configure. This makes the code a bit simpler + and lighter if you don't intend to ever use the CrackLib support. + + krb5-strength-wordlist now requires Perl 5.010 or later. + + Use explicit_bzero instead of memset, where available, to overwrite + copies of passwords before freeing memory. This reduces the lifetime + of passwords in memory. + + Skip tests that require the stronger rule configuration in the + embedded CrackLib when built against system CrackLib. This avoids + test failures when built with system CrackLib. + + Rework the check-valgrind target to use the new C TAP Harness valgrind + support and automatically check the valgrind log files for errors at + the end of the test suite. + + Add SPDX-License-Identifier headers to all substantial source files + other than those in the bundled version of CrackLib. + + Update to rra-c-util 8.2: + + * Implement explicit_bzero with memset if it is not available. + * Reformat all C source using clang-format 10. + * Work around Test::Strict not skipping .git directories. + * Fix warnings with perltidy 20190601 and Perl::Critic 1.134. + * Improve check for obsolete strings. + * Use a more standard all-permissive license. + * Add SPDX-License-Identifier headers to all substantial source files. + * Skip more build system files when running the test suite. + * Fix warnings with Clang 10, GCC 10, and the Clang static analyzer. + * Exclude more valgrind false positives with Kerberos libraries. + * Improve support for AIX's bundled Kerberos. + + Update to C TAP Harness 4.7: + + * Fix warnings with GCC 10. + * Reformat all C source using clang-format 10. + * Fixed malloc error checking in bstrndup. + * Add support for valgrind testing via test list options. + * Report test failures as left and right, not wanted and seen. + * Fix is_string comparisons involving NULL pointers and "(null)". + * Add SPDX-License-Identifier headers to all substantial source files. + +krb5-strength 3.1 (2016-12-25) + + A new configuration option, cracklib_maxlen, can be set to skip + CrackLib checks of passwords longer than that length. The CrackLib + rules were designed in a world in which most passwords were four to + eight characters long and tend to spuriously reject longer passwords. + SQLite dictionaries work better for checking longer passwords and + passphrases. Patch from Jorj Bauer. + + The require_classes configuration option can now require a particular + number of character classes in the password (whatever those classes + are). Patch from Toby Blake. + + Change the error messages returned for passwords that fail strength + checking to start with a capital letter. This appears to be more + consistent with the error message conventions used inside Heimdal. + + Change the DB_File::Lock calling method in heimdal-history to work + properly with the (buggy) CPAN version of DB_File::Lock, instead of + relying on Debian's patched version. Thanks to Bernt Jernberg for the + report. + + Apply the SuSE patch for a buffer overflow when using duplicate rules + to the embedded CrackLib. No duplicating rules are used in the rule + set included with this package, and this package doesn't expose the + general API, so this was not exploitable, but best to close the latent + issue. (The other recent CrackLib vulnerability, CVE-2016-6318, + doesn't apply since all the GECOS manipulation code was removed from + the embedded CrackLib in this package.) + + Patch the mkdict and packer in the embedded copy of CrackLib to force + C locale when sorting (avoiding a corrupted dictionary) and warn and + skip out-of-order words rather than creating a corrupted dictionary. + Patch from Mark Sirota. + + Configuration instrutions are now in the heimdal-history and + heimdal-strength man pages and a new krb5-strength man page (which + documents configuration of the KDC plugin) instead of the README file + to make it more accessible after the software has been installed. + + Update to rra-c-util 6.2: + + * Use calloc in preference to malloc wherever appropriate. + * Use reallocarray in preference to realloc wherever appropriate. + * Suppress warnings from Kerberos headers under make warnings. + * Support the embedded Kerberos in Solaris 10 in library probes. + * Add missing va_end in xasprintf implementation. + * Fix logic in Test::RRA::Automake for new Automake dist checking. + * Fix all return-value checks for snprintf to avoid off-by-one error. + * Update warning flags for make warnings to GCC 6.1.0. + * Fix Test::RRA::Config for new "do" semantics in Perl 5.22.2. + * Add a new test for obsolete eyrie.org URLs. + * Require Test::Strict 0.25 or newer for Perl strictness checks. + + Update to C TAP Harness 4.1: + + * Replace all remaining uses of sprintf. + * Test lists may now have comments and blank lines. + * runtests -v will show the complete output from a test. + * Fix segfault in runtests when given an empty test list. + * Tests use C_TAP_SOURCE and C_TAP_BUILD instead of SOURCE and BUILD. + +krb5-strength 3.0 (2014-03-25) + + The krb5-strength plugin and heimdal-strength program now support a + SQLite password dictionary. This format of dictionary can detect any + password within edit distance one of a dictionary word, meaning that + the dictionary word can be formed by adding, removing, or changing a + single character in the password. A SQLite password dictionary can be + used alone or in combination with any of the other supported + dictionary types. SQLite dictionary support is based on work by David + Mazières. + + cdbmake-wordlist has been renamed to krb5-strength-wordlist. + Generating CDB dictionaries now requires the -c option; see the + documentation for more information. A SQLite database of dictionary + words can now be created instead, using the -s option. + + A password history implementation for Heimdal is now included. This + is a separate Perl program, heimdal-history, that stacks with the + external program implementation of strength checking. It is not + available in the form of a plugin, only as a Heimdal external password + quality check. (MIT Kerberos provides its own password history + mechanism.) This program has more extensive Perl module dependencies + than the other programs in this distribution. + + A new configuration option, minimum_different, can be set to require + that passwords contain at least that many unique characters. This can + be used to reject long strings of identical characters or short + patterns, which may pass other checks but still be too easy to guess. + + Update to rra-c-util 5.4: + + * Fix portable/krb5.h build with a C++ compiler. + * Use Lancaster Consensus environment variables to control tests. + * Work around perltidy bug that leaves behind stray log files. + + Update to C TAP Harness 3.0: + + * Reopen standard input to /dev/null when running a test list. + * Don't leak extraneous file descriptors to tests. + +krb5-strength 2.2 (2013-12-16) + + More complex character class requirements can be specified with the + configuration option require_classes. This option lists the character + classes the password must contain. These restrictions may be + qualified with password length ranges, allowing the requirements to + change with the length of the password. See README for more details + and the option syntax. + + cdbmake-wordlist now supports filtering out words based on maximum + length (-L) and arbitrary user-provided regular expressions (-x). It + also supports running in filter mode to produce a new wordlist instead + of a CDB file (-o). + + Close a file descriptor and memory leak in the included version of + CrackLib. This problem was already fixed in CrackLib 2.9.0. + + Update to rra-c-util 4.12: + + * Properly check the return status of snprintf and friends. + + Update to C TAP Harness 2.3: + + * Suppress lazy plans and test summaries if the test failed with bail. + * Add warn_unused_result gcc attributes to relevant functions. + +krb5-strength 2.1 (2013-10-10) + + Fix the package build when CDB support is disabled or TinyCDB was not + found. + + Some of the password rejection error messages have been changed to + make them more accurate or comprehensible to the user. + + Passing --with-tinycdb to configure now correctly makes TinyCDB + support mandatory without adding bogus directories to the library and + include search paths. + +krb5-strength 2.0 (2013-10-07) + + Add support for the MIT Kerberos password quality plugin interface, + available in MIT Kerberos 1.9 and later, contributed by Greg Hudson + and MIT. Drop the patch for MIT Kerberos 1.4 (and hence support for + versions of MIT Kerberos prior to 1.9). A dictionary path set in + krb5.conf takes precedence over the dictionary path provided by MIT + Kerberos when the plugin is initialized, if both are set, to allow the + dict_path configuration setting to be used for other plugins while + using a separate dictionary for krb5-strength. + + The default installation path for this plugin is now + /usr/local/lib/krb5/plugins/pwqual/strength.so (for both MIT and + Heimdal), assuming a --libdir setting of /usr/local/lib. This may + require updates to the Kerberos KDC configuration or moving the plugin + when upgrading from earlier versions. + + Add support for building with TinyCDB and then checking passwords + against a CDB database. There is a new password_dictionary_cdb + krb5.conf configuration setting that configures a CDB directory to + use. The tests with a CDB dictionary are much simpler: passwords are + rejected if found in the dictionary either literally, with one or two + characters removed from the start or end, or with one character + removed from both the start and the end. Both a CrackLib and a CDB + dictionary can be specified to check both dictionaries. A new + cdbmake-wordlist utility (written in Perl) is included to ease the + process of creating a CDB database from a simple word list. + + A minimum password length can now be enforced directly via the plugin + or external check program without relying on CrackLib. To set a + minimum password length, add a minimum_length setting to the + krb5-strength section of [appdefaults] in krb5.conf. + + New boolean settings require_ascii_printable and require_non_letter + are supported in the krb5-strength setting of [appdefaults] in + krb5.conf. The former rejects passwords containing characters other + than printable ASCII characters (including space), and the latter + requires that passwords contain at least one character that is not a + letter (upper or lower case) or a space. + + The plugin can now be configured without a dictionary, in which case + only checks for a password based on the principal and the simpler + checks available through the new configuration variables are done. + This mode is mostly useful for testing, since such simple checking can + more easily be done via less complex password strength configurations. + + The check for passwords based on the principal now check for passwords + formed by reversing or adding numbers before and after each separate + component of the principal. This will catch passwords based on the + realm or components of the realm, which will often catch passwords + based on the name of the local institution. + + The plugin now sets the Kerberos error message in the context to pass + error information, resulting in higher-quality error reporting in the + MIT Kerberos plugin. + + CrackLib checks for passwords where a character is a simple increment + or decrement of the previous character. In previous versions, the + embedded version of CrackLib allowed at most four such occurrences in + the entire password. This results in false positives on long + passphrases, since such accidental letter relationships aren't + uncommon in human languages. Change the embedded CrackLib to allow + one such simple increment for every three characters in the password, + which tightens the check somewhat for shorter passwords and loosens it + considerably for longer passwords. + + Expect the Heimdal password strength checking plugin header in + kadm5/kadm5-pwcheck.h instead of outside of the kadm5 directory. This + is the path used by current versions of Heimdal. Drop support for + older versions of Heimdal that don't install this header file. + + Update to rra-c-util 4.9: + + * Probe for Kerberos headers using file checks instead of compiles. + * Improve probe for the Heimdal libroken library. + * Always build with large file support. + * Conditionally call AM_PROG_AR for portability to new Autotools. + + Update to C TAP Harness 2.2: + + * Allow more easily running single programs under tests/runtests. + * Flush the output from the test harness after each test. + +krb5-strength 1.1 (2012-05-11) + + Change the minimum password length in the embedded CrackLib to 8. + + Reject passwords formed from the username portion of the principal + with digits appended. + + In the embedded CrackLib, also check for a duplicated dictionary word. + + Support linking with the system CrackLib instead of the embedded and + stricter copy by passing --with-cracklib to configure. Fix variable sizes in the embedded CrackLib on 64-bit platforms. This may fix interoperability problems with databases created on platforms with a different native integer size. Thanks, Karl Lehnberger and Benj Carson. + Stop using local in the test suite for portability to Solaris /bin/sh. + + Update to rra-c-util 4.4: + + * Use PATH_KRB5_CONFIG to override krb5-config location. + * Fix probing for ibm_svc/krb5_svc.h on AIX. + * Support Heimdal libraries without libroken, like OpenBSD. + * Fix manual Kerberos library probing without transitive dependencies. + * Support systems that only have krb5/krb5.h. + * Pass --deps to krb5-config in the non-reduced-dependencies case. + * Silence __attribute__ warnings on more compilers. + * Update warning flags for make warnings. + * Flesh out MAINTCLEANFILES to remove autogen results. + * Add notices to all files copied from rra-c-util. + + Update to C TAP Harness 1.12: + + * Drop is_double from the C TAP library to avoid requiring -lm. + * Avoid using local in the shell libtap.sh library. + * Silence __attribute__ warnings on more compilers. + * runtests now frees all allocated resources on exit. + * Fix runtests to still honor SOURCE and -s without BUILD and -b. + * Add tests/HOWTO documenting how to add new tests. + * Ensure correct output ordering in test results. + * Add -h and a better usage message to tests/runtests. + krb5-strength 1.0 (2010-02-16) Add heimdal-strength, a program that checks password strength using