Russ Allbery [Tue, 1 Oct 2013 06:15:51 +0000 (23:15 -0700)]
Add support for checking against a CDB database
Add support for building with TinyCDB and then checking passwords
against a CDB database. There is a new password_dictionary_cdb
krb5.conf configuration setting that configures a CDB directory to
use. The tests with a CDB dictionary are much simpler: passwords are
rejected if found in the dictionary either literally, with one or two
characters removed from the start or end, or with one character
removed from both the start and the end. Both a CrackLib and a CDB
dictionary can be specified to check both dictionaries.
The plugin now sets the Kerberos error message in the context to pass
error information, resulting in higher-quality error reporting in the
MIT Kerberos plugin.
Load the configuration inside the plugin when we initialize it,
and pass in a Kerberos context to the plugin so that this is
possible. Obtain or pass in an existing Kerberos context in the
places where we weren't already doing so.
This loses some more detailed error reporting, particularly around
non-existent configured dictionaries, which will be restored later
by using the Kerberos error message.
Remove some reachable leaks, static data in cracklib, tests
Don't attempt an optimization where we keep the last block of
the dictionary in memory to answer questions, since each call
may use a different dictionary. Close the password dictionary
after each lookup (although this doesn't recover all of the
memory due to more static data elsewhere).
Free more memory at the end of the MIT plugin test.
Use standard CrackLib tools when not using embedded
When building with the system CrackLib, use the standard tools to
build the test dictionary instead of building the embedded code
just to use the packer.
Also use the tools to build the dictionary so that the word list
in the test suite doesn't have to be sorted.
Rewrite the MIT plugin test in pure C, using the generated C
data and calling the shell script to create the necessary krb5.conf
file. Check configuration both via the internal dictionary path
and via appdefaults.
Fix configuration and status codes in the MIT plugin
Modify the MIT plugin to support [appdefaults] configuration in
addition to the dictionary path configured in the KDC. Modify the
core code to return meaningful error codes instead of just 0 and 1,
adjust the Heimdal module accordingly to translate them into 0 and
1, and use that to allow the MIT code to return real error codes.
In order to support this, import more of the Kerberos portability
layer including new portability for kadmin headers.
Add a new Perl program to generate a C version of the password
test data from the JSON source, and run that program during
autogen so that we can ship the source in the distribution and
not require JSON support for the basic test suite. Add a new
shell script to generate the necessary krb5.conf file.
Rewrite the Heimdal plugin test in pure C, using the generated C
data and calling the shell script to create the necessary krb5.conf
file.
Externalize the passwords and expected results in a JSON file
and rewrite the test case in Perl, making it read the list of
test cases from that file. Add a stripped-down krb5.conf file
used by the test suite instead of trying to manipulate the system
krb5.conf file.
Import the util layer from rra-c-util, use for heimdal-strength
Rather than rolling our own versions of xmalloc, xstrdup, and die,
import the util layer and use the standard versions of those
functions. Also import the test suite.
We don't really care about portability for krb5_get_error_message
since we effectively will require that it exists, but may as well
use the same structure as other code. Add some other functions
that we're using (or should be using).
Add support for new MIT plugin interface, drop old patch
Add support for the MIT Kerberos password quality plugin interface,
available in MIT Kerberos 1.9 and later, contributed by Greg Hudson
and MIT. Drop the patch for MIT Kerberos 1.4 (and hence support for
versions of MIT Kerberos prior to 1.9).
Fix the path to the Heimdal password strength header
Expect the Heimdal password strength checking plugin header in
kadm5/kadm5-pwcheck.h instead of outside of the kadm5 directory. This
is the path used by current versions of Heimdal.
* Probe for Kerberos headers using file checks instead of compiles.
* Improve probe for the Heimdal libroken library.
* Always build with large file support.
* Conditionally call AM_PROG_AR for portability to new Autotools.
Update to C TAP Harness 2.2:
* Allow more easily running single programs under tests/runtests.
* Flush the output from the test harness after each test.
Make the simplicity check dependent on password length
CrackLib checks for passwords where a character is a simple increment
or decrement of the previous character. In previous versions, the
embedded version of CrackLib allowed at most four such occurrences in
the entire password. This results in false positives on long
passphrases, since such accidental letter relationships aren't
uncommon in human languages. Change the embedded CrackLib to allow
one such simple increment for every three characters in the password,
which tightens the check somewhat for shorter passwords and loosens it
considerably for longer passwords.
Russ Allbery [Fri, 11 May 2012 21:07:18 +0000 (14:07 -0700)]
Update to rra-c-util 4.4 and C TAP Harness 1.12
Update to rra-c-util 4.4:
* Use PATH_KRB5_CONFIG to override krb5-config location.
* Fix probing for ibm_svc/krb5_svc.h on AIX.
* Support Heimdal libraries without libroken, like OpenBSD.
* Fix manual Kerberos library probing without transitive dependencies.
* Support systems that only have krb5/krb5.h.
* Pass --deps to krb5-config in the non-reduced-dependencies case.
* Silence __attribute__ warnings on more compilers.
* Include strings.h where available for additional prototypes.
* Update warning flags for make warnings.
* Flesh out MAINTCLEANFILES to remove autogen results.
* Add notices to all files copied from rra-c-util.
Update to C TAP Harness 1.12:
* Drop is_double from the C TAP library to avoid requiring -lm.
* Avoid using local in the shell libtap.sh library.
* Silence __attribute__ warnings on more compilers.
* runtests now frees all allocated resources on exit.
* Add bmalloc, bcalloc, brealloc, and bstrdup TAP library functions.
* Fix runtests to still honor SOURCE and -s without BUILD and -b.
* Add tests/HOWTO documenting how to add new tests.
* More correct handling of system-specific errors in output checking.
* Ensure correct output ordering in test results.
* Add -h and a better usage message to tests/runtests.
* Add diag and sysdiag functions to the basic TAP library.
* Clean up data types in the basic C TAP library.
* Add the GCC nonnull attribute to the TAP library bail functions.
Russ Allbery [Fri, 11 May 2012 20:31:58 +0000 (13:31 -0700)]
Update test suite for new length restriction, new username check
Make the dictionary word we use to test longer now that we require
at least eight character passwords. Also update the whitespace
tests. Add tests for rejecting the username with digits appended.
Russ Allbery [Sun, 14 Mar 2010 23:42:34 +0000 (16:42 -0700)]
Use the correct variable sizes for int8/int16/int32 in CrackLib
Fix variable sizes in the embedded CrackLib on 64-bit platforms. This
may fix interoperability problems with databases created on platforms
with a different native integer size. Thanks, Karl Lehnberger and
Benj Carson.
Russ Allbery [Fri, 15 Jan 2010 07:20:14 +0000 (23:20 -0800)]
Update README, add documentation for Heimdal
Remove the beta notification for this software, since we've been running
it in production for a while. Explain more clearly how it compares to
just embedding CrackLib. Add configuration instructions for Heimdal and
details about the new external password quality check function.
Russ Allbery [Thu, 14 Jan 2010 21:25:16 +0000 (13:25 -0800)]
Allow for Heimdal passing the principal as argv[0] to external check
Current versions of Heimdal appear to pass the principal as the first
element of argv rather than passing the program name as the first element
and the principal as the first conventional argument. Allow for this in
the external check implementation.
Russ Allbery [Thu, 7 Jan 2010 04:50:08 +0000 (20:50 -0800)]
Add new plugin API for MIT Kerberos
Add a new plugin API for MIT Kerberos modelled after the plugin API
used for other MIT Kerberos plugins. Thanks to Marcus Watts for
substantial research and contributions to the interface design.
Russ Allbery [Thu, 10 Dec 2009 01:13:49 +0000 (17:13 -0800)]
Add a basic portability library
Add a basic portability library that ensures that functions like snprintf
and strlcpy are available, since I want to use them in the plugin code.
Synchronized with rra-c-util 2.1.
Russ Allbery [Thu, 19 Nov 2009 06:26:02 +0000 (22:26 -0800)]
Fixed the padding written by the packer utility
Fixed the data format written by the included packer program to add
enough nul bytes at the end of the data. Previously, there was not
enough trailing nul bytes for the expected input format, leading to
uninitialized memory reads in the password lookup.
Russ Allbery [Thu, 15 Oct 2009 03:01:51 +0000 (20:01 -0700)]
Update build system for current standards
Update the Autoconf requirement to 2.64 and the Automake requirement to
1.11. Enable optional silent rules and news file checking. Add my
normal warnings target. Use the m4 directory for Autoconf macros and
move supporting programs from tools to build-aux. Remove the increase
of warnings with gcc in favor of my normal make warnings approach.
Russ Allbery [Thu, 15 Oct 2009 03:00:57 +0000 (20:00 -0700)]
Clean up compiler warnings in the cracklib directory
This is more divergence from the original, which is somewhat annoying,
but it's nice to be able to build the whole package with the normal set
of warnings.
Russ Allbery [Wed, 14 Oct 2009 23:12:43 +0000 (16:12 -0700)]
Move licensing information to a separate LICENSE file
Rewrite the licensing information using the standard LICENSE file format
that I now use with my other packages. Include licensing information for
the Autotools files that are distributed with the package.
The check of the password against the principal checked against the
fully-qualified principal, which is not the usual problem.
Additionally check that the password doesn't match the principal with
the realm removed or the reverse of that (case-insensitive).
Russ Allbery [Fri, 23 Mar 2007 22:28:13 +0000 (22:28 +0000)]
* New upstream release with a different name.
- Many cleanups to the code and build system.
- Unnecessary differences from CrackLib removed.
- Some Debian CrackLib patches applied for robustness.
* Updated README.Debian with a better example kdc.conf entry.
* No longer install the packer binary. We can use the one from
cracklib-runtime.