Russ Allbery [Thu, 27 Feb 2014 06:22:48 +0000 (22:22 -0800)]
Fix the -s flag to heimdal-history (alternate quality checker)
heimdal-history claimed to support an -s option that specified a
different path to the quality check program to run, but it didn't
actually work. Add support for it.
Russ Allbery [Thu, 27 Feb 2014 04:04:54 +0000 (20:04 -0800)]
Skip Perl strictness testing if module prereqs are missing
Modify the standard Perl strictness test, which also checks Perl
scripts for syntax errors, to support a list of prerequisite
modules. Skip the test if any of those modules can't be loaded,
since they'll otherwise cause failures. This makes the testing
more robust given that we have some scripts that require a bunch
of Perl modules not needed by the main package.
Russ Allbery [Thu, 27 Feb 2014 02:52:21 +0000 (18:52 -0800)]
Add minimum_different configuration option
A new configuration option, minimum_different, can be set to require
that passwords contain at least that many unique characters. This can
be used to reject long strings of identical characters or short
patterns, which may pass other checks but still be too easy to guess.
Russ Allbery [Wed, 26 Feb 2014 23:15:10 +0000 (15:15 -0800)]
Revert "Fix edit distance checking and add a test suite"
This reverts commit feb69b10461b4dca5d439ace7aaf58640000d8bd.
This is too slow to be usable. We will be adding an new password
dictionary back-end that will do this check.
Russ Allbery [Wed, 12 Feb 2014 04:33:38 +0000 (20:33 -0800)]
Fix edit distance checking and add a test suite
Several errors in the previous implementation caused edit distance
checking to not work properly. Actually iterate through the
possible characters correctly.
Russ Allbery [Fri, 7 Feb 2014 23:44:44 +0000 (15:44 -0800)]
In CDB checks, check all passwords within edit distance one
When checking a password against a CDB dictionary, the dictionary will
be checked for all printable ASCII passwords within edit distance one,
in addition to checking the password with first and last characters,
first two characters, and last two characters removed.
Russ Allbery [Fri, 7 Feb 2014 22:25:20 +0000 (14:25 -0800)]
Add hash benchmarking support to heimdal-history
Add an option to benchmark the hash function and find an interation
count that takes a particular amount of time. Adjust the default
iteration count to match benchmarking done on relatively recent
hardware.
Russ Allbery [Wed, 5 Feb 2014 01:30:39 +0000 (17:30 -0800)]
Add password history implementation for Heimdal
A password history implementation for Heimdal is now included. This
is a separate Perl program, heimdal-history, that stacks with the
external program implementation of strength checking. It is not
available in the form of a plugin, only as a Heimdal external password
quality check. (MIT Kerberos provides its own password history
mechanism.) This program has more extensive Perl module dependencies
than the other programs in this distribution.
Russ Allbery [Fri, 13 Dec 2013 01:34:28 +0000 (17:34 -0800)]
Use Perl6::Slurp instead of File::Slurp
One utility was using Perl6::Slurp and another was using
File::Slurp. Perl6::Slurp is nicer, so just use that, and
update the documentation. Also document the bootstrap
requirements imposed by make-c-data.
Russ Allbery [Fri, 13 Dec 2013 01:28:09 +0000 (17:28 -0800)]
Update README with more details about new checking rules
The description section didn't mention the non-CrackLib capabilities,
and README never spelled out how CDB dictionaries were checked.
Fix both of those oversights.
Russ Allbery [Fri, 13 Dec 2013 01:22:39 +0000 (17:22 -0800)]
Flesh out heimdal-strength documentation
Add full documentation for the supported krb5.conf configuration
options to the heimdal-strength POD documentation. Also slightly
update the BLURB section of README.
Russ Allbery [Fri, 13 Dec 2013 01:08:46 +0000 (17:08 -0800)]
Add class requirement documentation and length ranges
Add support for qualifying a character class restriction with the
range of lengths of password to which it applies. Add documentation
and a NEWS entry for the new configuration.
Russ Allbery [Fri, 13 Dec 2013 00:25:03 +0000 (16:25 -0800)]
Fix various character class check mistakes, add test suite
This is the first working version of the character class checking,
which is now plugged into the module initialization. It also adds
a test suite for the external password check utility, although not
the embedded modules yet.
Russ Allbery [Thu, 12 Dec 2013 06:01:49 +0000 (22:01 -0800)]
Rename the class test set to letter
Next is to add support for full character class rules, which will
reuse a similar name, so move the simplistic character class rules
to the name letter.json.
Russ Allbery [Mon, 4 Nov 2013 21:16:54 +0000 (13:16 -0800)]
Add wordlist filter mode to cdbmake-wordlist
Add a new -o (--output) option that applies any configured filtering
and writes out a new wordlist file instead of creating a CDB file.
Refactor the script to avoid adding too much complexity with this
feature.
Russ Allbery [Mon, 4 Nov 2013 19:16:56 +0000 (11:16 -0800)]
Support filtering wordlists by regex in cdbmake-wordlist
Add a new option, -x or --exclude, that excludes words from the
resulting CDB database by regular expression. This option may
be given repeatedly to filter out multiple regular expressions.
Russ Allbery [Tue, 8 Oct 2013 19:10:55 +0000 (12:10 -0700)]
Update some of the password rejection error messages
Refer to "list of common passwords" when rejecting passwords due
to presence in a CDB dictionary, and say that passwords based on
the principal are based on "username or principal" to be more
technically accurate.
Russ Allbery [Tue, 8 Oct 2013 18:32:52 +0000 (11:32 -0700)]
Fix compilation without TinyCDB
The build without TinyCDB support was apparently not retested
after some refactoring, so some functions had the wrong signatures
or were not properly prototyped.
Russ Allbery [Mon, 7 Oct 2013 19:40:13 +0000 (12:40 -0700)]
Fix distribution contents for the release
It's been a while and a lot of changes, so there were various
places where the contents of the distribution as defined by
Makefile.am were out of date.
Russ Allbery [Mon, 7 Oct 2013 19:46:33 +0000 (12:46 -0700)]
Adjust the test suite for being run with a weird umask
If the test suite is run with a read-only source distribution, we
create files that aren't writable and then various things go awry.
Force permissions in a few key places to correct the problem.
Russ Allbery [Thu, 3 Oct 2013 04:05:56 +0000 (21:05 -0700)]
Add additional checks for passwords based on principals
The check for passwords based on the principal now check for passwords
formed by reversing or adding numbers before and after each separate
component of the principal. This will catch passwords based on the
realm or components of the realm, which will often catch passwords
based on the name of the local institution.
Russ Allbery [Thu, 3 Oct 2013 02:53:29 +0000 (19:53 -0700)]
Refactor checking for passwords based on principals
Move this code into a separate file in preparation for expanding
the nature of the checks, and following the general principal of
putting each type of check in a separate file.
Russ Allbery [Thu, 3 Oct 2013 02:40:58 +0000 (19:40 -0700)]
Clean up and refactor configuration handling
Each "module" (CDB and CrackLib) now handles its own configuration
and setup, and the internal APIs are more straightforward and
simpler.
The plugin can now be configured without a dictionary, in which case
only the simpler checks available through the new configuration
variables are done. This mode is mostly useful for testing, since
such simple checking can more easily be done via less complex password
strength configurations.
Russ Allbery [Thu, 3 Oct 2013 01:55:51 +0000 (18:55 -0700)]
Separate Kerberos configuration handling into a separate file
Provide a cleaner interface and hard-code the section values to
reduce the number of required arguments. Factor out the realm
handling and properly free the default realms, avoiding memory
leaks.
Russ Allbery [Wed, 2 Oct 2013 06:33:20 +0000 (23:33 -0700)]
Refactor error handling inside the plugin
Add a set of generic functions for setting the error message in
the Kerberos context, move some of the error message strings out
where they can be easily manipulated, and use a similar error
message for CDB matches as the other password error messages.
Russ Allbery [Wed, 2 Oct 2013 05:27:47 +0000 (22:27 -0700)]
Clean up error handling in the Heimdal plugin
Move the code to convert the Kerberos error to an error string
into a separate function and use that to simplify the error
reporting. Remove an unnecessary prefix to the error for
initializing the password strength checking.
Russ Allbery [Wed, 2 Oct 2013 05:02:33 +0000 (22:02 -0700)]
Change the default plugin install path and name
The default installation path for this plugin is now
/usr/local/lib/krb5/plugins/pwqual/strength.so (for both MIT and
Heimdal), assuming a --libdir setting of /usr/local/lib. This may
require updates to the Kerberos KDC configuration or moving the plugin
when upgrading from earlier versions.
Russ Allbery [Wed, 2 Oct 2013 04:44:40 +0000 (21:44 -0700)]
Fix Heimdal pwcheck header probing
The configure probe was never going to work properly. Fix that by
adding the correct includes. Drop the fallback for versions of
Heimdal without the include file installed, which is not required
for Debian squeeze and later.
Russ Allbery [Wed, 2 Oct 2013 04:09:29 +0000 (21:09 -0700)]
Rename plugin/api.h to plugin/internal.h
This no longer defines the default API, since that is now an
internal implementation detail. Rename the header file to match
the sort of thing I do with other projects.
Russ Allbery [Wed, 2 Oct 2013 03:51:55 +0000 (20:51 -0700)]
Add configurable checks for ASCII and for non-letters
New boolean settings require_ascii_printable and require_non_letter
are supported in the krb5-strength setting of [appdefaults] in
krb5.conf. The former rejects passwords containing characters other
than printable ASCII characters (including space), and the latter
requires that passwords contain at least one character that is not a
letter (upper or lower case) or a space.
Russ Allbery [Wed, 2 Oct 2013 03:43:41 +0000 (20:43 -0700)]
Support UTF-8 data in password test cases
In make-c-data, when generating C source from the JSON data,
properly encode UTF-8 strings. This still requires a C compiler
that can handle raw UTF-8 input, but hopefully that won't be a
serious portability issue.
Russ Allbery [Wed, 2 Oct 2013 00:55:30 +0000 (17:55 -0700)]
Add support for enforcing a minimum password length
This is configured using the minimum_length setting in krb5.conf
in the krb5-strength section of [appdefaults]. This length check
is independent of CrackLib's checks.
Russ Allbery [Tue, 1 Oct 2013 22:03:03 +0000 (15:03 -0700)]
Separate generic tests from CrackLib tests
Move the generic password tests into a separate file so that
they can be run independent from the CrackLib tests, and run
them for both CrackLib and CDB configurations.
Russ Allbery [Tue, 1 Oct 2013 21:21:09 +0000 (14:21 -0700)]
Move password test data into a subdirectory
The number of files is only going to grow, so move it into a
subdirectory and use a loop in autogen to generate C versions of
every file to make it easier to add new blocks of test data.
Russ Allbery [Tue, 1 Oct 2013 21:07:11 +0000 (14:07 -0700)]
Add Perl testing from rra-c-util
Delete the old, simple POD tests that only looked at the docs for
heimdal-strength and add full POD and Perl testing using the
generic tests from rra-c-util.
Russ Allbery [Tue, 1 Oct 2013 06:15:51 +0000 (23:15 -0700)]
Add support for checking against a CDB database
Add support for building with TinyCDB and then checking passwords
against a CDB database. There is a new password_dictionary_cdb
krb5.conf configuration setting that configures a CDB directory to
use. The tests with a CDB dictionary are much simpler: passwords are
rejected if found in the dictionary either literally, with one or two
characters removed from the start or end, or with one character
removed from both the start and the end. Both a CrackLib and a CDB
dictionary can be specified to check both dictionaries.