krb5-strength 1.0 released

Russ Allbery rra at stanford.edu
Wed Feb 17 02:42:59 EST 2010 

I'm pleased to announce release 1.0 of krb5-strength.

krb5-strength provides mechanisms for checking the strength of Kerberos
passwords against an external dictionary when a user changes passwords in
a Kerberos KDC.  It is roughly equivalent to checking password strength
via CrackLib, except that it embeds a copy of Alec Muffett's CrackLib that
has been modified to perform slightly more strenuous tests.  It is usable
as-is with Heimdal.  With MIT Kerberos, it requires an included patch to
libkadm5srv to support a dynamically loaded password check module.

I was hoping to finish, for this release, an updated version of the patch
for MIT Kerberos based on extensive work by Marcus Watts, but I
unfortunately ran out of time.  Hopefully the next release.

Changes from previous release:

    Add heimdal-strength, a program that checks password strength using
    the protocol for a Heimdal external check program.

    The shared module now also exports the interface expected by Heimdal's
    dynamically loaded password strength checking API and can be used as a
    Heimdal kadmin plugin.

    Add a new plugin API for MIT Kerberos modelled after the plugin API
    used for other MIT Kerberos plugins.  Thanks to Marcus Watts for
    substantial research and contributions to the interface design.  This
    work is incomplete in this release, missing the corresponding patch to
    MIT Kerberos.

    Fixed the data format written by the included packer program to add
    enough nul bytes at the end of the data.  Previously, there was not
    enough trailing nul bytes for the expected input format, leading to
    uninitialized memory reads in the password lookup.

    Add a test suite using the driver and library from C TAP Harness 1.1.

    Add portability code for platforms without a working snprintf or other
    deficiencies and updated the code to take advantage of those
    guarantees.

You can download it from:

    <http://www.eyrie.org/~eagle/software/krb5-strength/>

This package is maintained using Git; see the instructions on the above
page to access the Git repository.

Please let me know of any problems or feature requests not already listed
in the TODO file.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>

More information about the Kerberos mailing list