krb5-strength 1.1 released

Russ Allbery rra at stanford.edu
Fri May 11 18:21:19 EDT 2012 

I'm pleased to announce release 1.1 of krb5-strength.

krb5-strength provides mechanisms for checking the strength of Kerberos
passwords against an external dictionary when a user changes passwords in
a Kerberos KDC.  It is roughly equivalent to checking password strength
via CrackLib, except that it embeds a copy of Alec Muffett's CrackLib that
has been modified to perform slightly more strenuous tests.  It is usable
as-is with Heimdal.  With MIT Kerberos, it requires an included patch to
libkadm5srv to support a dynamically loaded password check module.

Changes from previous release:

    Change the minimum password length in the embedded CrackLib to 8.

    Reject passwords formed from the username portion of the principal
    with digits appended.

    In the embedded CrackLib, also check for a duplicated dictionary word.

    Support linking with the system CrackLib instead of the embedded and
    stricter copy by passing --with-cracklib to configure.

    Fix variable sizes in the embedded CrackLib on 64-bit platforms.  This
    may fix interoperability problems with databases created on platforms
    with a different native integer size.  Thanks, Karl Lehnberger and
    Benj Carson.

    Stop using local in the test suite for portability to Solaris /bin/sh.

    Update to rra-c-util 4.4:

    * Use PATH_KRB5_CONFIG to override krb5-config location.
    * Fix probing for ibm_svc/krb5_svc.h on AIX.
    * Support Heimdal libraries without libroken, like OpenBSD.
    * Fix manual Kerberos library probing without transitive dependencies.
    * Support systems that only have krb5/krb5.h.
    * Pass --deps to krb5-config in the non-reduced-dependencies case.
    * Silence __attribute__ warnings on more compilers.
    * Update warning flags for make warnings.
    * Flesh out MAINTCLEANFILES to remove autogen results.
    * Add notices to all files copied from rra-c-util.

    Update to C TAP Harness 1.12:

    * Drop is_double from the C TAP library to avoid requiring -lm.
    * Avoid using local in the shell libtap.sh library.
    * Silence __attribute__ warnings on more compilers.
    * runtests now frees all allocated resources on exit.
    * Fix runtests to still honor SOURCE and -s without BUILD and -b.
    * Add tests/HOWTO documenting how to add new tests.
    * Ensure correct output ordering in test results.
    * Add -h and a better usage message to tests/runtests.

You can download it from:

    <http://www.eyrie.org/~eagle/software/krb5-strength/>

This package is maintained using Git; see the instructions on the above
page to access the Git repository.

Please let me know of any problems or feature requests not already listed
in the TODO file.  Next on my list to tackle is to work with the new MIT
Kerberos plugin framework so that the patch is no longer required.  (I
think this is mostly done already, but I need to double-check.)

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>

More information about the Kerberos mailing list