krb5-strength 2.2 released

Russ Allbery eagle at
Mon Dec 16 18:58:58 EST 2013

I'm pleased to announce release 2.2 of krb5-strength.

krb5-strength provides a password quality plugin for the MIT Kerberos KDC
(specifically the kadmind server) and an external password quality program
for use with the Heimdal kpasswdd server.  Passwords can be tested with
CrackLib, checked against a CDB database of known weak passwords, checked
for length, checked for non-printable or non-ASCII characters that may be
difficult to enter reproducibly, required to contain particular character
classes, or any combination of these tests.  It supports both Heimdal and
MIT Kerberos (1.9 or later).

Changes from previous release:

    More complex character class requirements can be specified with the
    configuration option require_classes.  This option lists the character
    classes the password must contain.  These restrictions may be
    qualified with password length ranges, allowing the requirements to
    change with the length of the password.  See README for more details
    and the option syntax.

    cdbmake-wordlist now supports filtering out words based on maximum
    length (-L) and arbitrary user-provided regular expressions (-x).  It
    also supports running in filter mode to produce a new wordlist instead
    of a CDB file (-o).

    Close a file descriptor and memory leak in the included version of
    CrackLib.  This problem was already fixed in CrackLib 2.9.0.

    Update to rra-c-util 4.12:

    * Properly check the return status of snprintf and friends.

    Update to C TAP Harness 2.3:

    * Suppress lazy plans and test summaries if the test failed with bail.
    * Add warn_unused_result gcc attributes to relevant functions.

You can download it from:


This package is maintained using Git; see the instructions on the above
page to access the Git repository.

Debian packages have been uploaded to Debian unstable.

Please let me know of any problems or feature requests not already listed
in the TODO file.

Russ Allbery (eagle at              <>

More information about the Kerberos mailing list