krb5-strength 2.0 released
Russ Allbery
rra at stanford.edu
Tue Oct 8 01:28:30 EDT 2013
I'm pleased to announce release 2.0 of krb5-strength.
krb5-strength provides a password quality plugin for the MIT Kerberos KDC
(specifically the kadmind server) and an external password quality program
for use with the Heimdal kpasswdd server. Passwords can be tested with
CrackLib, checked against a CDB database of known weak passwords, checked
for length, checked for non-printable or non-ASCII characters that may be
difficult to enter reproducibly, required to contain a non-alphabetic
character, or any combination of these tests. It supports both Heimdal
and MIT Kerberos (1.9 or later).
Changes from previous release:
Add support for the MIT Kerberos password quality plugin interface,
available in MIT Kerberos 1.9 and later, contributed by Greg Hudson
and MIT. Drop the patch for MIT Kerberos 1.4 (and hence support for
versions of MIT Kerberos prior to 1.9). A dictionary path set in
krb5.conf takes precedence over the dictionary path provided by MIT
Kerberos when the plugin is initialized, if both are set, to allow the
dict_path configuration setting to be used for other plugins while
using a separate dictionary for krb5-strength.
The default installation path for this plugin is now
/usr/local/lib/krb5/plugins/pwqual/strength.so (for both MIT and
Heimdal), assuming a --libdir setting of /usr/local/lib. This may
require updates to the Kerberos KDC configuration or moving the plugin
when upgrading from earlier versions.
Add support for building with TinyCDB and then checking passwords
against a CDB database. There is a new password_dictionary_cdb
krb5.conf configuration setting that configures a CDB directory to
use. The tests with a CDB dictionary are much simpler: passwords are
rejected if found in the dictionary either literally, with one or two
characters removed from the start or end, or with one character
removed from both the start and the end. Both a CrackLib and a CDB
dictionary can be specified to check both dictionaries. A new
cdbmake-wordlist utility (written in Perl) is included to ease the
process of creating a CDB database from a simple word list.
A minimum password length can now be enforced directly via the plugin
or external check program without relying on CrackLib. To set a
minimum password length, add a minimum_length setting to the
krb5-strength section of [appdefaults] in krb5.conf.
New boolean settings require_ascii_printable and require_non_letter
are supported in the krb5-strength setting of [appdefaults] in
krb5.conf. The former rejects passwords containing characters other
than printable ASCII characters (including space), and the latter
requires that passwords contain at least one character that is not a
letter (upper or lower case) or a space.
The plugin can now be configured without a dictionary, in which case
only checks for a password based on the principal and the simpler
checks available through the new configuration variables are done.
This mode is mostly useful for testing, since such simple checking can
more easily be done via less complex password strength configurations.
The check for passwords based on the principal now check for passwords
formed by reversing or adding numbers before and after each separate
component of the principal. This will catch passwords based on the
realm or components of the realm, which will often catch passwords
based on the name of the local institution.
The plugin now sets the Kerberos error message in the context to pass
error information, resulting in higher-quality error reporting in the
MIT Kerberos plugin.
CrackLib checks for passwords where a character is a simple increment
or decrement of the previous character. In previous versions, the
embedded version of CrackLib allowed at most four such occurrences in
the entire password. This results in false positives on long
passphrases, since such accidental letter relationships aren't
uncommon in human languages. Change the embedded CrackLib to allow
one such simple increment for every three characters in the password,
which tightens the check somewhat for shorter passwords and loosens it
considerably for longer passwords.
Expect the Heimdal password strength checking plugin header in
kadm5/kadm5-pwcheck.h instead of outside of the kadm5 directory. This
is the path used by current versions of Heimdal. Drop support for
older versions of Heimdal that don't install this header file.
Update to rra-c-util 4.9:
* Probe for Kerberos headers using file checks instead of compiles.
* Improve probe for the Heimdal libroken library.
* Always build with large file support.
* Conditionally call AM_PROG_AR for portability to new Autotools.
Update to C TAP Harness 2.2:
* Allow more easily running single programs under tests/runtests.
* Flush the output from the test harness after each test.
You can download it from:
<http://www.eyrie.org/~eagle/software/krb5-strength/>
This package is maintained using Git; see the instructions on the above
page to access the Git repository.
Debian packages have been uploaded to Debian unstable.
Please let me know of any problems or feature requests not already listed
in the TODO file.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
More information about the Kerberos
mailing list