krb5-strength 3.0 released

Russ Allbery eagle at eyrie.org
Wed Mar 26 04:27:27 EDT 2014


I'm pleased to announce release 3.0 of krb5-strength.

krb5-strength provides a password quality plugin for the MIT Kerberos KDC
(specifically the kadmind server), an external password quality program
for use with Heimdal, and a per-principal password history implementation
for Heimdal.  Passwords can be tested with CrackLib, checked against a CDB
or SQLite database of known weak passwords with some transformations,
checked for length, checked for non-printable or non-ASCII characters that
may be difficult to enter reproducibly, required to contain particular
character classes, or any combination of these tests.  It supports both
Heimdal and MIT Kerberos (1.9 or later).

Changes from previous release:

    The krb5-strength plugin and heimdal-strength program now support a
    SQLite password dictionary.  This format of dictionary can detect any
    password within edit distance one of a dictionary word, meaning that
    the dictionary word can be formed by adding, removing, or changing a
    single character in the password.  A SQLite password dictionary can be
    used alone or in combination with any of the other supported
    dictionary types.  SQLite dictionary support is based on work by David
    Mazières.

    cdbmake-wordlist has been renamed to krb5-strength-wordlist.
    Generating CDB dictionaries now requires the -c option; see the
    documentation for more information.  A SQLite database of dictionary
    words can now be created instead, using the -s option.

    A password history implementation for Heimdal is now included.  This
    is a separate Perl program, heimdal-history, that stacks with the
    external program implementation of strength checking.  It is not
    available in the form of a plugin, only as a Heimdal external password
    quality check.  (MIT Kerberos provides its own password history
    mechanism.)  This program has more extensive Perl module dependencies
    than the other programs in this distribution.

    A new configuration option, minimum_different, can be set to require
    that passwords contain at least that many unique characters.  This can
    be used to reject long strings of identical characters or short
    patterns, which may pass other checks but still be too easy to guess.
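
As an added illustration of the two checks described above (the edit-distance-one SQLite dictionary lookup and the minimum_different count), here is a small self-contained Python sketch. It is not krb5-strength's own code: the table layout, the prefix/suffix search strategy, the lowercasing step and the sample word list are all assumptions made for this example.

```python
"""Added example (not krb5-strength's own code): an edit-distance-one
dictionary check backed by SQLite, plus a minimum_different check.
The table layout, the prefix/suffix search and the sample words are
assumptions made for this illustration."""
import sqlite3

# Constructed sample dictionary; a real deployment would load a large wordlist.
SAMPLE_WORDS = ["password", "kerberos", "princess", "letmein", "dragon"]


def build_dictionary(words):
    """Create an in-memory SQLite dictionary.  Each word is stored forwards
    (word) and reversed (drow) so that both prefix and suffix lookups can be
    served from an index.  This layout is an assumption for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE words (word TEXT PRIMARY KEY, drow TEXT NOT NULL)")
    conn.execute("CREATE INDEX drow_idx ON words (drow)")
    conn.executemany("INSERT OR IGNORE INTO words VALUES (?, ?)",
                     ((w.lower(), w.lower()[::-1]) for w in words))
    conn.commit()
    return conn


def within_edit_one(a, b):
    """True if a == b or b is reachable from a by one insertion, deletion or
    substitution (the definition used above; transpositions are not counted)."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) < len(b):
        a, b = b, a                     # a is now the longer (or equal) string
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        i += 1                          # skip the extra/changed char in a
        if len(a) == len(b):
            j += 1                      # a substitution also consumes b
    return edits + (len(a) - i) <= 1    # trailing leftover of a is one edit


def find_near_word(conn, password):
    """Return a dictionary word within edit distance one of password, or None.

    Pigeonhole argument: a single edit touches one position, so either the
    first half of the password survives unchanged in the word (range query
    on word) or the second half does (range query on drow with the reversed
    second half).  Candidates are confirmed with within_edit_one(), so no
    false positives reach the caller."""
    k = len(password) // 2
    keys = (("word", password[:k]), ("drow", password[k:][::-1]))
    candidates = set()
    for column, key in keys:            # column names come from a fixed tuple
        # key <= value < key + U+10FFFF covers every string starting with key
        # under SQLite's default byte-order collation (valid UTF-8 assumed).
        rows = conn.execute(
            f"SELECT word FROM words WHERE {column} >= ? AND {column} < ?",
            (key, key + "\U0010ffff"))
        candidates.update(r[0] for r in rows)
    for word in sorted(candidates):
        if within_edit_one(password, word):
            return word
    return None


def check_password(conn, password, minimum_different=0):
    """Apply both checks.  Returns (accepted, reason).  Lowercasing before
    the dictionary lookup is a choice made here, not something the
    announcement specifies."""
    if len(set(password)) < minimum_different:
        return False, f"fewer than {minimum_different} distinct characters"
    near = find_near_word(conn, password.lower())
    if near is not None:
        return False, f"within one edit of dictionary word '{near}'"
    return True, "ok"


if __name__ == "__main__":
    db = build_dictionary(SAMPLE_WORDS)
    for candidate in ["passw0rd", "Kerberos1", "aaaaaaaabb", "xerberox", "T4k$unique!"]:
        print(candidate, check_password(db, candidate, minimum_different=4))
```

Note that "xerberox" is accepted by the dictionary check: it differs from "kerberos" in two positions, and the check is deliberately limited to a single edit, which is what keeps the search to two indexed range queries per password.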

    Update to rra-c-util 5.4:

    * Fix portable/krb5.h build with a C++ compiler.
    * Use Lancaster Consensus environment variables to control tests.
    * Work around perltidy bug that leaves behind stray log files.

    Update to C TAP Harness 3.0:

    * Reopen standard input to /dev/null when running a test list.
    * Don't leak extraneous file descriptors to tests.

You can download it from:

    <http://www.eyrie.org/~eagle/software/krb5-strength/>

This package is maintained using Git; see the instructions on the above
page to access the Git repository.

Debian packages have been uploaded to Debian unstable.

Please let me know of any problems or feature requests not already listed
in the TODO file.

-- 
Russ Allbery (eagle at eyrie.org)              <http://www.eyrie.org/~eagle/>
