krb5-strength 3.3 released

Russ Allbery eagle at eyrie.org
Mon Dec 25 22:53:39 EST 2023 

I'm pleased to announce release 3.3 of krb5-strength.

krb5-strength provides a password quality plugin for the MIT Kerberos KDC
(specifically the kadmind server) and Heimdal KDC, an external password
quality program for use with Heimdal, and a per-principal password history
implementation for Heimdal.  Passwords can be tested with CrackLib,
checked against a CDB or SQLite database of known weak passwords with some
transformations, checked for length, checked for non-printable or
non-ASCII characters that may be difficult to enter reproducibly, required
to contain particular character classes, or any combination of these
tests.

Changes from previous release:

    heimdal-history now requires the Perl modules Const::Fast and
    JSON::MaybeXS instead of Readonly and JSON.

    Increase hash iterations for heimdal-history by about 10% to maintain
    the time required for a password hash at about 0.1 seconds on not
    horribly modern hardware.  This will affect newly-stored history
    entries but will not invalidate existing password history entries.

    Explicitly erase the copy of the password made in the Heimdal plugin
    before freeing memory.

    Add a spec file for building RPMs, contributed by Daria Phoebe
    Brashear.

    Update to rra-c-util 10.5:

    * Assume a working snprintf rather than supplying a replacement.
    * Fix detection of reallocarray on NetBSD.
    * Check that Kerberos header files were found during configure.
    * Use AS_ECHO in all Autoconf macros.
    * Always use lib32 or lib64 if it exists, even on Debian.
    * Fix rejection of unknown Clang warning flags.
    * Disable -Wreserved-identifier for Clang warning builds.

You can download it from:

    <https://www.eyrie.org/~eagle/software/krb5-strength/>

This package is maintained using Git; see the instructions on the above
page to access the Git repository.

Debian packages have been uploaded to Debian unstable.

Please let me know of any problems or feature requests not already listed
in the TODO file.

-- 
Russ Allbery (eagle at eyrie.org)             <https://www.eyrie.org/~eagle/>

More information about the Kerberos mailing list