I'm pleased to announce release 1.0 of krb5-strength. krb5-strength provides mechanisms for checking the strength of Kerberos passwords against an external dictionary when a user changes passwords in a Kerberos KDC. It is roughly equivalent to checking password strength via CrackLib, except that it embeds a copy of Alec Muffett's CrackLib that has been modified to perform slightly more strenuous tests. It is usable as-is with Heimdal. With MIT Kerberos, it requires an included patch to libkadm5srv to support a dynamically loaded password check module.
I was hoping to finish, for this release, an updated version of the patch for MIT Kerberos based on extensive work by Marcus Watts, but I unfortunately ran out of time. Hopefully the next release. Changes from previous release: Add heimdal-strength, a program that checks password strength using the protocol for a Heimdal external check program. The shared module now also exports the interface expected by Heimdal's dynamically loaded password strength checking API and can be used as a Heimdal kadmin plugin. Add a new plugin API for MIT Kerberos modelled after the plugin API used for other MIT Kerberos plugins. Thanks to Marcus Watts for substantial research and contributions to the interface design. This work is incomplete in this release, missing the corresponding patch to MIT Kerberos. Fixed the data format written by the included packer program to add enough nul bytes at the end of the data. Previously, there was not enough trailing nul bytes for the expected input format, leading to uninitialized memory reads in the password lookup. Add a test suite using the driver and library from C TAP Harness 1.1. Add portability code for platforms without a working snprintf or other deficiencies and updated the code to take advantage of those guarantees. You can download it from: <http://www.eyrie.org/~eagle/software/krb5-strength/> This package is maintained using Git; see the instructions on the above page to access the Git repository. Please let me know of any problems or feature requests not already listed in the TODO file. -- Russ Allbery (r...@stanford.edu) <http://www.eyrie.org/~eagle/> ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos