krb5-strength

Description

krb5-strength is a toolkit for checking the strength of passwords against an external dictionary, applying more transforms and checks than kadmind supports by default. It is implemented as a patch to kadmind and a plugin module that is called on each password change. It embeds a slightly modified copy of Alec Muffett's CrackLib to do the password checking.
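The difference between a plain word-list lookup and a dictionary check that applies transforms first can be seen in the added example below. It is an illustration written for this page, not code from krb5-strength or CrackLib; the word list is constructed, and the transforms (leet substitutions, stripping digits and punctuation, reversal, doubling) are an assumed small subset of the kind of mangling such a checker undoes, not CrackLib's actual rule table.

```python
# Added illustration only: NOT krb5-strength or CrackLib code.
# WORDS is a constructed sample word list; the transforms below are an
# assumed subset chosen for the example, not CrackLib's real rule set.
import re

WORDS = {"kerberos", "stanford", "password", "dragon"}  # constructed sample

# Common character substitutions mapped back to letters.
LEET = str.maketrans("0134578@$!", "oleastbasi")


def exact_match(password, words=WORDS):
    """Baseline: reject only if the password is literally a listed word."""
    return password.lower() in words


def candidates(password):
    """Return the de-mangled forms of a password to look up in the dictionary."""
    base = password.lower()
    forms = {base, base.translate(LEET)}
    for form in list(forms):
        # Strip leading/trailing digits and punctuation ("dragon1!" -> "dragon").
        forms.add(re.sub(r"^[\W\d_]+|[\W\d_]+$", "", form))
    for form in list(forms):
        forms.add(form[::-1])                    # reversed word
        half = len(form) // 2
        if len(form) % 2 == 0 and form[:half] == form[half:]:
            forms.add(form[:half])               # doubled word
    return forms - {""}


def check_password(password, words=WORDS):
    """Return the dictionary word the password is based on, or None."""
    hit = candidates(password) & words
    return min(hit) if hit else None


if __name__ == "__main__":
    # Constructed sample passwords.
    for pw in ["Password", "P@ssw0rd", "drowssaP1", "dragondragon", "vq7Lm#tZ2pXe"]:
        print("%-14s exact=%-5s transformed=%s"
              % (pw, exact_match(pw), check_password(pw)))
```

Only the first sample is caught by the exact lookup; the transformed check also flags the next three and accepts the last.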

This is not a simple software package. It currently requires patching MIT Kerberos to allow use of plugins to check password strength, and you will separately have to obtain a word list and build a CrackLib dictionary from it.

This software was written by Derrick Brashear and Ken Hornstein of Sine Nomine Associates on behalf of Stanford University. I have since reorganized, updated, hacked, and otherwise modified it significantly. My long-term goal is to find a plugin API for kadmind that can be integrated into MIT Kerberos (and ideally Heimdal as well, although that's a lower priority) so that this package can provide only the loadable module.

Requirements

To use this plugin, you will need to apply the patch in the patches directory to MIT Kerberos and rebuild. Due to how kadmind is constructed, the changes are actually in the libkadm5srv library, not in the kadmind binary, so you'll need to install the modified libraries.

For this module to be effective, you will also need to construct a dictionary. The mkdict and packer utilities to build a CrackLib dictionary from a word list are included in this toolkit but not installed by default. You can run them out of the cracklib directory after building. You can also use the utilities that come with the stock CrackLib package (often already packaged in a Linux distribution). You will need to find a word list to use as input to the dictionary construction utilities.

This software has only been tested on Linux. There's no inherent reason why it shouldn't work on other platforms that support dlopen, but I've not even tried to compile it elsewhere.

Download

The distribution:

krb5-strength 0.5 2007-07-19 Download PGP signature

An archive of older releases is also available.

Documentation:

License

The packaging, plugin glue, and build system are covered by the following copyright and license:

Copyright 2006, 2007 Board of Trustees, Leland Stanford Jr. University. All rights reserved.

Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of Stanford University not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Stanford University makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.

THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

The version of CrackLib included here, and all modifications made to it as part of this toolkit, is covered by the Artistic License. For full license terms, see cracklib/LICENCE in the source distribution.

Last spun 2008-09-16 from thread modified 2007-01-04