NAME¶
heimdal-history - Password history via Heimdal external strength checking
SYNOPSIS¶
heimdal-history [
-hmq] [
-b target-time] [
-d
database]
[
-S length-stats-db] [
-s strength-program]
[
principal]
DESCRIPTION¶
heimdal-history is an implementation of password history via the Heimdal
external password strength checking interface. It stores separate history for
each principal, hashed using Crypt::PBKDF2 with randomly-generated salt. (The
randomness is from a weak pseudorandom number generator, not strongly random.)
Password history is stored in a BerkeleyDB DB_HASH file. The key is the
principal. The value is a JSON array of objects, each of which has two keys.
"timestamp" contains the time when the history entry was added (in
POSIX seconds since UNIX epoch), and "hash" contains the hash of a
previously-used password in the Crypt::PBKDF2 LDAP-compatible format.
Passwords are hashed using PBKDF2 (from PKCS#5) with SHA-256 as the underlying
hash function using a number of rounds configured in this script. See
Crypt::PBKDF2 for more information.
heimdal-history also checks password strength before checking history. It
does so by invoking another program that also uses the Heimdal external
password strength checking interface. By default, it runs
/usr/bin/heimdal-strength. Only if that program approves the password
does it hash it and check history.
As with any implementation of the Heimdal external password strength checking
protocol,
heimdal-history expects, on standard input:
principal: <principal>
new-password: <password>
end
(with no leading whitespace). <principal> is the principal changing its
password (passed to the other password strength checking program but otherwise
unused here), and <password> is the new password. There must be exactly
one space after the colon. Any subsequent spaces are taken to be part of the
principal or password.
If invoked as root,
heimdal-history will run the external strength
checking program as user "nobody" and group "nogroup", and
will check and write to the history database as user "_history" and
group "_history". These users must exist on the system if it is run
as root.
The result of each password check will be logged to syslog (priority LOG_INFO,
facility LOG_AUTH). Each log line will be a set of key/value pairs in the
format "
key=
value". The keys are:
- action
- The action performed (currently always "check").
- principal
- The principal for which a password was checked.
- error
- An internal error message that did not stop the history check, but which
may indicate that something is wrong with the history database (such as
corrupted entries or invalid hashes). If this key is present, neither
"result" nor "reason" will be present. There will be a
subsequent log message from the same invocation giving the final result of
the history check (assuming heimdal-history doesn't exit with a
fatal error).
- result
- Either "accepted" or "rejected".
- reason
- If the password was rejected, the reason for the rejection.
The value will be surrounded with double quotes if it contains a double quote or
space. Any double quotes in the value will be doubled, so """
becomes "".
OPTIONS¶
- -b target-time, --benchmark=target-time
- Do not do a password history check. Instead, benchmark the hash algorithm
with various possible iteration counts and find an iteration count that
results in target-time seconds of computation time required to hash
a password (which should be a real number). A result will be considered
acceptable if it is within 0.005 seconds of the target time. The results
will be printed to standard output and then heimdal-history will
exit successfully.
- -d database, --database=database
- Use database as the history database file instead of the default (
/var/lib/heimdal-history/history.db). Primarily used for testing,
since Heimdal won't pass this argument.
- -h, --help
- Print a short usage message and exit.
- -m, --manual, --man
- Display this manual and exit.
- -q, --quiet
- Suppress logging to syslog and only return the results on standard output
and standard error. Primarily used for testing, since Heimdal won't pass
this argument.
- -S length-stats-db,
--stats=length-stats-db
- Use length-stats-db as the database file for password length
statistics instead of the default (
/var/lib/heimdal-history/lengths.db). Primarily used for testing,
since Heimdal won't pass this argument.
- -s strength-program,
--strength=strength-program
- Run strength-program as the external strength-checking program
instead of the default ( /usr/bin/heimdal-strength). Primarily used
for testing, since Heimdal won't pass this argument.
RETURN STATUS¶
On approval of the password,
heimdal-history will print
"APPROVED" and a newline to standard output and exit with status 0.
If the password is rejected by the strength checking program or if it (or a
version with a single character removed) matches one of the hashes stored in
the password history,
heimdal-history will print the reason for
rejection to standard error and exit with status 0.
On any internal error,
heimdal-history will print the error to standard
error and exit with a non-zero status.
FILES¶
- /usr/bin/heimdal-strength
- The default password strength checking program. This program must follow
the Heimdal external password strength checking API.
- /var/lib/heimdal-history/history.db
- The default database path. If heimdal-strength is run as root, this
file needs to be readable and writable by user "_history" and
group "_history". If it doesn't exist, it will be created with
mode 0600.
- /var/lib/heimdal-history/history.db.lock
- The lock file used to synchronize access to the history database. As with
the history database, if heimdal-strength is run as root, this file
needs to be readable and writable by user "_history" and group
"_history".
- /var/lib/heimdal-history/lengths.db
- The default length statistics path, which will be a BerkeleyDB DB_HASH
file of password lengths to counts of passwords with that length. If
heimdal-strength is run as root, this file needs to be readable and
writable by user "_history" and group "_history". If
it doesn't exist, it will be created with mode 0600.
- /var/lib/heimdal-history/lengths.db.lock
- The lock file used to synchronize access to the length statistics
database. As with the length statistics database, if
heimdal-strength is run as root, this file needs to be readable and
writable by user "_history" and group "_history".
AUTHOR¶
Russ Allbery <eagle@eyrie.org>
COPYRIGHT AND LICENSE¶
Copyright 2013, 2014 The Board of Trustees of the Leland Stanford Junior
University
Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"),
to deal in the Software without restriction, including without limitation the
rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
sell copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO
EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES
OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
DEALINGS IN THE SOFTWARE.
SEE ALSO¶
Crypt::PBKDF2,
heimdal-strength(1)