> On 30 Jun 2016, at 16:53, Russ Allbery <ea...@eyrie.org> wrote:
> Toby Blake <t...@inf.ed.ac.uk> writes:
>> Hi Russ, when you say "the CrackLib code in there is suspect", do you
>> mean in the current krb5-strength? If so, can you provide details?
>> Suspect, to the extent that it should not be used? Should it be built
>> against a newer cracklib? Note that we're using it with MIT kerberos,
>> so hopefully this isn't off-topic for this list.
> The code quality of CrackLib (any version) has historically not been very
> good. I fixed a bunch of corruption bugs in the version embedded in
> krb5-strength compared to the (at the time) abandoned upstream. But since
> then someone else took over upstream development and found more bugs. I
> have mail somewhere in my inbox about them, but I haven't looked at them
> in any detail for security implications. (Since switching jobs, I haven't
> been doing much with Kerberos, and haven't had time to chase down a lot of
> things like that.)
Thanks Russ, this is all interesting to consider.
I'm definitely drifting off-topic now, but what we have found useful is
approaching the matter from different perspectives other than that purely of
password quality - e.g. using fail2ban/iptables/tcpwrappers to guard against
brute-force attacks and automated summaries telling our users when they have
authenticated, and from where - so they can spot potential anomalies.
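The "who authenticated, when, and from where" summaries and the brute-force spotting that Toby describes, as an added example that is not part of this thread: it parses constructed MIT krb5kdc-style AS_REQ log lines (the sample lines, the EXAMPLE.ORG realm and the baseline of known source addresses are all assumptions), lists each principal's issued tickets with source address, flags sources not in the baseline, and reports addresses with repeated pre-authentication failures that a fail2ban-style jail would act on.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of the MIT krb5kdc log (not from the thread).
SAMPLE_LOG = """\
Jun 30 16:50:01 kdc1 krb5kdc[2101](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: NEEDED_PREAUTH: alice@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Additional pre-authentication required
Jun 30 16:50:01 kdc1 krb5kdc[2101](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1467305401, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
Jun 30 16:52:30 kdc1 krb5kdc[2101](info): AS_REQ (4 etypes {18 17 16 23}) 198.51.100.7: ISSUE: authtime 1467305550, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
Jun 30 16:53:02 kdc1 krb5kdc[2101](info): AS_REQ (4 etypes {18 17 16 23}) 203.0.113.5: PREAUTH_FAILED: bob@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Decrypt integrity check failed
Jun 30 16:53:03 kdc1 krb5kdc[2101](info): AS_REQ (4 etypes {18 17 16 23}) 203.0.113.5: PREAUTH_FAILED: bob@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Decrypt integrity check failed
Jun 30 16:53:04 kdc1 krb5kdc[2101](info): AS_REQ (4 etypes {18 17 16 23}) 203.0.113.5: PREAUTH_FAILED: bob@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Decrypt integrity check failed
Jun 30 16:55:10 kdc1 krb5kdc[2101](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.20: ISSUE: authtime 1467305710, etypes {rep=18 tkt=18 ses=18}, bob@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
"""

# Timestamp, source address, status and client principal of one AS_REQ line.
AS_REQ = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ krb5kdc\[\d+\]\(\w+\): "
    r"AS_REQ \(.*?\) (?P<ip>[0-9a-fA-F.:]+): (?P<status>[A-Z_]+): "
    r"(?:.*?, )?(?P<client>[^\s,]+) for "
)


def parse_as_req(line):
    """Return (timestamp, client principal, source ip, status), or None if not an AS_REQ line."""
    m = AS_REQ.match(line)
    if not m:
        return None
    return m["ts"], m["client"], m["ip"], m["status"]


def login_summary(log_text, known_sources):
    """Per principal: issued tickets (timestamp, source) and sources absent from the baseline."""
    summary = defaultdict(lambda: {"logins": [], "new_sources": []})
    for line in log_text.splitlines():
        rec = parse_as_req(line)
        if rec is None or rec[3] != "ISSUE":
            continue  # only successful AS exchanges count as "you authenticated"
        ts, client, ip, _ = rec
        summary[client]["logins"].append((ts, ip))
        if ip not in known_sources.get(client, set()) and ip not in summary[client]["new_sources"]:
            summary[client]["new_sources"].append(ip)
    return dict(summary)


def failing_sources(log_text, threshold=3):
    """Source addresses with at least `threshold` pre-auth failures: candidates for a fail2ban-style block."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_as_req(line)
        if rec and rec[3] == "PREAUTH_FAILED":
            counts[rec[2]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

In a real deployment the baseline would be each user's sources seen over the previous weeks, and the per-user summary (not the failure list) is what gets mailed to them.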