-
Notifications
You must be signed in to change notification settings - Fork 17
/
CHANGES
124 lines (83 loc) · 4.91 KB
/
CHANGES
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
Significant changes between 2.0.2 and 2.0.3.
Added Cygwin support.
Added pkg-config file.
Changed enforce=users to support "chpasswd" PAM service in addition to
traditionally supported "passwd".
Significant changes between 2.0.1 and 2.0.2.
Improved pam_passwdqc's auto-generated policy descriptions further, so
that lines are wrapped at a more consistent length.
Added the libpasswdqc(3) manual page and links to it for all functions
documented in there.
Added scripts to support Continuous Integration on GitHub (included in
the git repository, but excluded from release tarballs).
Significant changes between 2.0.0 and 2.0.1.
Improved pam_passwdqc's auto-generated policy descriptions, which were
slightly misformatted since the introduction of i18n support in 1.4.0.
Now they not only look prettier, but also make it clearer that the
mentioned lengths are merely the minimums and not the recommended ones.
Updated Russian translation for consistency with the above and to cover
messages added in 1.9.0+.
Increased maximum size of randomly-generated passphrases to 136 bits.
This was already the limit in the underlying API, but the tools' limit
was set to 85. This increase is to allow for a wider variety of use
cases for the tools.
In the Makefile, use CPPFLAGS and LDFLAGS consistently to be friendlier
to packaging by distros.
Added this file CHANGES based on two latest release announcements, and
started to maintain it.
Significant changes between 1.9.0 and 2.0.0.
Introduce and use passwdqc_params_free(). This is a minor addition to
the libpasswdqc API related to the addition of external files support.
Significant changes between 1.5.0 and 1.9.0.
Added support for external wordlist, denylist, and binary filter. With
these, passwdqc can be configured to deny passwords and passphrases that
are based on lines of a tiny external text file (the "wordlist" option),
directly appear in a tiny external text file (the "denylist" option),
or/and directly appear in a maybe huge binary filter file (the "filter"
option). While usage of larger external text files is inefficient, the
binary filters are very efficient.
The binary filters can be created and otherwise managed with the newly
added pwqfilter(1) program. It can create a binary filter from a list
of plaintexts or from MD4 or NTLM hashes. The latter are supported in a
way that enables importing of HIBP (Pwned Passwords) database revisions
into passwdqc binary filters. pwqfilter works on arbitrary plain text
strings or hex-encoded hashes, and it can also be reused in lieu of
grep(1) for many purposes, even unrelated to passphrases and security.
Merged changes needed for building with Visual Studio on Windows. This
includes a refactoring of the random passphrase generator code to make
it shared between platforms.
Significant changes between 1.4.1 and 1.5.0.
Updated the included wordlist to avoid some inappropriate words in
randomly generated passphrases while not removing any words from the
"word-based" check, and also to have plenty of extra words for
subsequent removal of more words that might be considered inappropriate
from the initial 4096 that are used for randomly generated passphrases.
Most of the added words came from EFF Diceware, BIP-0039, and our own
processing of Project Gutenberg Australia books.
Significant changes between 1.4.0 and 1.4.1.
Set default for "max" to 72 (was 40). The previous setting was based on
a reading of RFC 1939, which in practice did not matter. The new one is
based on bcrypt's truncation at 72, which actually still matters.
Documented "similar" in pwqcheck(1) help message and manual page. This
is a setting that was supported before and documented for other passwdqc
components before, but was apparently erroneously omitted from here.
Significant changes between 1.3.2 and 1.4.0.
Implemented i18n support in pam_passwdqc, contributed by Oleg Solovyov,
Andrey Cherepanov, and Dmitry V. Levin. The i18n support is off by
default, it can be enabled if Linux-PAM is built using --enable-nls
configure option.
Implemented audit support in pam_passwdqc, contributed by Oleg Solovyov
and Dmitry V. Levin. The audit support is off by default, it can be
enabled if Linux-PAM is built using --enable-audit configure option.
Both of these optional new features had been introduced and are enabled
in ALT Linux distributions, so this version is effectively upstreaming
the changes from there.
Significant changes between 1.3.1 and 1.3.2.
Compatibility for building with newer versions of glibc, where we now
have to define _DEFAULT_SOURCE for our use of crypt(3). The problem was
identified and this change tested by Dmitry V. Levin.
Clarified in the man pages that /etc/passwdqc.conf is not read unless
this suggested file location is specified with the config= option.
Clarified the OpenBSD configuration example.
Escape the minus sign in the OpenBSD configuration example to make the
man page linter happy, patch by Jackson Doak via Unit 193.