Provided by: krb5-strength_3.0-1_amd64 bug

NAME

       heimdal-history - Password history via Heimdal external strength checking

SYNOPSIS

       heimdal-history [-hmq] [-b target-time] [-d database]
           [-S length-stats-db] [-s strength-program] [principal]

DESCRIPTION

       heimdal-history is an implementation of password history via the Heimdal external password
       strength checking interface.  It stores separate history for each principal, hashed using
       Crypt::PBKDF2 with randomly-generated salt.  (The randomness is from a weak pseudorandom
       number generator, not strongly random.)

       Password history is stored in a BerkeleyDB DB_HASH file.  The key is the principal.  The
       value is a JSON array of objects, each of which has two keys.  "timestamp" contains the
       time when the history entry was added (in POSIX seconds since UNIX epoch), and "hash"
       contains the hash of a previously-used password in the Crypt::PBKDF2 LDAP-compatible
       format.  Passwords are hashed using PBKDF2 (from PKCS#5) with SHA-256 as the underlying
       hash function using a number of rounds configured in this script.  See Crypt::PBKDF2 for
       more information.

       heimdal-history also checks password strength before checking history.  It does so by
       invoking another program that also uses the Heimdal external password strength checking
       interface.  By default, it runs /usr/bin/heimdal-strength.  Only if that program approves
       the password does it hash it and check history.

       As with any implementation of the Heimdal external password strength checking protocol,
       heimdal-history expects, on standard input:

           principal: <principal>
           new-password: <password>
           end

       (with no leading whitespace).  <principal> is the principal changing its password (passed
       to the other password strength checking program but otherwise unused here), and <password>
       is the new password.  There must be exactly one space after the colon.  Any subsequent
       spaces are taken to be part of the principal or password.

       If invoked as root, heimdal-history will run the external strength checking program as
       user "nobody" and group "nogroup", and will check and write to the history database as
       user "_history" and group "_history".  These users must exist on the system if it is run
       as root.

       The result of each password check will be logged to syslog (priority LOG_INFO, facility
       LOG_AUTH).  Each log line will be a set of key/value pairs in the format "key=value".  The
       keys are:

       action
           The action performed (currently always "check").

       principal
           The principal for which a password was checked.

       error
           An internal error message that did not stop the history check, but which may indicate
           that something is wrong with the history database (such as corrupted entries or
           invalid hashes).  If this key is present, neither "result" nor "reason" will be
           present.  There will be a subsequent log message from the same invocation giving the
           final result of the history check (assuming heimdal-history doesn't exit with a fatal
           error).

       result
           Either "accepted" or "rejected".

       reason
           If the password was rejected, the reason for the rejection.

       The value will be surrounded with double quotes if it contains a double quote or space.
       Any double quotes in the value will be doubled, so """ becomes "".

OPTIONS

       -b target-time, --benchmark=target-time
           Do not do a password history check.  Instead, benchmark the hash algorithm with
           various possible iteration counts and find an iteration count that results in target-
           time seconds of computation time required to hash a password (which should be a real
           number).  A result will be considered acceptable if it is within 0.005 seconds of the
           target time.  The results will be printed to standard output and then heimdal-history
           will exit successfully.

       -d database, --database=database
           Use database as the history database file instead of the default
           (/var/lib/heimdal-history/history.db).  Primarily used for testing, since Heimdal
           won't pass this argument.

       -h, --help
           Print a short usage message and exit.

       -m, --manual, --man
           Display this manual and exit.

       -q, --quiet
           Suppress logging to syslog and only return the results on standard output and standard
           error.  Primarily used for testing, since Heimdal won't pass this argument.

       -S length-stats-db, --stats=length-stats-db
           Use length-stats-db as the database file for password length statistics instead of the
           default (/var/lib/heimdal-history/lengths.db).  Primarily used for testing, since
           Heimdal won't pass this argument.

       -s strength-program, --strength=strength-program
           Run strength-program as the external strength-checking program instead of the default
           (/usr/bin/heimdal-strength).  Primarily used for testing, since Heimdal won't pass
           this argument.

RETURN STATUS

       On approval of the password, heimdal-history will print "APPROVED" and a newline to
       standard output and exit with status 0.

       If the password is rejected by the strength checking program or if it (or a version with a
       single character removed) matches one of the hashes stored in the password history,
       heimdal-history will print the reason for rejection to standard error and exit with status
       0.

       On any internal error, heimdal-history will print the error to standard error and exit
       with a non-zero status.

FILES

       /usr/bin/heimdal-strength
           The default password strength checking program.  This program must follow the Heimdal
           external password strength checking API.

       /var/lib/heimdal-history/history.db
           The default database path.  If heimdal-strength is run as root, this file needs to be
           readable and writable by user "_history" and group "_history".  If it doesn't exist,
           it will be created with mode 0600.

       /var/lib/heimdal-history/history.db.lock
           The lock file used to synchronize access to the history database.  As with the history
           database, if heimdal-strength is run as root, this file needs to be readable and
           writable by user "_history" and group "_history".

       /var/lib/heimdal-history/lengths.db
           The default length statistics path, which will be a BerkeleyDB DB_HASH file of
           password lengths to counts of passwords with that length.  If heimdal-strength is run
           as root, this file needs to be readable and writable by user "_history" and group
           "_history".  If it doesn't exist, it will be created with mode 0600.

       /var/lib/heimdal-history/lengths.db.lock
           The lock file used to synchronize access to the length statistics database.  As with
           the length statistics database, if heimdal-strength is run as root, this file needs to
           be readable and writable by user "_history" and group "_history".

AUTHOR

       Russ Allbery <eagle@eyrie.org>

COPYRIGHT AND LICENSE

       Copyright 2013, 2014 The Board of Trustees of the Leland Stanford Junior University

       Permission is hereby granted, free of charge, to any person obtaining a copy of this
       software and associated documentation files (the "Software"), to deal in the Software
       without restriction, including without limitation the rights to use, copy, modify, merge,
       publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons
       to whom the Software is furnished to do so, subject to the following conditions:

       The above copyright notice and this permission notice shall be included in all copies or
       substantial portions of the Software.

       THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
       INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
       PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE
       FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
       OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
       DEALINGS IN THE SOFTWARE.

SEE ALSO

       Crypt::PBKDF2, heimdal-strength(1)