password_pwncheck v1.1.2 releases: Kerberos/Windows AD/Linux PAM password change check against breached lists
password_pwncheck
Enterprise Password Quality Checking using any hash data sources (HaveIBeenPwned lists, et al)
The purpose of this project is to help companies maintain a stronger password policy without having to jump through too many hoops. Currently, we support NIST 800-63B features such as testing the password against a long minimum length (default of 15), not matching previous passwords (or similar entries), and most important- the password can’t belong to a breach list.
The project consists of two parts:
- A password server – This is currently a fairly simple and easy to extend python script that contains all the logic for testing passwords.
- A password plugin client – There is work in the pipe for a Windows Password Filter DLL, a Kerberos module, and a PAM module. This should satisfy most modern enterprise extensible password management solutions. If you find this doesn’t support you than feel free to code and request a pull into the main project.
Changelog v1.1.2
- Fixed Kerberos url encoding issue- previously we had no or poor url encoding of Kerberos requests. Now we properly escape characters.
- Built a better test harness for debug testing
- MAKE SURE NOT TO USE DEBUG VERSION PRODUCTIONALLY!!!
Download
git clone https://github.com/CboeSecurity/password_pwncheck.git
Password Server
- The password server needs to have downloaded password hash lists provided to it. These should sit in the
./db
folder. A great place to start for your breached passwords is [https://haveibeenpwned.com/Passwords], Thanks to Troy Hunt for all his efforts (he is in large part the inspiration behind this project). - Also, make sure you have a valid key/certificate chain. These two files should have their paths matched with the
SSLCertFile
andSSLKeyFile
variables. - The code is written in python 2.7. You should be able to run it via
python-2.7 ./pwned-password-server.py
AD Password filter DLL
- From a Dev Studio command line, run
resbuilder.bat
from its directory in the ad-password-pwncheck project - Build the solution, specifically the
ad_password_pwncheck
project. - Copy the resulting ad_password_pwncheck.dll into the
%windir%\system32
folder on all domain controllers in the domain. - Run
wevtutil im Resources.man /rf:"%windir%\system32\ad_password_pwncheck.dll" /mf:"%windir%\system32\ad_password_pwncheck.dll"
to properly register windows event logs - Run the included registry file to enable registry settings
Kerberos filter DLL
- Run the
./build.sh
too, make sure openssl-devel and curl-devel modules are loaded in your SLES/RedHat/Debian derived distribution. - Copy the
/lib/security/krb_password_pwncheck.so
library to the Kerberos plugins/pwqual folder. - Configure the krb5.conf to have the correct path:
Copyright (c) 2018 Cboe Global Markets Security / Jan Grzymala-Busse
Source: https://github.com/CboeSecurity/