OnWorks favicon

heimdal-history - Online in the Cloud

Run heimdal-history in OnWorks free hosting provider over Ubuntu Online, Fedora Online, Windows online emulator or MAC OS online emulator

This is the command heimdal-history that can be run in the OnWorks free hosting provider using one of our multiple free online workstations such as Ubuntu Online, Fedora Online, Windows online emulator or MAC OS online emulator



heimdal-history - Password history via Heimdal external strength checking


heimdal-history [-hmq] [-b target-time] [-d database]
[-S length-stats-db] [-s strength-program] [principal]


heimdal-history is an implementation of password history via the Heimdal external password
strength checking interface. It stores separate history for each principal, hashed using
Crypt::PBKDF2 with randomly-generated salt. (The randomness is from a weak pseudorandom
number generator, not strongly random.)

Password history is stored in a BerkeleyDB DB_HASH file. The key is the principal. The
value is a JSON array of objects, each of which has two keys. "timestamp" contains the
time when the history entry was added (in POSIX seconds since UNIX epoch), and "hash"
contains the hash of a previously-used password in the Crypt::PBKDF2 LDAP-compatible
format. Passwords are hashed using PBKDF2 (from PKCS#5) with SHA-256 as the underlying
hash function using a number of rounds configured in this script. See Crypt::PBKDF2 for
more information.

heimdal-history also checks password strength before checking history. It does so by
invoking another program that also uses the Heimdal external password strength checking
interface. By default, it runs /usr/bin/heimdal-strength. Only if that program approves
the password does it hash it and check history.

As with any implementation of the Heimdal external password strength checking protocol,
heimdal-history expects, on standard input:

principal: <principal>
new-password: <password>

(with no leading whitespace). <principal> is the principal changing its password (passed
to the other password strength checking program but otherwise unused here), and <password>
is the new password. There must be exactly one space after the colon. Any subsequent
spaces are taken to be part of the principal or password.

If invoked as root, heimdal-history will run the external strength checking program as
user "nobody" and group "nogroup", and will check and write to the history database as
user "_history" and group "_history". These users must exist on the system if it is run
as root.

The result of each password check will be logged to syslog (priority LOG_INFO, facility
LOG_AUTH). Each log line will be a set of key/value pairs in the format "key=value". The
keys are:

The action performed (currently always "check").

The principal for which a password was checked.

An internal error message that did not stop the history check, but which may indicate
that something is wrong with the history database (such as corrupted entries or
invalid hashes). If this key is present, neither "result" nor "reason" will be
present. There will be a subsequent log message from the same invocation giving the
final result of the history check (assuming heimdal-history doesn't exit with a fatal

Either "accepted" or "rejected".

If the password was rejected, the reason for the rejection.

The value will be surrounded with double quotes if it contains a double quote or space.
Any double quotes in the value will be doubled, so """ becomes "".


-b target-time, --benchmark=target-time
Do not do a password history check. Instead, benchmark the hash algorithm with
various possible iteration counts and find an iteration count that results in target-
time seconds of computation time required to hash a password (which should be a real
number). A result will be considered acceptable if it is within 0.005 seconds of the
target time. The results will be printed to standard output and then heimdal-history
will exit successfully.

-d database, --database=database
Use database as the history database file instead of the default
(/var/lib/heimdal-history/history.db). Primarily used for testing, since Heimdal
won't pass this argument.

-h, --help
Print a short usage message and exit.

-m, --manual, --man
Display this manual and exit.

-q, --quiet
Suppress logging to syslog and only return the results on standard output and standard
error. Primarily used for testing, since Heimdal won't pass this argument.

-S length-stats-db, --stats=length-stats-db
Use length-stats-db as the database file for password length statistics instead of the
default (/var/lib/heimdal-history/lengths.db). Primarily used for testing, since
Heimdal won't pass this argument.

-s strength-program, --strength=strength-program
Run strength-program as the external strength-checking program instead of the default
(/usr/bin/heimdal-strength). Primarily used for testing, since Heimdal won't pass
this argument.


On approval of the password, heimdal-history will print "APPROVED" and a newline to
standard output and exit with status 0.

If the password is rejected by the strength checking program or if it (or a version with a
single character removed) matches one of the hashes stored in the password history,
heimdal-history will print the reason for rejection to standard error and exit with status

On any internal error, heimdal-history will print the error to standard error and exit
with a non-zero status.

Use heimdal-history online using onworks.net services

Free Servers & Workstations

Download Windows & Linux apps

  • 1
    Join us in Gitter!
    Enable the URPMS repository in your
    system -
    Download unitedrpms
  • 2
    Boost C++ Libraries
    Boost C++ Libraries
    Boost provides free portable
    peer-reviewed C++ libraries. The
    emphasis is on portable libraries which
    work well with the C++ Standard Library.
    See http://www.bo...
    Download Boost C++ Libraries
  • 3
    VirtualGL redirects 3D commands from a
    Unix/Linux OpenGL application onto a
    server-side GPU and converts the
    rendered 3D images into a video stream
    with which ...
    Download VirtualGL
  • 4
    Library to enable user space
    application programs to communicate with
    USB devices. Audience: Developers, End
    Users/Desktop. Programming Language: C.
    Download libusb
  • 5
    SWIG is a software development tool
    that connects programs written in C and
    C++ with a variety of high-level
    programming languages. SWIG is used with
    Download SWIG
  • 6
    WooCommerce Nextjs React Theme
    WooCommerce Nextjs React Theme
    React WooCommerce theme, built with
    Next JS, Webpack, Babel, Node, and
    Express, using GraphQL and Apollo
    Client. WooCommerce Store in React(
    contains: Products...
    Download WooCommerce Nextjs React Theme
  • 7
    Package repo for ArchLabs This is an
    application that can also be fetched
    It has been hosted in OnWorks in...
    Download archlabs_repo
  • More »

Linux commands