(heimdal.info.gz) Password changing
4.8 Password changing
=====================
To allow users to change their passwords, you should run `kpasswdd'.
It is not run from `inetd'.
You might need to add `kpasswd' to your `/etc/services' as `464/udp'.
4.8.1 Password quality assurance
--------------------------------
It is important that users have good passwords, both to make them harder
to guess and to resist off-line attacks (although pre-authentication
provides some defence against off-line attacks). To ensure that users
choose good passwords, you can enable password quality controls in
`kpasswdd' and `kadmind'. The controls themselves are implemented in a
shared library or an external program that is invoked by `kpasswdd'. To
configure these controls, add lines similar to the following to your
`/etc/krb5.conf':
[password_quality]
policies = external-check builtin:minimum-length module:policyname
external_program = /bin/false
policy_libraries = LIBRARY1.SO LIBRARY2.SO
In `[password_quality]policies' the module name is optional if the
policy name is unique in all modules (members of `policy_libraries').
The built-in policies are
* external-check
Executes the program specified by
`[password_quality]external_program'.
A number of key/value pairs are passed as input to the program,
one per line, ending with the string `end'. The key/value lines
are of the form
principal: PRINCIPAL
new-password: PASSWORD
where PASSWORD is the password to check for the previous PRINCIPAL.
If the external application approves the password, it should print
`APPROVED' on standard output and exit with exit code 0. If it does
not approve the password, it should print a one-line error message
explaining the problem on standard error and exit with exit code 0. In
case of a fatal error, the application should, if possible, print an
error message on standard error and exit with a non-zero exit code.
* minimum-length
The minimum length password quality check reads the configuration
file stanza `[password_quality]min_length' and requires the
password to be at least this length.
* character-class
The character-class password quality check reads the configuration
file stanza `[password_quality]min_classes'. The policy requires
the password to have characters from at least that many character
classes. Default value if not given is 3.
The four character classes are: uppercase letters, lowercase letters,
numbers, and special characters.
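The following is an added example of an `external-check' program that speaks the key/value protocol described above; it is not Heimdal's own `check-cracklib.pl'. The `MIN_LENGTH' value of 8 and the rule that the password must not contain the principal's first component are assumptions for illustration, and `MIN_CLASSES' follows the documented default of 3:

```python
"""Constructed example of a [password_quality] external-check program: reads
'key: value' lines ending with 'end' from stdin; prints APPROVED (stdout, exit 0)
or a one-line rejection reason (stderr, exit 0); exits non-zero on fatal error."""
import sys
MIN_LENGTH = 8   # assumed local policy; a real program would read krb5.conf
MIN_CLASSES = 3  # matches the documented character-class default

def parse_request(lines):
    """Parse key/value lines up to 'end' into a dict; raise ValueError (a fatal
    error) if a line is malformed or the 'end' terminator never arrives."""
    fields = {}
    for line in lines:
        line = line.rstrip("\n")
        if line == "end":
            return fields
        key, sep, value = line.partition(": ")
        if not sep:
            raise ValueError("malformed line: %r" % line)
        fields[key] = value
    raise ValueError("input not terminated by 'end'")

def count_classes(password):
    """Count the four documented classes present: upper, lower, number, special."""
    tests = (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum())
    return sum(any(test(c) for c in password) for test in tests)

def check_password(principal, password):
    """Return (approved, message) for the candidate password of principal."""
    name = principal.split("@")[0].split("/")[0].lower()  # assumed extra rule
    if len(password) < MIN_LENGTH:
        return False, "password is shorter than %d characters" % MIN_LENGTH
    if count_classes(password) < MIN_CLASSES:
        return False, "password needs characters from at least %d classes" % MIN_CLASSES
    if name and name in password.lower():
        return False, "password must not contain the principal name"
    return True, "APPROVED"

def main():
    try:
        request = parse_request(sys.stdin)
        principal, password = request["principal"], request["new-password"]
    except (ValueError, KeyError) as err:
        print("fatal: %s" % err, file=sys.stderr)
        return 1
    ok, message = check_password(principal, password)
    print(message, file=sys.stdout if ok else sys.stderr)
    return 0  # both APPROVED and rejection exit 0, per the protocol

if __name__ == "__main__":
    sys.exit(main())
```

Point `[password_quality]external_program' at this script and exercise it with `kadmin password-quality' before enabling it on the KDC.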
If you want to write your own shared object to check password policies,
see the manual page `kadm5_pwcheck(3)'.
Code for a password quality checking function that uses the cracklib
library can be found in `lib/kadm5/sample_password_check.c' in the
source code distribution. It requires that the cracklib library be
built with the patch available at
`ftp://ftp.pdc.kth.se/pub/krb/src/cracklib.patch'.
A sample policy external program is included in
`lib/kadm5/check-cracklib.pl'.
If no password quality checking function is configured, the only check
performed is that the password is at least six characters long.
To check the password policy settings, use the `password-quality'
command in the `kadmin' program. The password verification is
performed only locally, on the client. While testing the
`[password_quality]' stanza this way, it may be convenient to set the
environment variable `KRB5_CONFIG' to point to a test version of
`krb5.conf'.