(heimdal.info.gz) Password changing

Info Catalog (heimdal.info.gz) Remote administration (heimdal.info.gz) Setting up a realm (heimdal.info.gz) Testing clients and servers
 
 4.8 Password changing
 =====================
 
 To allow users to change their passwords, you should run `kpasswdd'.
 It is not run from `inetd'.
 
 You might need to add `kpasswd' to your `/etc/services' as `464/udp'.
 
 4.8.1 Password quality assurance
 --------------------------------
 
 It is important that users have good passwords, both to make them
 harder to guess and to resist off-line attacks (although
 pre-authentication provides some defence against off-line attacks).  To
 ensure that users choose good passwords, you can enable password
 quality controls in `kpasswdd' and `kadmind'.  The controls themselves
 are implemented in a shared library or an external program that is
 used by `kpasswdd'.  To configure these controls, add lines similar to
 the following to your `/etc/krb5.conf':
 
      [password_quality]
          policies = external-check builtin:minimum-length module:policyname
          external_program = /bin/false
          policy_libraries = LIBRARY1.SO LIBRARY2.SO
 
 In `[password_quality]policies' the module name is optional if the
 policy name is unique in all modules (members of `policy_libraries').
 
 The built-in policies are
 
    * external-check
 
      Executes the program specified by
      `[password_quality]external_program'.
 
      A number of key/value pairs are passed as input to the program,
      one per line, ending with the string `end'.  The key/value lines
      are of the form
           principal: PRINCIPAL
           new-password: PASSWORD
      where PASSWORD is the password to check for the previous PRINCIPAL.
 
      If the external application approves the password, it should print
      `APPROVED' on standard output and exit with exit code 0.  If it
      does not approve the password, it should print a one-line error
      message explaining the problem on standard error and exit with
      exit code 0.  In case of a fatal error, the application should, if
      possible, print an error message on standard error and exit with a
      non-zero exit code.
 
    * minimum-length
 
      The minimum length password quality check reads the configuration
      file stanza `[password_quality]min_length' and requires the
      password to be at least this length.
 
    * character-class
 
      The character-class password quality check reads the configuration
      file stanza `[password_quality]min_classes'. The policy requires
      the password to have characters from at least that many character
      classes. Default value if not given is 3.
 
      The four character classes are uppercase letters, lowercase
      letters, digits, and special characters.
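 The following program is an added illustration of the external-check
 protocol described above; it is not Heimdal's own `check-cracklib.pl'
 and is not part of the Heimdal distribution.  It reads the `key: value'
 lines up to the terminating `end', applies two constructed rules that
 mirror the built-in minimum-length and character-class policies (the
 limits 8 and 3 and the rule that the password must not contain the
 principal name are assumptions chosen for the example), and then
 answers with `APPROVED' on standard output, a one-line reason on
 standard error, or a non-zero exit code for a malformed request.
 Pointing `[password_quality]external_program' at this script is assumed
 to be how it would be wired in.

```python
#!/usr/bin/env python3
"""Example external password-quality program for Heimdal's
external-check policy (added illustration, not Heimdal's own code)."""
import sys

# Constructed policy parameters for this example (assumptions, not
# Heimdal defaults).
MIN_LENGTH = 8
MIN_CLASSES = 3


def parse_request(lines):
    """Parse the 'key: value' lines sent on standard input, stopping at
    the line 'end'.  Returns a dict; raises ValueError on bad input."""
    fields = {}
    for raw in lines:
        line = raw.rstrip("\n")
        if line == "end":
            return fields
        # Split on the first ': ' only, so a password containing ': '
        # is preserved intact.
        key, sep, value = line.partition(": ")
        if not sep:
            raise ValueError(f"malformed input line: {line!r}")
        fields[key] = value
    raise ValueError("input ended without the terminating 'end' line")


def character_classes(password):
    """Count the character classes present (uppercase, lowercase, digit,
    special), the same four classes the character-class policy uses."""
    present = set()
    for ch in password:
        if ch.isupper():
            present.add("upper")
        elif ch.islower():
            present.add("lower")
        elif ch.isdigit():
            present.add("digit")
        else:
            present.add("special")
    return len(present)


def check_password(principal, password):
    """Return None if the password is acceptable, otherwise a one-line
    reason suitable for standard error."""
    if len(password) < MIN_LENGTH:
        return f"password must be at least {MIN_LENGTH} characters long"
    if character_classes(password) < MIN_CLASSES:
        return f"password must use at least {MIN_CLASSES} character classes"
    # Constructed extra rule: reject passwords built from the user name.
    user = principal.split("@", 1)[0].lower()
    if user and user in password.lower():
        return "password must not contain the principal name"
    return None


def evaluate(lines):
    """Run the whole protocol on the given input lines and return
    (exit_code, stdout_text, stderr_text) exactly as the program emits
    them: APPROVED with exit 0, a reason on stderr with exit 0, or a
    fatal message with a non-zero exit code."""
    try:
        req = parse_request(lines)
        principal = req["principal"]
        password = req["new-password"]
    except ValueError as exc:
        return 1, "", f"fatal: {exc}\n"
    except KeyError as exc:
        return 1, "", f"fatal: missing field {exc}\n"
    reason = check_password(principal, password)
    if reason is None:
        return 0, "APPROVED\n", ""
    return 0, "", reason + "\n"


if __name__ == "__main__":
    code, out, err = evaluate(sys.stdin)
    sys.stdout.write(out)
    sys.stderr.write(err)
    sys.exit(code)
```

 Keeping the protocol handling in `evaluate' separate from the policy in
 `check_password' makes the verdict easy to unit-test without a running
 `kpasswdd', and the distinction between "rejected, exit 0" and
 "fatal, exit non-zero" matters: a script that crashes on odd input
 would otherwise be indistinguishable from one that rejected the
 password.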
 
 
 If you want to write your own shared object to check password policies,
 see the manual page `kadm5_pwcheck(3)'.
 
 Code for a password quality checking function that uses the cracklib
 library can be found in `lib/kadm5/sample_password_check.c' in the
 source code distribution.  It requires that the cracklib library be
 built with the patch available at
 `ftp://ftp.pdc.kth.se/pub/krb/src/cracklib.patch'.
 
 A sample policy external program is included in
 `lib/kadm5/check-cracklib.pl'.
 
 If no password quality checking function is configured, the only check
 performed is that the password is at least six characters long.
 
 To check the password policy settings, use the `password-quality'
 command in the `kadmin' program.  The password verification is
 performed only locally, on the client.  While testing the
 `[password_quality]' stanza this way, it may be convenient to set the
 environment variable `KRB5_CONFIG' to point to a test version of
 `krb5.conf'.
 