Question about cross-realm dictionaries and forcing passwords to be different for principals across different realms.

Kristian Kostecky kris at theendless.org
Tue Mar 30 20:05:03 EDT 2010



Hi,

I hope someone can help out here.  I've been playing around with this for a day and can't seem to think of a way to enforce that principals across two realms (served by the same kerberos server) are not allowed to use the same passwords.  I know this isn't a supported feature, but if there is a way to do it that I'm missing please help me out.  Here's my situation and what I want to happen ideally and what I've tried:

I have two realms with the same user/instance in each.  Obviously they are different principals as the realms are different, but you get the idea.  They work independently.  However, the whole point of this exercise is to enforce that the user in each realm never picks the same password for both realms.  This isn't inherently supported, but I can think of a few ways to do this, i.e. create different password policies on each that force the user to pick a password of a certain length of characters.  However, this still won't ensure that kerberos does its usual password variation check against both realms.

I thought of dumping the db, modifying the realm aspect of the principal and loading it into a different db/realm, then setting all the principals to force a password reset, in an effort to save the previous passwords that the user has picked and prevent them from using them.  However, when I change the domain/realm in the dump file and try to import it, I get an error:

./tmp(2): cannot read extra data contents
unknown record type "M" on line 2
load: error processing line 2 of ./tmp
load: Kerberos version 5 release 1.3 restore failed

Obviously there is some sort of encrypted data that doesn't match the clear text data or some CRC checking of sorts, so modifying the dump files and importing them with new realm info doesn't work.

I don't believe there is a way to decrypt all the user passwords and stick them in a dictionary file either.  I have the master key obviously, but I don't know if that helps decrypt them.  However, I'm under the impression that this should be possible as kerberos uses the user's key to hash the data it sends across the network.

Any help in this regard would be appreciated.

Kris.

PGP Key: 4CC63A18
PGP Server: pool.sks-keyservers.net

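Worked example added here (not part of the thread) showing why the KDC cannot compare passwords across realms: with the AES enctypes (RFC 3962) the stored key is derived from the password by PBKDF2-HMAC-SHA1 over a salt that, by default (RFC 4120), is the realm name followed by the principal's name components, so the same password in two realms produces two different keys, and neither key can be turned back into the password. Only the PBKDF2 stage is shown (the final DK step needs AES); the principals and the password are constructed, and the RFC 3962 appendix B vector is used as a self-check.

```python
import hashlib

# RFC 3962 default iteration count for the AES string-to-key function.
DEFAULT_ITERATIONS = 4096


def default_salt(principal: str) -> bytes:
    """Default Kerberos salt for 'name/instance@REALM' (RFC 4120):
    the realm followed by each name component, with no separators."""
    name, _, realm = principal.rpartition("@")
    if not realm:
        raise ValueError("principal must include a realm")
    return (realm + "".join(name.split("/"))).encode()


def pbkdf2_tkey(password: str, principal: str,
                iterations: int = DEFAULT_ITERATIONS, keylen: int = 16) -> bytes:
    """Password-derived key material (RFC 3962 section 4), before DK().
    One-way: a KDC that holds this value cannot recover the password."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(),
                               default_salt(principal), iterations, keylen)


def same_password_same_key(password: str, principal_a: str, principal_b: str) -> bool:
    """True only if the two principals would store identical key material."""
    return pbkdf2_tkey(password, principal_a) == pbkdf2_tkey(password, principal_b)


def rfc3962_vector_ok() -> bool:
    """Self-check against RFC 3962 appendix B (iteration count 1)."""
    tkey = pbkdf2_tkey("password", "raeburn@ATHENA.MIT.EDU", iterations=1)
    return tkey.hex() == "cdedb5281bb2f801565a1122b2563515"


if __name__ == "__main__":
    # Constructed example: the same user name and password in two realms.
    pw = "constructed-password"
    for p in ("kris@REALM.A", "kris@REALM.B"):
        print(p, "salt=", default_salt(p), "tkey=", pbkdf2_tkey(pw, p).hex())
    print("keys identical across realms:",
          same_password_same_key(pw, "kris@REALM.A", "kris@REALM.B"))
    print("RFC 3962 vector ok:", rfc3962_vector_ok())
```

Because the salt differs per realm, a history or dictionary check in one realm has nothing it can match against the other realm's stored keys, which is the limitation the post runs into.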