kadmin-remctl 3.4 released

Russ Allbery rra at stanford.edu
Wed Jul 10 23:31:17 EDT 2013


I'm pleased to announce release 3.4 of kadmin-remctl.

kadmin-remctl provides a remctl backend that implements basic Kerberos
account administration functions (create, delete, enable, disable, reset
password, examine) plus user password changes and a call to strength-check
a given password.  It can also provide similar management of instances and
creation, deletion, and management of accounts in Heimdal, MIT Kerberos,
Active Directory, and an AFS kaserver where appropriate.  Also included is
a client for privileged users to use for password resets and a simple
client for password changes via the Kerberos password change protocol.
Many of the defaults and namespace checks are Stanford-specific, but it
can be modified for other sites.

Changes from previous release:

    Set the disallow-svr flag on all newly-created principals.  This
    prohibits obtaining service tickets for the principal, which provides
    some hardening against brute force attacks.  Since the create command
    is designed for creation of user principals, not service principals,
    and use of service tickets for user principals is quite obscure and
    rare in Kerberos, this seems like a better default.

    Change the default allowed principal regex to allow two-character user
    principals.  This is just a default and can be overridden by setting
    the allowed key in the configuration.

You can download it from:

    <http://www.eyrie.org/~eagle/software/kadmin-remctl/>

This package is maintained using Git; see the instructions on the above
page to access the Git repository.

Please let me know of any problems or feature requests not already listed
in the TODO file.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
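
Added example (not part of the original announcement and not kadmin-remctl code): a defender-side check that lists plain user principals that do not carry the disallow-svr flag described above. It assumes principal listings with "Principal:" and "Attributes:" lines as printed by MIT `kadmin getprinc`; the sample text, realm, and function names are constructed for illustration.

```python
import re

# Constructed sample, modelled on the "Principal:" / "Attributes:" lines of
# MIT `kadmin getprinc` output (other fields omitted). Not real data.
SAMPLE = """\
Principal: alice@EXAMPLE.ORG
Attributes: REQUIRES_PRE_AUTH DISALLOW_SVR
Principal: bob@EXAMPLE.ORG
Attributes: REQUIRES_PRE_AUTH
Principal: host/www.example.org@EXAMPLE.ORG
Attributes:
Principal: cj@EXAMPLE.ORG
Attributes: disallow-svr, requires-pre-auth
"""

FIELD = re.compile(r"^\s*(Principal|Attributes):\s*(.*)$")

def parse_principals(text):
    """Return {principal: set of normalized attribute names}."""
    result, current = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Principal":
            current = value.strip()
            result[current] = set()
        elif current is not None:
            # Normalize DISALLOW_SVR and disallow-svr to one spelling.
            names = re.split(r"[,\s]+", value.strip())
            result[current] |= {n.lower().replace("_", "-") for n in names if n}
    return result

def users_missing_disallow_svr(text):
    """Plain user principals (no '/' instance part) lacking disallow-svr."""
    missing = []
    for princ, attrs in parse_principals(text).items():
        name = princ.split("@", 1)[0]
        if "/" in name:
            continue  # service and instance principals are out of scope here
        if "disallow-svr" not in attrs:
            missing.append(princ)
    return sorted(missing)

if __name__ == "__main__":
    for princ in users_missing_disallow_svr(SAMPLE):
        print("missing disallow-svr:", princ)
```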

