Options for enforcing password policies

Jason Edgecombe jason at rampaginggeek.com
Wed May 22 20:53:12 EDT 2013

On 05/22/2013 01:15 PM, Russ Allbery wrote:
> Dagobert Michelsen <dam at opencsw.org> writes:
>> Am 22.05.2013 um 15:41 schrieb "Edgecombe, Jason" <jwedgeco at uncc.edu>:
>>> * passwords may not contain certain characters, like unicode or some
>>> ACSII characters
>> To my knowledge this is not possible, but I also don't see a reason to
>> limit it.
> If users try to use Unicode characters, they potentially get into Unicode
> normalization problems, which can leave them unable to type their password
> in the form that the Kerberos KDC expects it even if the password they're
> typing looks the same on their entry device.  I don't think Kerberos has
> defined a standard normalization that would affect the kpasswd /
> string-to-key layer yet, although some protocols that can use Kerberos for
> password verification define a normalization at a higher level.
> Some control characters can create problems because they can be entered on
> some devices and not on others.
> In both cases, this is a user support issue.  There's no real security
> issue from choosing such passwords, but the user may be unable to enter it
> again later, which prompts calls to the Help Desk, help in resetting
> passwords, etc.
Can I set which character classes must be used?

On Linux & windows, how are users notified that their password is about 
to expire?
How can you do this on windows when the passwords in a different realm 
with cross-realm trust? (i.e. windows is part of an AD domain that 
trusts our MIT KDC).


More information about the Kerberos mailing list