Options for enforcing password policies

Jason Edgecombe jason at rampaginggeek.com
Wed May 22 20:53:12 EDT 2013


On 05/22/2013 01:15 PM, Russ Allbery wrote:
> Dagobert Michelsen <dam at opencsw.org> writes:
>> Am 22.05.2013 um 15:41 schrieb "Edgecombe, Jason" <jwedgeco at uncc.edu>:
>>> * passwords may not contain certain characters, like Unicode or some
>>> ASCII characters
>> To my knowledge this is not possible, but I also don't see a reason to
>> limit it.
> If users try to use Unicode characters, they potentially get into Unicode
> normalization problems, which can leave them unable to type their password
> in the form that the Kerberos KDC expects it even if the password they're
> typing looks the same on their entry device.  I don't think Kerberos has
> defined a standard normalization that would affect the kpasswd /
> string-to-key layer yet, although some protocols that can use Kerberos for
> password verification define a normalization at a higher level.
>
> Some control characters can create problems because they can be entered on
> some devices and not on others.
>
> In both cases, this is a user support issue.  There's no real security
> issue from choosing such passwords, but the user may be unable to enter it
> again later, which prompts calls to the Help Desk, help in resetting
> passwords, etc.
>
Can I set which character classes must be used?

On Linux & Windows, how are users notified that their password is about
to expire?
How can you do this on Windows when the passwords are in a different realm
with cross-realm trust? (i.e. Windows is part of an AD domain that
trusts our MIT KDC).

Thanks,
Jason
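The normalization problem Russ describes in the quoted reply, as an added example that is not code from this thread or from MIT Kerberos: the same visible password arrives from two devices as two different code-point sequences (precomposed NFC versus decomposed NFD), and because string-to-key works on the raw bytes the KDC derives two different keys. The `string_to_key` function here is a stand-in (PBKDF2-HMAC-SHA1 over the UTF-8 bytes, with a made-up salt), not an actual Kerberos enctype; `normalize_for_kdc` and `problematic_characters` are hypothetical helpers illustrating the kind of client-side normalization and character screening a site might bolt on in front of kpasswd.

```python
import hashlib
import unicodedata

# Constructed sample: one password, typed on two devices that emit
# different but visually identical Unicode forms.
PASSWORD_NFC = "caf\u00e9"    # 'e' with acute as one code point (U+00E9)
PASSWORD_NFD = "cafe\u0301"   # 'e' followed by combining acute (U+0301)

# Assumed salt; a real Kerberos salt is realm + principal components.
EXAMPLE_SALT = b"EXAMPLE.ORGjason"


def string_to_key(password: str, salt: bytes = EXAMPLE_SALT) -> bytes:
    """Stand-in for a Kerberos string-to-key function.

    Assumption: like the RFC 3962 AES enctypes, the real function starts
    from PBKDF2 over the UTF-8 encoding of the password, so the derived key
    depends on the exact byte sequence, not on how the string looks.
    """
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, 4096, 16)


def looks_the_same(a: str, b: str) -> bool:
    """True if the two strings render identically (equal after NFC)."""
    return unicodedata.normalize("NFC", a) == unicodedata.normalize("NFC", b)


def keys_match(a: str, b: str) -> bool:
    """True if the KDC would derive the same key from both strings."""
    return string_to_key(a) == string_to_key(b)


def normalize_for_kdc(password: str) -> str:
    """Hypothetical client-side fix: pick one normalization form (NFC here)
    before the password ever reaches string-to-key, so every device sends
    the same bytes.  Kerberos itself does not mandate this."""
    return unicodedata.normalize("NFC", password)


def problematic_characters(password: str) -> list:
    """Hypothetical policy screen for the support problems mentioned in the
    thread: control characters (cannot be typed on every device) and
    non-ASCII characters (subject to normalization differences).

    Returns a list of (index, 'U+XXXX', reason) tuples; empty means clean.
    """
    findings = []
    for i, ch in enumerate(password):
        code = "U+%04X" % ord(ch)
        if unicodedata.category(ch) == "Cc":
            findings.append((i, code, "control character"))
        elif ord(ch) > 0x7F:
            findings.append((i, code, "non-ASCII"))
    return findings


if __name__ == "__main__":
    print("same on screen:", looks_the_same(PASSWORD_NFC, PASSWORD_NFD))
    print("same key:      ", keys_match(PASSWORD_NFC, PASSWORD_NFD))
    print("same key after normalizing:",
          keys_match(normalize_for_kdc(PASSWORD_NFC),
                     normalize_for_kdc(PASSWORD_NFD)))
    print("policy findings:", problematic_characters(PASSWORD_NFD))
    print("policy findings:", problematic_characters("pass\x08word"))
```

Run stand-alone, the script shows the two forms compare equal on screen, derive different keys, and derive the same key once both sides normalize to NFC; the screening helper flags the combining mark in the NFD form and the backspace in the second sample. Whether to reject such characters or to normalize them is a local policy choice; the thread's point is only that doing neither leaves the user unable to reproduce the password.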

