Key history with LDAP backend?
Greg Hudson
ghudson at mit.edu
Tue Nov 4 13:05:07 EST 2014
On 11/04/2014 12:54 PM, Andreas Ntaflos wrote:
> Hi,
>
> I see that the "-history" option for "add_policy" (in kadmin) is not
> supported when using the LDAP backend for Kerberos [1].
We expect to have this implemented for 1.14 (see
https://github.com/krb5/krb5/pull/132 ) but for now that is true.
> Is there *any* other way to ensure a user doesn't use one of his
> previous four keys when changing passwords and the Kerberos database is
> in LDAP?
You could write a password quality plugin module (see
http://web.mit.edu/kerberos/krb5-latest/doc/plugindev/index.html ) and
maintain your own database of password hashes. You might use
http://www.eyrie.org/~eagle/software/krb5-strength/
as a starting point; it contains password history functionality, but
doesn't provide it for use with MIT krb5.
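As an added illustration, not code from this thread, from MIT krb5 or from krb5-strength, here is the history check such a password quality module would delegate to: a per-principal ring of the last four salted password hashes. The store is in memory so the example runs stand-alone, and it assumes the caller records the new password only after the change has actually succeeded.

```python
import hashlib
import hmac
import os
from collections import deque
from typing import Deque, Dict, Tuple

HISTORY_DEPTH = 4        # "previous four keys", as asked in the thread
PBKDF2_ROUNDS = 50_000   # assumed cost; tune for the KDC's hardware


class PasswordHistory:
    """Per-principal ring of (salt, digest) pairs for the last N passwords.

    Assumed design for the private history database the module keeps;
    a real module would persist this, keyed by principal name.
    """

    def __init__(self, depth: int = HISTORY_DEPTH) -> None:
        self.depth = depth
        self._store: Dict[str, Deque[Tuple[bytes, bytes]]] = {}

    @staticmethod
    def _digest(password: str, salt: bytes) -> bytes:
        # Slow, salted hash so the history file is not a cheap crack target.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   salt, PBKDF2_ROUNDS)

    def check(self, principal: str, password: str) -> bool:
        """True if the password is acceptable, i.e. not among the last N."""
        for salt, digest in self._store.get(principal, ()):
            if hmac.compare_digest(self._digest(password, salt), digest):
                return False
        return True

    def record(self, principal: str, password: str) -> None:
        """Call only after the password change succeeded; oldest entry drops."""
        ring = self._store.setdefault(principal, deque(maxlen=self.depth))
        salt = os.urandom(16)
        ring.append((salt, self._digest(password, salt)))


def change_password(history: PasswordHistory, principal: str, new_pw: str) -> bool:
    """Model of the pwqual check followed by a successful change."""
    if not history.check(principal, new_pw):
        return False
    history.record(principal, new_pw)
    return True
```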