Key history with LDAP backend?

Greg Hudson ghudson at mit.edu
Tue Nov 4 13:05:07 EST 2014


On 11/04/2014 12:54 PM, Andreas Ntaflos wrote:
> Hi,
> 
> I see that the "-history" option for "add_policy" (in kadmin) is not
> supported when using the LDAP backend for Kerberos [1].

We expect to have this implemented for 1.14 (see
https://github.com/krb5/krb5/pull/132 ) but for now that is true.

> Is there *any* other way to ensure a user doesn't use one of his
> previous four keys when changing passwords and the Kerberos database is
> in LDAP?

You could write a password quality plugin module (see
http://web.mit.edu/kerberos/krb5-latest/doc/plugindev/index.html ) and
maintain your own database of password hashes.  You might use
http://www.eyrie.org/~eagle/software/krb5-strength/
as a starting point; it contains password history functionality, but
doesn't provide it for use with MIT krb5.
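The per-principal hash store that a password quality module would need, as an added example in Python for illustration; it is not code from MIT krb5, from the krb5-strength package, or from this thread. It assumes the module's check callback is handed the principal name and the cleartext candidate password at change time (the pwqual interface does supply both) and consults a store like this one before kadmind writes the new key to LDAP. The class, function and constant names below are hypothetical.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Hypothetical cost factor for the stored hashes (not a krb5 setting).
PBKDF2_ITERATIONS = 100_000


class PasswordHistory:
    """Keeps the last `depth` passwords per principal as salted PBKDF2 hashes.

    The KDC's own keys are derived with a principal-specific salt and are not
    comparable across changes, so a history check has to keep its own record
    of what was set, hashed with a fresh random salt per entry.
    """

    def __init__(self, depth: int = 4) -> None:
        self.depth = depth
        # principal -> list of (salt, digest), oldest first
        self._entries: Dict[str, List[Tuple[bytes, bytes]]] = {}

    @staticmethod
    def _digest(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
        )

    def check(self, principal: str, password: str) -> Optional[str]:
        """Return None if the password is acceptable, else a rejection reason."""
        for salt, digest in self._entries.get(principal, []):
            # Recompute with the entry's own salt; constant-time compare.
            if hmac.compare_digest(self._digest(password, salt), digest):
                return "password matches one of the last %d passwords" % self.depth
        return None

    def record(self, principal: str, password: str) -> None:
        """Append the newly set password and drop entries beyond `depth`."""
        salt = os.urandom(16)
        history = self._entries.setdefault(principal, [])
        history.append((salt, self._digest(password, salt)))
        del history[:-self.depth]  # no-op while the list is still short

    def count(self, principal: str) -> int:
        return len(self._entries.get(principal, []))


def change_password(history: PasswordHistory, principal: str,
                    password: str) -> Tuple[bool, str]:
    """Hypothetical change flow in the order a pwqual module sees it:
    check first, record only after the KDC has accepted the new key."""
    reason = history.check(principal, password)
    if reason is not None:
        # A real module would return an error such as KADM5_PASS_REUSE here.
        return False, reason
    # ... kadmind stores the new key in the LDAP backend at this point ...
    history.record(principal, password)
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: one principal cycling through passwords.
    store = PasswordHistory(depth=4)
    princ = "alice@EXAMPLE.COM"
    for pw in ["winter-2013", "spring-2014", "summer-2014", "autumn-2014"]:
        print(pw, change_password(store, princ, pw))
    print("reuse:", change_password(store, princ, "winter-2013"))
```

The store above lives in memory; a module used with kadmind would persist the (salt, digest) pairs, for example in a file owned by the kadmind user, and would prune per principal exactly as `record` does so that the fifth change frees the oldest password again.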

