cpw ignoring password policies

Greg Hudson ghudson at mit.edu
Thu Aug 13 11:35:59 EDT 2020


On 8/13/20 1:51 AM, Dario García Díaz-Miguel wrote:
> I can change the password of the principal with that policy applied at any time, despite the minimum password life described.

That's true.  The kadmin server code deliberately only checks the
minimum life if a principal is changing its own password.

> Also I'm able to apply old passwords and the history is not being respected, but I'm afraid that's the expected behavior because of the LDAP database module.

Right, LDAP password history is implemented in release 1.15 but not in 1.12.

> I understand that cpw is more like the administration password changing tool, and in order to be able to change the password whenever the system administrator requires it, the minimum password life is not being applied.
> But then, any ideas about how we could proceed?

I guess you could print a kadmin ticket for the user from the KDB and
then authenticate with it:

    kinit -k -c somefilename -t KDB: -S kadmin/admin username
    kadmin -c somefilename -q "cpw -pw password username"

kinit -t KDB: support was added in release 1.9, so should be available.
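
An added example, not part of the original message or of MIT krb5: a wrapper around the two commands above that uses a throwaway credential cache and lets kadmin prompt for the new password instead of passing it with `-pw`, which keeps it out of the process list. The names `self_cpw`, `run` and `DRY_RUN` are invented here, and the script assumes it runs on the KDC host with read access to the database, as `kinit -t KDB:` requires.

```shell
#!/bin/sh
# Added example: the user authenticates to kadmin as themselves, so the
# change counts as a self-service change and the policy's minimum life
# is checked by the server.

run() {
    # With DRY_RUN=1, print the command instead of executing it.
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

self_cpw() {
    user=$1
    # The name is embedded in the kadmin -q query string, so accept only
    # characters that belong in a principal name.
    case $user in
        ''|*[!A-Za-z0-9._/@-]*)
            echo "self_cpw: bad principal name" >&2
            return 2 ;;
    esac

    # Private directory (mode 0700) holding a one-off ccache.
    ccdir=$(mktemp -d) || return 1
    cc=$ccdir/cc
    rc=0

    # 1. Get a kadmin/admin ticket for the user from the KDB keys.
    # 2. Change the password as that user; cpw without -pw prompts.
    run kinit -k -c "$cc" -t KDB: -S kadmin/admin "$user" &&
        run kadmin -c "$cc" -q "cpw $user" || rc=$?

    # Remove the ticket whether or not the change succeeded.
    rm -rf "$ccdir"
    return $rc
}

# Stand-alone use: ./self_cpw.sh username
if [ "$#" -gt 0 ]; then
    self_cpw "$1"
fi
```

Running it with `DRY_RUN=1` prints the two commands without touching the KDC.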

