(heimdal.info) Password changing
Password changing
=================
To allow users to change their passwords, you should run `kpasswdd'.
It is not run from `inetd'.

You might need to add `kpasswd' to your `/etc/services' as 464/udp.
Password quality assurance
--------------------------
It is important that users have good passwords, both to make it harder
to guess them and to avoid off-line attacks (pre-authentication provides
some defense against off-line attacks). To ensure that the users choose
good passwords, you can enable password quality controls in `kpasswdd'.
The checks themselves are implemented in a shared library that is used by
`kpasswdd'. To configure these controls, add lines similar to the
following to your `/etc/krb5.conf':

     [password_quality]
             check_library = LIBRARY
             check_function = FUNCTION

The function FUNCTION in the shared library LIBRARY will be called for
proposed new passwords. The function should be declared as:

     const char *
     function(krb5_context context, krb5_principal principal, krb5_data *pwd);

The function should verify that PWD is a good password for PRINCIPAL
and if so return `NULL'. If it is deemed to be of low quality, it
should return a string explaining why that password should not be used.
Code for a password quality checking function that uses the cracklib
library can be found in `lib/kadm5/sample_password_check.c' in the
source code distribution. It requires the cracklib library built with
the patch available at
<ftp://ftp.pdc.kth.se/pub/krb/src/cracklib.patch>.
If no password quality checking function is configured, the only check
is that the new password is at least six characters long.
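
The following is an added example, not code from the Heimdal distribution: a
small checker with the signature described above that returns `NULL' to accept
a password or an explanatory string to reject it. The name
`site_password_check', the two policy constants, the `HAVE_HEIMDAL_KRB5' macro
and the stand-in typedefs (used only so the file compiles without the Kerberos
headers) are assumptions.

```c
#include <ctype.h>
#include <stddef.h>

#ifdef HAVE_HEIMDAL_KRB5         /* hypothetical macro: build with real headers */
#include <krb5.h>
#else                            /* stand-in types so this file compiles alone */
typedef void *krb5_context;
typedef void *krb5_principal;
typedef struct { size_t length; void *data; } krb5_data;
#endif

#define MIN_LENGTH  10           /* assumed site policy, not a Heimdal default */
#define MIN_CLASSES 3            /* assumed site policy, not a Heimdal default */

/* Returns NULL to accept PWD, or a static string saying why it is rejected. */
const char *
site_password_check(krb5_context context, krb5_principal principal,
                    krb5_data *pwd)
{
    const unsigned char *p;
    size_t i;
    int lower = 0, upper = 0, digit = 0, other = 0;

    (void)context;               /* unused in this example */
    (void)principal;             /* unused in this example */

    if (pwd == NULL || pwd->data == NULL)
        return "No password supplied";
    if (pwd->length < MIN_LENGTH)
        return "Password is too short";

    /* krb5_data carries an explicit length, so the loop is bounded by it
     * instead of relying on a NUL terminator. */
    p = pwd->data;
    for (i = 0; i < pwd->length; i++) {
        if (iscntrl(p[i]))       /* also catches an embedded NUL byte */
            return "Password contains a control character";
        if (islower(p[i]))      lower = 1;
        else if (isupper(p[i])) upper = 1;
        else if (isdigit(p[i])) digit = 1;
        else                    other = 1;
    }
    if (lower + upper + digit + other < MIN_CLASSES)
        return "Password needs more kinds of characters";
    return NULL;
}
```

Built as a shared library, this function would be named in `[password_quality]'
as `check_function = site_password_check', with `check_library' set to the
path of that library.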