[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Many questions regarding [password_quality]



Hi,

I'm having a hard time understanding how the
password_policy syntax must be written. I hope you
could help me.

In the documentation(0.7.2):
_____________________________________
"To configure in these controls, add lines similar to
the following to your `/etc/krb5.conf':"

[password_quality]
   policies = external-check builtin:minimum-length   
     module:policyname
   external_program = /bin/false
   policy_libraries = LIBRARY1.SO LIBRARY2.SO
__________________________________________

It's kind of confusing to me, specially the first line
(policies = ...), lots of confusing keywords
("builtin", "module", "policyname") yet very little
explanation. I'm guessing that I would put here the
list of policies I want to implement so for
[password_quality]policies, I put:

policies =
external-check:minimum-length:character-class

Are these correct, or should it be,
"external_program", "min_length", "min_classes"???


then to support those policies, I would add these
following lines:

external_program =
/usr/local/heimdal/bin/check-cracklib.pl
min_length = 10
min_classes = 4

Are those last two lines correct or should it be
"minimum-length" and "character-classes"... either
way, I got this after running verify_krb5_conf:

verify_krb5_conf: /password_quality/min_length:
unknown or wrong type
verify_krb5_conf: /password_quality/min_classes:
unknown or wrong type


google brought me here:
http://www.stacken.kth.se/lists/heimdal-discuss/2005-06/msg00102.html

.. but i'm not sure what it does (seems like a patch
to krb5.conf manual...)

What's more confusing is how will I ever make the
cracklib to work with this external program such as
that of check-cracklib.pl... The documentation says
that in order to use the sample library provided in
the source (sample_password_check.c) as well as the
example policy external program(check_cracklib.pl),
they require cracklib library built with the
cracklib.patch found in ftp.pdc.. The box is running
FreeBSD6.1, cracklib2.7 is installable via ports
however, I'm not really sure how to patch the cracklib
source.. if I manually patch and build and  install
the cracklib2.7, no crack.h or packer.h(required by
check-cracklib.pl) gets installed (only the 3 files
pw_dict.hwm    pw_dict.pwd pw_dict.pwi) unlike when
installing via ports system.

Now I have an installation of Cracklib2.7 but without
that patch found in ftp.pdc.. I just hope it would
work correctly with check-cracklib.pl...:-(
Not sure either how to test this...

Lastly, on my old working heimdal0.7.1, when I run pwq
on a principal while on the kadmin prompt, and pass it
let's say a short password, it says:
kadmin> pwq jay mypass
kadmin: kadm5_check_password_quality: Password too
short

Now, on my new installation heimdal0.7.2, it says:
kadmin: kadm5_check_password_quality: failed to find
password verifier function

I'm not sure what configure option I missed when I
started building the source to enable this password
verifier... 

My goal really is to have a good quality password for
every user by enforcing min-length, classes as well as
having kadmind use the cracklib..


Thanks
-jay









__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com