On 05/22/2013 01:15 PM, Russ Allbery wrote: > Dagobert Michelsen <d...@opencsw.org> writes: >> Am 22.05.2013 um 15:41 schrieb "Edgecombe, Jason" <jwedg...@uncc.edu>: >>> * passwords may not contain certain characters, like unicode or some >>> ACSII characters >> To my knowledge this is not possible, but I also don't see a reason to >> limit it. > If users try to use Unicode characters, they potentially get into Unicode > normalization problems, which can leave them unable to type their password > in the form that the Kerberos KDC expects it even if the password they're > typing looks the same on their entry device. I don't think Kerberos has > defined a standard normalization that would affect the kpasswd / > string-to-key layer yet, although some protocols that can use Kerberos for > password verification define a normalization at a higher level. > > Some control characters can create problems because they can be entered on > some devices and not on others. > > In both cases, this is a user support issue. There's no real security > issue from choosing such passwords, but the user may be unable to enter it > again later, which prompts calls to the Help Desk, help in resetting > passwords, etc. > Can I set which character classes must be used?
On Linux & windows, how are users notified that their password is about to expire? How can you do this on windows when the passwords in a different realm with cross-realm trust? (i.e. windows is part of an AD domain that trusts our MIT KDC). Thanks, Jason ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos