Re: Options for enforcing password policies

2013-05-22 Thread Russ Allbery
Jason Edgecombe  writes:

> On Linux & Windows, how are users notified that their password is about 
> to expire?

Kerberos supports, in the protocol, a field in the Kerberos KDC reply
saying when the keys for the principal (aka the password) will expire (and
when the principal will expire if the whole principal has an expiration
date set).  I believe both MIT Kerberos and Active Directory set it and
Heimdal doesn't, although I'm not positive about the last.

With MIT Kerberos, the client is then supposed to call
krb5_get_init_creds_opt_set_expire_callback to set a callback that will
receive the password and account expiration times along with some other
information.  I believe that the MIT kinit implementation does this.  My
PAM module and k5start do *not* do this (because I only found out about
this facility in the last month).

It looks like Heimdal handles the password expiration display internally
(configured with warn_pwexpire) rather than exposing a callback to the
client of the library, which means that you always get the warning if you
configure a prompter (which PAM and k5start do), but you don't have
application control over it.

I'm not sure if MIT displays the expiration warning by default if no
callback is set.  (I'd check, but I'm feeling lazy at the moment.)

> How can you do this on Windows when the passwords are in a different realm 
> with cross-realm trust? (i.e. Windows is part of an AD domain that 
> trusts our MIT KDC).

All of the above should work through cross-realm scenarios.

-- 
Russ Allbery (r...@stanford.edu) 

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Re: Options for enforcing password policies

2013-05-22 Thread Jason Edgecombe
On 05/22/2013 01:15 PM, Russ Allbery wrote:
> Dagobert Michelsen  writes:
>> Am 22.05.2013 um 15:41 schrieb "Edgecombe, Jason" :
>>> * passwords may not contain certain characters, like unicode or some
>>> ASCII characters
>> To my knowledge this is not possible, but I also don't see a reason to
>> limit it.
> If users try to use Unicode characters, they potentially get into Unicode
> normalization problems, which can leave them unable to type their password
> in the form that the Kerberos KDC expects it even if the password they're
> typing looks the same on their entry device.  I don't think Kerberos has
> defined a standard normalization that would affect the kpasswd /
> string-to-key layer yet, although some protocols that can use Kerberos for
> password verification define a normalization at a higher level.
>
> Some control characters can create problems because they can be entered on
> some devices and not on others.
>
> In both cases, this is a user support issue.  There's no real security
> issue from choosing such passwords, but the user may be unable to enter it
> again later, which prompts calls to the Help Desk, help in resetting
> passwords, etc.
>
Can I set which character classes must be used?

On Linux & Windows, how are users notified that their password is about 
to expire?
How can you do this on Windows when the passwords are in a different realm 
with cross-realm trust? (i.e. Windows is part of an AD domain that 
trusts our MIT KDC).

Thanks,
Jason



Re: Options for enforcing password policies

2013-05-22 Thread Russ Allbery
Dagobert Michelsen  writes:
> Am 22.05.2013 um 15:41 schrieb "Edgecombe, Jason" :

>> * passwords may not contain certain characters, like unicode or some
>> ASCII characters

> To my knowledge this is not possible, but I also don't see a reason to
> limit it.

If users try to use Unicode characters, they potentially get into Unicode
normalization problems, which can leave them unable to type their password
in the form that the Kerberos KDC expects it even if the password they're
typing looks the same on their entry device.  I don't think Kerberos has
defined a standard normalization that would affect the kpasswd /
string-to-key layer yet, although some protocols that can use Kerberos for
password verification define a normalization at a higher level.

Some control characters can create problems because they can be entered on
some devices and not on others.

In both cases, this is a user support issue.  There's no real security
issue from choosing such passwords, but the user may be unable to enter it
again later, which prompts calls to the Help Desk, help in resetting
passwords, etc.

-- 
Russ Allbery (r...@stanford.edu) 

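A concrete illustration of the normalization problem Russ describes, added here as an example (it is not code from the thread, from MIT Kerberos or from Heimdal): two passwords that render identically on screen, one typed in precomposed (NFC) form and one in decomposed (NFD) form, are different UTF-8 byte strings and therefore derive different keys. The derivation is modelled on the first step of the RFC 3962 aes string-to-key, PBKDF2-HMAC-SHA1 with the realm and principal name as salt and 4096 iterations; the final DK step is left out, and the realm and principal name are made up for the example.

```python
"""Why a Unicode password can stop working on another device (added example).

The same-looking password in NFC and NFD form is two different byte strings,
so the KDC-side key and the key a client derives on another device need not
match. The derivation below follows the first step of the RFC 3962 aes
string-to-key (PBKDF2-HMAC-SHA1, salt = realm + principal, 4096 iterations);
the final DK("kerberos") step is omitted, and REALM/PRINCIPAL are invented.
"""
import hashlib
import unicodedata

REALM = "EXAMPLE.COM"        # assumed realm
PRINCIPAL = "jason"          # assumed principal name
# Default Kerberos salt: realm name followed by the principal name components.
DEFAULT_SALT = (REALM + PRINCIPAL).encode("utf-8")


def string_to_key(password: str, salt: bytes = DEFAULT_SALT) -> bytes:
    """PBKDF2-HMAC-SHA1 over the UTF-8 bytes of the password (16-byte key)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, 4096, dklen=16)


def keys_by_normalization(password: str) -> dict[str, bytes]:
    """Derive the key from each Unicode normalization form of the password."""
    return {form: string_to_key(unicodedata.normalize(form, password))
            for form in ("NFC", "NFD")}


def same_key_everywhere(password: str) -> bool:
    """True only if every normalization form of the password yields one key."""
    return len(set(keys_by_normalization(password).values())) == 1


def control_characters(password: str) -> list[str]:
    """Control characters in the password, the case Russ raises for devices
    that cannot enter them; named where Unicode has a name, else U+XXXX."""
    return [unicodedata.name(ch, f"U+{ord(ch):04X}")
            for ch in password if unicodedata.category(ch) == "Cc"]


if __name__ == "__main__":
    # Both render as "café-secret"; the first uses U+00E9, the second e + U+0301.
    precomposed = "caf\u00e9-secret"
    decomposed = "cafe\u0301-secret"
    print("bytes equal:", precomposed.encode() == decomposed.encode())
    print("keys equal: ", string_to_key(precomposed) == string_to_key(decomposed))
    for pw in ("correct-horse-battery", precomposed):
        print(f"{pw!r}: stable across NFC/NFD = {same_key_everywhere(pw)}")
    print("control chars in 'pass\\x07word':", control_characters("pass\x07word"))
```

Normalizing on the client (for instance to NFC before both kpasswd and kinit) makes the two forms agree, but only if every client that ever handles the password applies the same form, which is exactly the standard the string-to-key layer does not specify.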


Re: Options for enforcing password policies

2013-05-22 Thread Dagobert Michelsen
Hi Jason,

Am 22.05.2013 um 15:41 schrieb "Edgecombe, Jason" :
> What options are available for enforcing password policies for an MIT 
> Kerberos realm?

This is documented here:
  
http://web.mit.edu/kerberos/krb5-devel/doc/admin/admin_commands/kadmin_local.html#add-policy

> The passwords policies would:
> * passwords must be a minimum length

This would be -minlength

> * passwords must contain at least one upper case letter, lowercase letter, 
> number, and a special character.

This is similar to -minclasses

> * passwords may not contain certain characters, like unicode or some ASCII 
> characters

To my knowledge this is not possible, but I also don't see a reason to limit it.

> * password must expire every X days and be changed. How would Linux & windows 
> clients handle that?

This is -maxlife

> * the previous X passwords may not be reused.

This is -history


Best regards

  -- Dago


-- 
"You don't become great by trying to be great, you become great by wanting to
do something, and then doing it so hard that you become great in the process." - xkcd #896
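An added example modelling the add_policy options Dago lists (this is not code from the thread or from MIT Kerberos; it reproduces the documented semantics of -minlength, -minclasses, -history and -maxlife so a candidate password can be checked before it is sent to kpasswd). The character classes are the five MIT counts: lower case, upper case, digits, punctuation, and whitespace/unprintable. That is why -minclasses is only similar to the requested upper/lower/digit/special rule: a password containing a space but no punctuation satisfies -minclasses 4. Assumptions: SHA-256 of the password stands in for the salted keys the KDC really keeps in the history, the history count includes the current password, and the policy name `users` and the numeric values are made up.

```python
"""Model of MIT Kerberos password-policy checks (added example, not MIT code).

Reproduces the semantics of the kadmin add_policy options discussed in the
thread. Character classes follow the MIT kadmin documentation: lower case,
upper case, digits, punctuation, and whitespace/unprintable (five classes).
Assumed: SHA-256 of the password stands in for the salted keys the KDC keeps
in the password history, and the history count includes the current password.
"""
import hashlib
import shlex
import string
from dataclasses import dataclass

ASCII_PUNCT = set(string.punctuation)


def char_classes(password: str) -> set[str]:
    """Return the set of MIT character classes present in the password."""
    classes: set[str] = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in ASCII_PUNCT:
            classes.add("punct")
        else:
            # whitespace, control characters and non-ASCII all count as "other"
            classes.add("other")
    return classes


@dataclass
class Policy:
    name: str
    minlength: int = 1
    minclasses: int = 1
    history: int = 1          # keys kept per principal, current password included
    maxlife: str = "0"        # kadmin duration string such as "90d"; "0" = never

    def kadmin_command(self) -> str:
        """The kadmin.local invocation that creates this policy."""
        query = (f"add_policy -minlength {self.minlength} "
                 f"-minclasses {self.minclasses} -history {self.history} "
                 f"-maxlife {self.maxlife} {self.name}")
        return "kadmin.local -q " + shlex.quote(query)


def _digest(password: str) -> str:
    # Stand-in for the salted Kerberos keys stored in the real history.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(policy: Policy, password: str, previous: list[str]) -> list[str]:
    """Return the policy violations for `password` (empty list = accepted).

    `previous` is the password history, oldest first, current password last.
    """
    problems: list[str] = []
    if len(password) < policy.minlength:
        problems.append(f"shorter than minlength {policy.minlength}")
    classes = char_classes(password)
    if len(classes) < policy.minclasses:
        problems.append(f"only {len(classes)} of minclasses {policy.minclasses} "
                        f"character classes present: {sorted(classes)}")
    remembered = [_digest(p) for p in previous[-policy.history:]] if policy.history > 0 else []
    if _digest(password) in remembered:
        problems.append(f"reused one of the last {policy.history} passwords")
    return problems


# Policy approximating the requested rules: 12+ characters, four of the five
# classes, last five passwords remembered, 90-day lifetime (values assumed).
POLICY = Policy("users", minlength=12, minclasses=4, history=5, maxlife="90d")


if __name__ == "__main__":
    print(POLICY.kadmin_command())
    history = ["Correct-Horse-1", "Battery-Staple-2"]   # current password last
    for candidate in ("Abcdefghijk1",       # lower, upper, digit: 3 classes
                      "abcdefgHIJ 12",      # the space is a class: passes with no punctuation
                      "Battery-Staple-2",   # current password, so in the history
                      "Correct-Horse-3!"):  # accepted
        print(f"{candidate!r}: {check_password(POLICY, candidate, history) or 'ok'}")
```

The -maxlife part of the policy is enforced by the KDC through the key expiration it sets on the principal, so it has no client-side check here; what the clients do with that expiration is the question Jason raises in the later message.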


Options for enforcing password policies

2013-05-22 Thread Edgecombe, Jason
Hi everyone,

What options are available for enforcing password policies for an MIT Kerberos 
realm?

The passwords policies would:
* passwords must be a minimum length
* passwords must contain at least one upper case letter, lowercase letter, 
number, and a special character.
* passwords may not contain certain characters, like unicode or some ASCII 
characters
* password must expire every X days and be changed. How would Linux & Windows 
clients handle that?
* the previous X passwords may not be reused.

I'm looking to satisfy most, if not all, of these requirements.

Any guidance is appreciated.

Thanks,
Jason

---
Jason Edgecombe | Linux and Solaris Administrator
UNC Charlotte | The William States Lee College of Engineering
9201 University City Blvd. | Charlotte, NC 28223-0001
Phone: 704-687-1943
jwedg...@uncc.edu | http://coe.uncc.edu |  Facebook
---