Re: Key history with LDAP backend?
daemon@ATHENA.MIT.EDU (Greg Hudson)
Tue Nov 4 13:05:27 2014
Message-ID: <54591553.1030001@mit.edu>
Date: Tue, 04 Nov 2014 13:05:07 -0500
From: Greg Hudson <ghudson@mit.edu>
MIME-Version: 1.0
To: Andreas Ntaflos <daff@pseudoterminal.org>, kerberos@mit.edu
In-Reply-To: <545912C2.9090600@pseudoterminal.org>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On 11/04/2014 12:54 PM, Andreas Ntaflos wrote:
> Hi,
>
> I see that the "-history" option for "add_policy" (in kadmin) is not
> supported when using the LDAP backend for Kerberos [1].
We expect to have this implemented for 1.14 (see
https://github.com/krb5/krb5/pull/132 ) but for now that is true.
> Is there *any* other way to ensure a user doesn't use one of his
> previous four keys when changing passwords and the Kerberos database is
> in LDAP?
You could write a password quality plugin module (see
http://web.mit.edu/kerberos/krb5-latest/doc/plugindev/index.html ) and
maintain your own database of password hashes. You might use
http://www.eyrie.org/~eagle/software/krb5-strength/
as a starting point; it contains password history functionality, but
doesn't provide it for use with MIT krb5.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
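As an added example (not code from this thread, from MIT krb5 or from krb5-strength), here is the history check that such a password quality module would perform, modelled in Python: a per-principal store of salted PBKDF2 hashes of the last four passwords, a check step that rejects any match, and a record step run after a successful change. The principal names, the in-memory dict standing in for the module's own database, and the PBKDF2 parameters are all assumptions.

```python
import hashlib
import hmac
import os

HISTORY_DEPTH = 4  # "previous four keys" from the question


class PasswordHistory:
    """Per-principal salted hashes of past passwords (constructed example).

    The dict stands in for whatever store the module would keep; it is
    not an MIT krb5 or krb5-strength data structure.
    """

    def __init__(self, depth=HISTORY_DEPTH, iterations=100_000):
        self.depth = depth
        self.iterations = iterations
        self._hist = {}  # principal -> list of (salt, digest), newest last

    def _digest(self, password, salt):
        # Each entry has its own random salt, so a reuse check must
        # re-derive the candidate against every stored entry.
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, self.iterations
        )

    def check(self, principal, new_password):
        """The module's check step: True if the password may be used."""
        for salt, digest in self._hist.get(principal, []):
            if hmac.compare_digest(self._digest(new_password, salt), digest):
                return False  # matches one of the last `depth` passwords
        return True

    def record(self, principal, new_password):
        """Run once the change is known to have succeeded; keeps `depth`."""
        salt = os.urandom(16)
        entries = self._hist.setdefault(principal, [])
        entries.append((salt, self._digest(new_password, salt)))
        del entries[:-self.depth]  # drop everything older than the last N


def change_password(history, principal, new_password):
    """Reject reuse, otherwise accept and remember the new password."""
    if not history.check(principal, new_password):
        return False
    history.record(principal, new_password)
    return True
```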