[4672] in Kerberos
Re: Software for front-end to kerberos database
daemon@ATHENA.MIT.EDU (David Mazieres)
Thu Feb 23 03:58:54 1995
To: kerberos@MIT.EDU
Date: 23 Feb 1995 07:51:19 GMT
From: dm@das.harvard.edu (David Mazieres)
In article <3igjgm$ldr@griffin.itc.gu.edu.au>,
Rex Baker <rex@kraken.itc.gu.edu.au> wrote:
>Hi,
>
>I have been playing around with Kerberos for a while
>and was wondering if anyone has written any software
>to do either or both of the following.
>
>1. A front end to the password allocation to ensure
>that more secure guidelines are used when choosing
>a password, such as: at least 8 characters long, a mixture
>of alpha and numeric characters.
>
>2. A program similar to "crack" which can check Kerberos
>passwords against dictionaries to ensure that easily
>"guessable" passwords haven't been chosen.

Actually, you can do better than crack since the password
hashing doesn't use a salt (99% sure--someone care to prove
me wrong?). Thus, you should be able to check all passwords
at once.

The Cygnus version of Kerberos IV (CNS) comes with a utility
called "build_pwfile". This creates a database of encrypted
bad passwords from a dictionary you supply. Then, if you
start kadmind with the -F (fascist) password changing option,
it will reject bad passwords. If you don't use -F, it will
still warn users about bad passwords.

I'm not sure if this comes with vanilla MIT Kerberos IV or
not. If not, the CNS sources are free--you can modify them
to work in your environment.

David
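
As an added illustration (not part of the original post, and not code from CNS or MIT Kerberos), the sketch below shows the two ideas in this thread: a change-time filter in the spirit of build_pwfile, and a one-pass audit that works only when the key derivation takes no per-user salt. SHA-256 truncated to 8 bytes is a stand-in for the real string-to-key, and all function names and sample data are constructed.

```python
import hashlib

def unsalted_key(password: str) -> bytes:
    # Stand-in for an unsalted string-to-key: the output depends on the
    # password only. This is NOT the real Kerberos IV algorithm.
    return hashlib.sha256(password.encode("utf-8")).digest()[:8]

def build_bad_key_set(words):
    """Hash every dictionary word once (the role build_pwfile plays)."""
    return {unsalted_key(w.strip()) for w in words if w.strip()}

def check_new_password(password, bad_keys):
    """Return the reasons to reject a new password; empty means acceptable."""
    reasons = []
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if not (has_alpha and has_digit):
        reasons.append("not a mixture of alpha and numeric characters")
    if unsalted_key(password) in bad_keys:
        reasons.append("found in bad-password dictionary")
    return reasons

def audit_principals(principal_keys, bad_keys):
    """Flag principals whose stored key matches a dictionary word.

    With no salt this is one set lookup per principal. With a per-user
    salt the whole dictionary would have to be rehashed for every user.
    """
    return sorted(p for p, k in principal_keys.items() if k in bad_keys)

# Constructed sample data (hypothetical principals and dictionary).
DICTIONARY = ["password", "kerberos", "athena", "letmein1", "dragon99"]
BAD_KEYS = build_bad_key_set(DICTIONARY)
PRINCIPALS = {
    "alice": unsalted_key("letmein1"),
    "bob": unsalted_key("t7Qmz4rXw2"),
    "carol": unsalted_key("athena"),
}

if __name__ == "__main__":
    for candidate in ["athena", "letmein1", "t7Qmz4rXw2"]:
        print(candidate, check_new_password(candidate, BAD_KEYS) or "ok")
    print("weak principals:", audit_principals(PRINCIPALS, BAD_KEYS))
```
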