[1656] in Kerberos_V5_Development
Re: default dictionary file?
daemon@ATHENA.MIT.EDU (Jeff Bigler)
Wed Aug 28 18:24:13 1996
Date: Wed, 28 Aug 1996 18:24:27 -0400
To: bjaspan@MIT.EDU
Cc: krbdev@MIT.EDU
In-Reply-To: <9608281953.AA18296@DUN-DUN-NOODLES.MIT.EDU> (bjaspan@MIT.EDU)
Reply-To: jcb@MIT.EDU
From: Jeff Bigler <jcb@MIT.EDU>
> From: bjaspan@MIT.EDU
> Date: Wed, 28 Aug 1996 15:50:20 -0400
>
> kadmind currently considers a dictionary file to be optional. If no
> dictionary file is specified, it does not complain and simply does not
> perform a dictionary check when a password is changed. If a
> dictionary file is specified but the file itself does not exist,
> kadmind syslogs a warning at startup but continues to operate.
>
> So, now I am implementing the new default semantics for kadm5
> configuration parameters. Questions: (1) Should there be a default
> dictionary file, thus eliminating the possibility that no dictionary
> is ever specified (because the default will be filled in if none is)?
> and (2) should kadmind fail or just log a warning if the specified
> dictionary file does not exist?
>
> Barry
IMO, the primary advantage to having a default dictionary is because
this reduces the effort barrier to using one. If all someone has to do
is put any words he doesn't want people to use as passwords into a
particular file, he'll be more likely to do so than if he has to create
the file manually and put the appropriate entry in kdc.conf.
> Date: Wed, 28 Aug 1996 16:23:54 EDT
> From: Ezra Peisach <epeisach@MIT.EDU>
>
>
> I would think that if a sysadmin said that there is a dictionary and none is
> present, then the system should scream loudly and not start up as it
> increases the potential for someone to choose a poor password.
I agree with this.
> Of course, what should be the action if the system starts up, then the
> sysadmin deletes the dictionary - should kadmin not allow a password
> file change?
>
> Ezra
The question is how bad is it for someone to be able to choose a bad
password because of a sysadmin glitch? Whether we like it or not, one
reason some people install Kerberos is to give their users the
convenience of not having to remember/type several passwords. In an
installation where this is the driving force behind installing Kerberos
and they don't care much about the security aspects, the sysadmin might
not care if someone has an insecure password. OTOH, in a
security-conscious installation, it's a serious concern. The compromise
that occurs to me is a compile-time flag that can be overridden by an
entry in kdc.conf, and/or an argument to kadmind. If the flag were set
to "require", kadmin would refuse a password change if the dictionary
file were missing. If it were set to "warn", kadmin would allow the
password change, but would print a warning to syslog, and possibly
stderr as well. If the flag were not set, kadmin would allow the
password change and not complain. I think the default state of such a
flag should be "warn".
Jeff Bigler
