Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

pwqual builtin plugins not working

17 views
Skip to first unread message

David Shrimpton

unread,
May 15, 2013, 12:58:06 AM5/15/13
to kerb...@mit.edu
Adding "princ" and "dict" pwqual plugin settings to krb5.conf
and a dict_file setting to realm in realms section of kdc.conf
and restarting kdc and kadmind on MIT 1.11 kerberos installation
doesn't appear to stop the principal name or dictionary words
being set as password using 'kadmin cpw'

eg krb5.conf

[plugins]
pwqual = {
disable = empty
enable_only = princ
enable_only = dict
}

Using "enable_only = empty" or "disable = empty"
does however control whether an empty password can be set.

Is there some other configuration or compilation
setting that is needed to enable the princ and dict builtin plugins ?

Greg Hudson

unread,
May 15, 2013, 1:34:43 AM5/15/13
to David Shrimpton, kerb...@mit.edu
On 05/15/2013 12:58 AM, David Shrimpton wrote:
> Adding "princ" and "dict" pwqual plugin settings to krb5.conf

Built-in modules are always registered and don't need to be specifically
enabled, though they can be disabled. That could probably be made
clearer in the documentation.

> doesn't appear to stop the principal name or dictionary words
> being set as password using 'kadmin cpw'

For consistency with historical behavior, the princ and dict modules
only apply to principals with a password policy. It doesn't matter
what's in the policy object, just that the association is there.

0 new messages