
Options for enforcing password policies


Edgecombe, Jason

May 22, 2013, 9:41:20 AM
to kerb...@mit.edu
Hi everyone,

What options are available for enforcing password policies for an MIT kerberos realm?

The password policies would:
* passwords must be a minimum length
* passwords must contain at least one upper case letter, lowercase letter, number, and a special character.
* passwords may not contain certain characters, like Unicode or some ASCII characters
* password must expire every X days and be changed. How would Linux & Windows clients handle that?
* the previous X passwords may not be reused.

I'm looking to satisfy most, if not all, of these requirements.

Any guidance is appreciated.

Thanks,
Jason

---------------------------------------------------------------------------
Jason Edgecombe | Linux and Solaris Administrator
UNC Charlotte | The William States Lee College of Engineering
9201 University City Blvd. | Charlotte, NC 28223-0001
Phone: 704-687-1943
jwed...@uncc.edu | http://coe.uncc.edu | Facebook
---------------------------------------------------------------------------
If you are not the intended recipient of this transmission or a person responsible for delivering it to the intended recipient, any disclosure, copying, distribution, or other use of any of the information in this transmission is strictly prohibited. If you have received this transmission in error, please notify me immediately by reply e-mail or by telephone at 704-687-1943. Thank you.



Dagobert Michelsen

May 22, 2013, 9:58:07 AM
to Edgecombe, Jason, kerb...@mit.edu
Hi Jason,

On 22.05.2013 at 15:41, "Edgecombe, Jason" <jwed...@uncc.edu> wrote:
> What options are available for enforcing password policies for an MIT kerberos realm?

This is documented here:
http://web.mit.edu/kerberos/krb5-devel/doc/admin/admin_commands/kadmin_local.html#add-policy

> The passwords policies would:
> * passwords must be a minimum length

This would be -minlength

> * passwords must contain at least one upper case letter, lowercase letter, number, and a special character.

This is similar to -minclasses

> * passwords may not contain certain characters, like Unicode or some ASCII characters

To my knowledge this is not possible, but I also don't see a reason to limit it.

> * password must expire every X days and be changed. How would Linux & windows clients handle that?

This is -maxlife

> * the previous X passwords may not be reused.

This is -history


Best regards

-- Dago


--
"You don't become great by trying to be great, you become great by wanting to do something,
and then doing it so hard that you become great in the process." - xkcd #896


Russ Allbery

May 22, 2013, 1:15:51 PM
to kerb...@mit.edu
Dagobert Michelsen <d...@opencsw.org> writes:
> On 22.05.2013 at 15:41, "Edgecombe, Jason" <jwed...@uncc.edu> wrote:

>> * passwords may not contain certain characters, like Unicode or some
>> ASCII characters

> To my knowledge this is not possible, but I also don't see a reason to
> limit it.

If users try to use Unicode characters, they potentially get into Unicode
normalization problems, which can leave them unable to type their password
in the form that the Kerberos KDC expects it even if the password they're
typing looks the same on their entry device. I don't think Kerberos has
defined a standard normalization that would affect the kpasswd /
string-to-key layer yet, although some protocols that can use Kerberos for
password verification define a normalization at a higher level.

Some control characters can create problems because they can be entered on
some devices and not on others.

In both cases, this is a user support issue. There's no real security
issue from choosing such passwords, but the user may be unable to enter it
again later, which prompts calls to the Help Desk, help in resetting
passwords, etc.

--
Russ Allbery (r...@stanford.edu) <http://www.eyrie.org/~eagle/>
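Added example, not part of this thread and not MIT krb5 code: a small local pre-check that mirrors the kadmin add_policy parameters Dago lists (-minlength, -minclasses, -history, -maxlife) and also flags the Unicode and control-character cases Russ describes as a support problem. The five character classes follow the kadmin documentation (lower, upper, digit, punctuation, other), but the Python predicates used here are only an approximation of the KDC's own C-locale classification; the policy name "users" and the numeric values are constructed for illustration, and -history is shown only in the generated command because the KDC alone holds the previous keys needed to enforce it.

```python
"""Local password-policy pre-check modelled on kadmin add_policy parameters.
Added example: not MIT krb5 code. Class definitions approximate the documented
five kadmin classes; policy values and the policy name are constructed."""
import shlex
import string
import unicodedata
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    name: str                 # kadmin policy name (constructed: "users")
    minlength: int = 12       # add_policy -minlength
    minclasses: int = 3       # add_policy -minclasses (1..5)
    history: int = 5          # add_policy -history; enforced only by the KDC
    maxlife: str = "90 days"  # add_policy -maxlife, a kadmin duration string


def character_classes(password: str) -> set:
    """Return the subset of kadmin's five classes present in the password."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("punct")
        else:
            classes.add("other")  # whitespace and anything unclassified
    return classes


def portability_issues(password: str) -> list:
    """Characters that may not be typeable, or may normalize differently,
    on another client: the support problem Russ describes, not a KDC rule."""
    issues = []
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in password):
        issues.append("contains control characters")
    if any(ord(ch) > 0x7E for ch in password):
        issues.append("contains non-ASCII characters")
        # A decomposed sequence (e.g. e + combining acute) looks identical to
        # the precomposed form but is a different string to string-to-key.
        if unicodedata.normalize("NFC", password) != password:
            issues.append("not in NFC form; may differ across input methods")
    return issues


def check_password(password: str, policy: PasswordPolicy) -> list:
    """Return a list of violations; an empty list means the password passes."""
    violations = []
    if len(password) < policy.minlength:
        violations.append(f"shorter than {policy.minlength} characters")
    used = character_classes(password)
    if len(used) < policy.minclasses:
        violations.append(
            f"uses {len(used)} character classes, need {policy.minclasses}")
    violations.extend(portability_issues(password))
    return violations


def kadmin_add_policy_command(policy: PasswordPolicy) -> str:
    """The kadmin.local command that creates the matching policy on the KDC."""
    return " ".join([
        "add_policy",
        "-minlength", str(policy.minlength),
        "-minclasses", str(policy.minclasses),
        "-history", str(policy.history),
        "-maxlife", shlex.quote(policy.maxlife),
        shlex.quote(policy.name),
    ])


if __name__ == "__main__":
    users = PasswordPolicy(name="users")
    print(kadmin_add_policy_command(users))
    for candidate in ["short", "correcthorsebatterystaple",
                      "CorrectHorse42!", "p\u00e4ssw\u00f6rd12345A!"]:
        print(repr(candidate), check_password(candidate, users) or "ok")
```

The generated add_policy line is what you would run in kadmin.local; the policy then has to be attached to principals (addprinc -policy or modprinc -policy), since a policy that exists but is not assigned enforces nothing. Note that kadmin's -minclasses only counts how many of the five classes appear; it cannot require that specific classes (say, both a digit and punctuation) be present, which is why the thread answers that requirement with "similar to".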

Jason Edgecombe

May 22, 2013, 8:53:12 PM
to kerb...@mit.edu
Can I set which character classes must be used?

On Linux & Windows, how are users notified that their password is about
to expire?
How can you do this on Windows when the passwords are in a different realm
with cross-realm trust? (i.e. Windows is part of an AD domain that
trusts our MIT KDC).

Thanks,
Jason

Russ Allbery

May 22, 2013, 9:08:18 PM
to kerb...@mit.edu
Jason Edgecombe <ja...@rampaginggeek.com> writes:

> On Linux & Windows, how are users notified that their password is about
> to expire?

Kerberos supports, in the protocol, a field in the Kerberos KDC reply
saying when the keys for the principal (aka the password) will expire (and
when the principal will expire if the whole principal has an expiration
date set). I believe both MIT Kerberos and Active Directory set it and
Heimdal doesn't, although I'm not positive about the last.

With MIT Kerberos, the client is then supposed to call
krb5_get_init_creds_opt_set_expire_callback to set a callback that will
receive the password and account expiration times along with some other
information. I believe that the MIT kinit implementation does this. My
PAM module and k5start do *not* do this (because I only found out about
this facility in the last month).

It looks like Heimdal handles the password expiration display internally
(configured with warn_pwexpire) rather than exposing a callback to the
client of the library, which means that you always get the warning if you
configure a prompter (which PAM and k5start do), but you don't have
application control over it.

I'm not sure if MIT displays the expiration warning by default if no
callback is set. (I'd check, but I'm feeling lazy at the moment.)

> How can you do this on Windows when the passwords are in a different realm
> with cross-realm trust? (i.e. Windows is part of an AD domain that
> trusts our MIT KDC).

All of the above should work through cross-realm scenarios.