dictionary password screening problem - Kerberos

  1. dictionary password screening problem

    Hi All-

    I'm having this weird issue that I'm hoping someone can shed some light
    on. I've got a dictionary file of words I want to keep from being used
    in passwords but I can't seem to get it to work. This is what's in my
    kdc.conf file:

    -----
    [kdcdefaults]
    acl_file = /var/kerberos/krb5kdc/kadm5.acl
    dict_file = /var/kerberos/krb5kdc/kadm5.dict
    admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
    v4_mode = nopreauth

    [realms]
    REALM.COM = {
    #master_key_type = des3-hmac-sha1
    supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
    dict_file = /var/kerberos/krb5kdc/kadm5.dict
    }

    [logging]
    kdc = FILE:/var/log/kdc.log
    admin_server = FILE:/var/log/kadmin.log
    -----

    My kadm5.dict file is like 40MB big, but it's just a list of single
    words, one on each line of the file, nothing special. I do have
    policies in place, and they work fine, they just don't stop passwords
    with dictionary words in them. For instance, 'horse78$' works, but the
    'horse' part should make it reject, if I understand this correctly?

    Can anyone maybe see something I'm missing?

    Thanks in advance!
    -erich
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: dictionary password screening problem

    Erich Weiler writes:

    > My kadm5.dict file is like 40MB big, but it's just a list of single
    > words, one on each line of the file, nothing special. I do have
    > policies in place, and they work fine, they just don't stop passwords
    > with dictionary words in them. For instance, 'horse78$' works, but the
    > 'horse' part should make it reject, if I understand this correctly?


    My understanding is that the built-in dictionary checks only stop
    passwords that are, in their entirety, dictionary words, not any password
    that contains a dictionary word.

    --
    Russ Allbery (rra@stanford.edu)
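
The distinction drawn in the reply above, as an added example that is not part of the original thread and is not MIT Kerberos code: a whole-password dictionary check accepts 'horse78$', while a substring check flags it. The word list, the function names, case-insensitive matching and the minimum word length of 4 are assumptions of this example.

```python
# Added example: whole-password vs. substring dictionary screening.
# SAMPLE_DICT is constructed sample data, not a real kadm5.dict.
SAMPLE_DICT = """\
horse
password
kerberos
a
he
"""

# Assumption: ignore very short words, otherwise entries such as "a" or "he"
# would reject almost every password under substring screening.
MIN_WORD_LEN = 4


def load_words(text):
    """Parse a one-word-per-line dictionary into a lowercase set."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def is_whole_word(password, words):
    """True only if the entire password is a dictionary word
    (the behaviour described in the reply)."""
    return password.lower() in words


def contained_words(password, words, min_len=MIN_WORD_LEN):
    """Return dictionary words of at least min_len found anywhere in password.

    Enumerates the password's substrings and looks each one up in the set, so
    the cost depends on password length, not on the size of the dictionary.
    """
    pw = password.lower()
    found = set()
    for start in range(len(pw)):
        for end in range(start + min_len, len(pw) + 1):
            if pw[start:end] in words:
                found.add(pw[start:end])
    return sorted(found)


if __name__ == "__main__":
    words = load_words(SAMPLE_DICT)
    for candidate in ("horse", "horse78$", "Tr0ub4dor&3"):
        print(candidate, is_whole_word(candidate, words),
              contained_words(candidate, words))
```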
