[BLFS Trac] #1465: MIT Kerberos Password Checking

BLFS Trac trac at linuxfromscratch.org
Thu Jan 11 14:33:14 PST 2007


#1465: MIT Kerberos Password Checking
----------------------------------------+-----------------------------------
 Reporter:  randy at linuxfromscratch.org  |        Owner:  blfs-book at linuxfromscratch.org
     Type:  defect                      |       Status:  closed                        
 Priority:  high                        |    Milestone:  future                        
Component:  BOOK                        |      Version:  SVN                           
 Severity:  normal                      |   Resolution:  fixed                         
 Keywords:                              |  
----------------------------------------+-----------------------------------
Changes (by randy at linuxfromscratch.org):

  * status:  new => closed
  * resolution:  => fixed

New description:

 The MIT Kerberos package has code which will use a dictionary file
 to check for strong passwords.

 I suggest that the MIT Kerberos instructions add an "Additional Download"
 section to download the CrackLib dictionary

 download: http://prdownloads.sourceforge.net/cracklib/cracklib-words.gz
 MD5 sum:  d18e670e5df560a8745e1b4dede8f84f
 Size:     4.4 MB

 and install it using the CrackLib instructions

 install -v -m644 -D ../cracklib-words.gz \
     /usr/share/dict/cracklib-words.gz &&
 gunzip -v /usr/share/dict/cracklib-words.gz &&
 ln -v -s cracklib-words /usr/share/dict/words

 then provide instructions in the configuration section to create
 a kdc.conf file and add the dict_file flag to the file.

 This would then install MIT Kerberos using strong password checking
 as the default. Unfortunately, I cannot find a way to use an additional
 file (similar to the CrackLib cracklib-extra-words file) to use
 additional, site-specific words.

 Perhaps a mention to add these site-specific extra words to the
 CrackLib dictionary would suffice.

 Executive Summary of this bug:

 If a site is worried (smart enough) to use a Kerberos authentication
 system to provide strong and encrypted authentication, but does not
 force users to use strong passwords, the security of the system is
 drastically reduced, and can easily be compromised.

Comment:

 Added information to the MIT Kerberos instructions that
 recommends installing a word dictionary and how to
 configure the installation to use it.

-- 
Ticket URL: <http://wiki.linuxfromscratch.org/blfs/ticket/1465#comment:1>
BLFS Trac <http://wiki.linuxfromscratch.org/blfs>
Beyond Linux From Scratch
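Added example, not part of the ticket or the BLFS book: a POSIX shell script that builds the workaround the report suggests, merging the CrackLib word list with a site-specific extra-words file into a single list usable as the kdc.conf dict_file, and checks candidate passwords with the same exact-match lookup a dictionary check performs. The file paths, realm name and sample words are constructed assumptions.

```shell
#!/bin/sh
# Build a merged dictionary for MIT Kerberos password checking (added example).
# The kdc.conf fragment this list is meant for, with an assumed realm name:
#   [realms]
#       EXAMPLE.ORG = {
#           dict_file = /usr/share/dict/words
#       }
set -u

# merge_dict BASE EXTRA OUT: one word per line, trailing whitespace and blank
# lines dropped, sorted bytewise with duplicates removed.
merge_dict() {
    base="$1"; extra="$2"; out="$3"
    cat "$base" "$extra" | sed 's/[[:space:]]*$//' | grep -v '^$' \
        | LC_ALL=C sort -u > "$out"
}

# in_dict WORD DICT: exit 0 if WORD is an exact, case-sensitive entry of DICT,
# which is the kind of match a dictionary-based password check rejects.
in_dict() {
    grep -qxF -- "$1" "$2"
}

# dict_size DICT: number of entries in the merged list.
dict_size() {
    wc -l < "$1" | tr -d ' '
}

# Constructed sample data standing in for /usr/share/dict/cracklib-words and a
# site-specific extra-words file; 'password' appears in both on purpose.
workdir=$(mktemp -d)
printf 'password\nqwerty\nletmein\n' > "$workdir/cracklib-words"
printf 'ExampleCorp\nkrbtest\npassword\n' > "$workdir/extra-words"
merge_dict "$workdir/cracklib-words" "$workdir/extra-words" "$workdir/words"
```

In production, point `merge_dict` at the real CrackLib list and the site list, write the result to the path named by `dict_file`, and rerun it whenever the site list changes.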