Setting up pw quality check - clhedrick/kerberos GitHub Wiki


Password quality rules

The same rules are enforced by two completely separate things: a Kerberos plugin, used for kpasswd, and code in the web password change tools. These contain separate implementations of the same rules, with separate databases of prohibited passwords.

Plugin

I'm using https://www.eyrie.org/~eagle/software/krb5-strength/krb5-strength.html, with changes. Our changed version is in krb5-strength-3.1. Here are the instructions to set up the original:

  • install source
  • ./configure
  • make
  • yum install perl-DBI perl-DBD-SQLite
  • for test script, also do yum install perl-File-Slurp perl-Test-MinimumVersion perl-Test-Pod perl-Test-Perl-Critic perl-Test-Spelling
  • make check-local runs tests
But in krb5-strength-3.1, configure has already been done. See RUTGERS there for the changes. The policy I wanted couldn't be done just by configuration, so I had to change the code.

It uses an SQLite database. That is built in the tools directory in krb5-strength-3.1. Note that it has a file top1000000 that comes from NIST. The build is simple:

  • ./krb5-strength-wordlist -s strengthcheck.sqlite -l 10 top1000000
krb5-strength-wordlist is perl, which is why we need perl DBI installed above.
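An added Python sketch (not part of this wiki or of krb5-strength) that mirrors the plugin's SQLite dictionary check, so a freshly built database can be exercised offline without going through kpasswd. It assumes the schema krb5-strength-wordlist produces (table passwords with columns password and drowssap, the reversed word) and the documented rule that a password is rejected when it is within one edit of a dictionary word; both are assumptions here, not verified against krb5-strength-3.1, and the word list is a constructed stand-in for top1000000.

```python
import sqlite3

# Constructed stand-in for the NIST top1000000 list (all entries are 10+ chars,
# matching the -l 10 filter used when building strengthcheck.sqlite).
SAMPLE_WORDS = ["password123", "qwertyuiop", "letmein2024", "iloveyou12", "short"]

def build_db(words, min_len=10, path=":memory:"):
    """Mirror of `krb5-strength-wordlist -s DB -l min_len WORDS`.
    Assumed schema: passwords(password, drowssap), drowssap = reversed word."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS passwords "
               "(password TEXT PRIMARY KEY, drowssap TEXT)")
    db.executemany("INSERT OR IGNORE INTO passwords VALUES (?, ?)",
                   [(w, w[::-1]) for w in words if len(w) >= min_len])
    db.commit()
    return db

def edit_distance_le1(a, b):
    """True if b equals a or differs by one insertion, deletion or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = 0                                   # length of the common prefix
    while i < min(len(a), len(b)) and a[i] == b[i]:
        i += 1
    if len(a) == len(b):
        return a[i + 1:] == b[i + 1:]       # identical, or one substitution
    if len(a) > len(b):
        a, b = b, a                         # make a the shorter string
    return a[i:] == b[i + 1:]               # one character inserted into a

def dictionary_hit(db, pw):
    """Return the dictionary word within one edit of pw, or None if clean.
    Any word within one edit shares either the first half of pw or the last
    half of pw, so the prefix columns narrow the scan before comparing."""
    half = len(pw) // 2
    rows = db.execute(
        "SELECT password FROM passwords "
        "WHERE substr(password, 1, ?) = ? OR substr(drowssap, 1, ?) = ?",
        (half, pw[:half], half, pw[::-1][:half])).fetchall()
    for (word,) in rows:
        if edit_distance_le1(pw, word):
            return word
    return None

if __name__ == "__main__":
    db = build_db(SAMPLE_WORDS)
    for candidate in ["password1234", "Qwertyuiop", "correcthorsebattery"]:
        print(candidate, "->", dictionary_hit(db, candidate) or "ok")
```

Point `build_db` at the real top1000000 file and a disk path to build a throwaway copy of the database for testing.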

To install:

  • cp ./plugin/.libs/strength.so /usr/local/libexec/
  • cp strengthcheck.sqlite /usr/local/etc/strengthcheck.sqlite
  • The default IPA password policy requires multiple character classes and has a minimum password life of an hour. Change it in IPA to one class and a minimum of zero. Testing is very painful if you have to wait an hour between changes, and I don't quite see why that policy would be needed.
To set up the cracklib database: cracklib isn't actually used in my version, but there may be enough remnants of the code to require the steps below. You might initially try without them.
  • got a long list of words from weakpass, merged it with /usr/share/dict/words; the result is in /usr/share/dict/words-crack
  • tools/krb5-strength-wordlist -s database /usr/share/dict/words
  • cp database /usr/local/etc
  • cracklib/mkdict /usr/share/dict/words-crack | packer. This puts its output into /usr/share/cracklib.
Restart krb5kdc and kadmin (after also editing krb5.conf as described below).

To install on a new server you need

  • /usr/local/libexec/strength.so
  • /usr/local/etc/strengthcheck.sqlite
  • /usr/share/dict/words-crack
  • /usr/share/dict/words.*
I'm not touching /usr/share/dict/words.

In krb5.conf

[appdefaults]
  krb5-strength = {
    password_dictionary        = /usr/share/cracklib/pw_dict
    password_dictionary_sqlite = /usr/local/etc/strengthcheck.sqlite
  }

[plugins]
  pwqual = {
    module = strength:/usr/local/libexec/strength.so
    disable = dict
  }

There appears to be a bug in the plugin. Despite what the documentation says, you have to use cracklib, and the plugin seems to ignore the password_dictionary setting in krb5.conf.

Web tool

The password rules are also built into the web tool for changing your password.

It needs an HSQL database. It uses the same top1000000 file, but the database is built separately. See accounts/src/main/database; there's a README there telling how to build /var/www/tomcat/db.
