Hello Greg,

Thank you so much for your quick reply.
What I found with some tests is that while the length and character-class rules 
are correctly applied when using cpw, other rules like minlife are not 
respected.
For example, I set a policy with the following rules:

Policy: TEST
Maximum password life: 2629800
Minimum password life: 864000
Minimum password length: 10
Minimum number of password character classes: 3
Number of old keys kept: 4
Maximum password failures before lockout: 4
Password failure count reset interval: 0 days 03:00:00
Password lockout duration: 0 days 03:00:00

I can change the password of the principal with that policy applied at any 
time, despite the minimum password life described.
Also, I'm able to reuse old passwords and the history is not being respected, 
but I'm afraid that's the expected behavior because of the LDAP database module.

Using kpasswd, then the reject message is correctly prompted:

Password change rejected: Password cannot be changed because it was changed too 
recently. Please wait until Sun Aug 23 07:42:10 2020 before you change it.
If you need to change your password before then, contact your system security 
administrator.

I understand that cpw is more like the administrative password-changing tool, 
and in order to allow the system administrator to change the password whenever 
it is required, the minimum password life is not being applied.
But then, any ideas about how we could proceed?

Our Kerberos version: 1.12.5-40.34.1
OS: SUSE 12 SP3

We are not able to install more recent software due to some customer 
requirements, although it would be appreciated to know if later versions have a 
different behavior.


Dario Garcia Díaz-Miguel
GGCS-SES Unit
GGCS SKMF Infrastructure Division
GMV
C/ de Isaac Newton, 11
28760, Tres Cantos, Madrid
España
+34 918 07 21 00
+34 918 07 21 99
www.gmv.com
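Since the thread turns on whether minlife is enforced on the kpasswd path but not on the cpw path, a small audit helper is useful: parse the policy listing above, compute the earliest change time minlife permits, and flag any recorded password change that happened sooner than that. The following is an added example written for this thread, not code from MIT Kerberos or from either poster. The policy text is the one quoted above; the password-change timestamps are constructed (the first one is chosen so the computed wait-until date matches the kpasswd rejection message quoted in the thread), and in practice they would come from your KDC's audit logs or from `getprinc` output.

```python
import re
from datetime import datetime, timedelta

# Sample `kadmin getpol` output, shaped like the listing quoted in the thread.
POLICY_TEXT = """\
Policy: TEST
Maximum password life: 2629800
Minimum password life: 864000
Minimum password length: 10
Minimum number of password character classes: 3
Number of old keys kept: 4
Maximum password failures before lockout: 4
Password failure count reset interval: 0 days 03:00:00
Password lockout duration: 0 days 03:00:00
"""

# Constructed password-change timestamps for one principal (not from the thread).
# The second change is only one day after the first, i.e. sooner than the
# 10-day minlife (864000 s) allows; the third is well outside the window.
SAMPLE_CHANGES = [
    datetime(2020, 8, 13, 7, 42, 10),
    datetime(2020, 8, 14, 9, 0, 0),
    datetime(2020, 8, 25, 12, 0, 0),
]

TIME_FIELDS = {
    "Maximum password life",
    "Minimum password life",
    "Password failure count reset interval",
    "Password lockout duration",
}


def parse_duration(value):
    """Convert a bare number of seconds or 'N days HH:MM:SS' into seconds."""
    value = value.strip()
    if value.isdigit():
        return int(value)
    m = re.fullmatch(r"(\d+) days? (\d+):(\d+):(\d+)", value)
    if not m:
        raise ValueError(f"unrecognised duration: {value!r}")
    days, hours, minutes, seconds = (int(x) for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def parse_policy(text):
    """Parse the 'Key: value' lines of getpol output; time fields become seconds."""
    policy = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key in TIME_FIELDS:
            policy[key] = parse_duration(value)
        elif value.isdigit():
            policy[key] = int(value)
        else:
            policy[key] = value
    return policy


def earliest_allowed_change(last_change, minlife_seconds):
    """Earliest time a user-initiated (kpasswd) change should be accepted."""
    return last_change + timedelta(seconds=minlife_seconds)


def audit_change_times(change_times, minlife_seconds):
    """Return the changes that occurred before minlife had elapsed since the
    previous change. A non-empty result means some path (such as cpw) accepted
    a change that the minlife rule would have rejected."""
    violations = []
    for prev, cur in zip(change_times, change_times[1:]):
        if cur < earliest_allowed_change(prev, minlife_seconds):
            violations.append(cur)
    return violations


if __name__ == "__main__":
    policy = parse_policy(POLICY_TEXT)
    minlife = policy["Minimum password life"]
    wait_until = earliest_allowed_change(SAMPLE_CHANGES[0], minlife)
    print("minlife seconds:", minlife)
    print("next kpasswd change allowed after:", wait_until.strftime("%a %b %d %H:%M:%S %Y"))
    for ts in audit_change_times(SAMPLE_CHANGES, minlife):
        print("change sooner than minlife allows:", ts.isoformat(sep=" "))
```

Run against real data, feed the principal's change history (from KDC logs or successive `getprinc` "Last password change" values) into `audit_change_times`; any flagged timestamp identifies a change that bypassed minlife and tells you which tool or path made it.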

-----Original Message-----
From: Greg Hudson [mailto:ghud...@mit.edu]
Sent: Wednesday, 12 August 2020 17:52
To: Dario García Díaz-Miguel <dgd...@gmv.com>; kerberos@mit.edu
Subject: Re: cpw ignoring password policies

On 8/12/20 5:39 AM, Dario García Díaz-Miguel wrote:
> kadmin -k -t $KEYTABLOCATION -p $SERVICEPRINCIPAL -q "cpw $PRINCIPAL -pw 
> $PASSWORD"
>
> What we found is that this command ignores the password policy assigned to 
> the principal, including all the complexity rules and history options. No 
> matter if the command is launched in a kadmin console interactive mode, 
> policies are totally ignored.
>
> If we use:
>
> kpasswd $PRINCIPAL

That's unexpected, and it's not the behavior I see in a test environment:

$ kadmin.local addpol -minlength 6 testpol
$ kadmin.local modprinc -policy testpol user
$ kadmin -k -p user/admin cpw -pw pw user
change_password: Password is too short while changing password for 
"u...@krbtest.com".
$ kadmin.local cpw -pw pw user
change_password: Password is too short while changing password for 
"u...@krbtest.com".

What software and version is running on the kadmin server?


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos