Miscellaneous questions regarding krb5.conf?

Miscellaneous questions regarding krb5.conf?

jay alvarez-2
Good day!

I have a few questions:

1. Where is that [password_quality] section located in the manual, as discussed in this link: http://www.openinput.com/auth-howto/ar01s06.html, where I can set the minimum password length as well as the allowable characters and possibly the invalid passwords, possibly taken from a dictionary?

2. "privilages" command in kadmin doesn't work
3. Perhaps the krb5.conf manual should indicate which sections/bindings are for a client and which are for a server. When I kinit from a machine with a lifetime of "10 hours" (kinit -l "10 hours" [hidden email]) I got a ticket with a ten-hour lifetime even if the "ticket_lifetime" in the [libdefaults] section of the kdc's krb5.conf is set to only 8 hours, as well as in the client's krb5.conf.

4. How can I enforce the attributes of the tickets obtained from the kdc by a client (e.g. I don't want any ticket to be forwardable)? I noticed that kinit uses the [libdefaults] section to look for possible ticket attributes even though none of those attributes exist in the [libdefaults] section of the kdc's krb5.conf.


That's all for now...
Thanks.


Re: Miscellaneous questions regarding krb5.conf?

Brandon S Allbery KF8NH-2

On Dec 14, 2005, at 10:49 , jay alvarez wrote:

> 3. perhaps the krb5.conf manual should indicate which sections/
> bindings is for a client and which is for a server. When I kinit  
> from a machine with a lifetime of "10 hours" (kinit -l "10 hours"  
> [hidden email]) I got a ticket with a ten hours lifetime even  
> if the "ticket_lifetime" in the [libdefaults] section of the kdc's  
> krb5.conf is set to only 8 hours as well as in the clients krb5.conf.

Er?  The default "ticket_lifetime" is just that, a default lifetime  
used if the client doesn't specify one.  If you want to clamp it then  
you need to specify a maximum lifetime, not a default.

--
brandon s. allbery     [linux,solaris,freebsd,perl]      
[hidden email]
system administrator  [openafs,heimdal,too many hats]  
[hidden email]
electrical and computer engineering, carnegie mellon university      
KF8NH



Re: Miscellaneous questions regarding krb5.conf?

Dave Love
In reply to this post by jay alvarez-2
jay alvarez <[hidden email]> writes:

>  1. Where is that [password_quality] section located in the manual
>  as discussed in this link:

I don't know about that link, but you want the node `Password
changing' in the manual.  Heimdal 0.7 changed (extended) this area
(and I'm not sure whether the manual was always accurate -- I think I
supplied some changes for that section).

>  4. How can I enforce the attributes of the tickets obtained from
>  the kdc by a client (eg. I don't want any ticket to be
>  forwardable?)

Setting attributes on principals is explained in the docs, but I don't
remember where off-hand.

[Any chance of not posting `HTML'?]
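
The distinction drawn in the replies above (a client-side default in [libdefaults] versus a maximum and attributes enforced per principal on the KDC), as an added example that is not part of the original thread. The `max_life` and `disallow_forwardable` parameters are hypothetical stand-ins for the principal's settings on the KDC, the duration parser is a simplified assumption, and the krb5.conf text is constructed.

```python
import re

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_duration(text):
    """Simplified parser (assumption): '8h', '10 hours', '1d 2h' -> seconds."""
    parts = re.findall(r"(\d+)\s*([a-z]*)", text.lower())
    if not parts:
        raise ValueError(f"no duration in {text!r}")
    total = 0
    for number, unit in parts:
        key = unit[:1] or "s"  # a bare number is taken as seconds
        if key not in UNITS:
            raise ValueError(f"unknown unit {unit!r}")
        total += int(number) * UNITS[key]
    return total

def libdefaults(conf_text):
    """Collect key = value pairs from the [libdefaults] section only."""
    section, found = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            found[key] = value
    return found

def ticket_outcome(conf_text, kinit_lifetime, max_life, disallow_forwardable):
    """Client request (kinit -l overrides krb5.conf) versus what the KDC issues."""
    conf = libdefaults(conf_text)
    asked = parse_duration(kinit_lifetime or conf["ticket_lifetime"])
    wants_fwd = conf.get("forwardable", "false").lower() in ("true", "yes")
    return {
        "requested": asked,
        "issued": min(asked, parse_duration(max_life)),  # KDC clamps to the maximum
        "forwardable": wants_fwd and not disallow_forwardable,
    }

# Constructed client krb5.conf matching the thread: an 8-hour default lifetime.
CLIENT_CONF = """
[libdefaults]
    ticket_lifetime = 8h
    forwardable = true
"""
```

With a hypothetical one-day maximum, `ticket_outcome(CLIENT_CONF, "10 hours", "1d", False)` issues the full ten hours the client asked for, which is the behaviour described in question 3; lowering the maximum to `"8h"` is what clamps it.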