"(Paul Blackburn)" <[EMAIL PROTECTED]> writes:
> Yes, but a modicum less trivial than the "NIS ypcat passwd crack" attack.
> Given that kpwvalid is easily spoofed, what do other sites do about AFS
> password "quality checking"?

Here at the University of Michigan, we run a modified copy of MIT's
"kadmind" on the database servers.  This program supports MIT's
TCP based password changing protocol, which means it's easily used
by clients on Macintosh, Windows, as well as Unix workstations.
Most users here on campus actually use Windows or Macintosh machines.
At the moment, Unix is rather more popular than might be expected,
but only because the current "method of choice" to access mail
is via pine on Unix.  With this exception, and a few others,
Unix is actually not so common on campus.

Our modifications fall into two classes:

 (1) talk to AFS kaserver via rx (instead of the MIT data files.)
 (2) implement password quality checking - the protocol already
        has hooks to do this, so the logic is quite simple.

Several other sites have also independently modified kadmind
towards the same end.

This doesn't stop anyone who *really* wants to from using a
copy of Transarc's kpasswd (or kas) to set their password directly.
There is nothing we could reasonably do to stop people from running any
client software they wanted.  Therefore, the only way we could *reasonably*
block this would be to actually disable or limit it directly in the server.

We've discussed doing just this here, but it's not quite as convenient
as it sounds.  It also doesn't really buy all that much security.  In
the final analysis, the security of passwords is only as good as people's
understanding and respect of the value of secure passwords.  Anyone
who wanted to circumvent "kpwvalid" to pick a bad password is probably
already willing to print their password on the bottom of the keyboard,
to share it with their SO, or with their parents, friends, or to describe
their password selection algorithm with the aforementioned persons.
The only cure to such problems is user education; without that, the
most secure technical solution is completely and totally ineffectual.

                                -Marcus Watts
                                UM ITD PD&D Umich Systems Group
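As an added example, not code from the original post and not the University of Michigan kadmind modification or Transarc's kpwvalid, here is a password quality check of the kind the post describes, written as a plain function so it can be called at the server's password-change entry point as well as from a kpwvalid-style client hook. The word list, the minimum length, the character-class rule, and the assumed stdin convention (old password on the first line, new password on the second) are all assumptions made for illustration.

```python
"""Password quality check in the style of an AFS kpwvalid hook.

Hypothetical example.  The rules below are illustrative, not the policy
of any real site or the behaviour of OpenAFS's kpwvalid.  The point the
post makes is that a check like this only binds if the server calls it;
a client that never runs kpwvalid sees none of these rules.
"""
import re
import sys

# Constructed for this example: a tiny stand-in for a real dictionary file.
DICTIONARY = {"password", "welcome", "michigan", "wolverine", "secret", "qwerty"}

MIN_LENGTH = 8          # assumed site minimum
MIN_CLASSES = 3         # assumed: lower, upper, digit, other

CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def check_password(new_pw, old_pw=None, username=None, dictionary=DICTIONARY):
    """Return the list of reasons the new password is rejected.

    An empty list means the password is accepted.  All comparisons are
    case-insensitive, and digits/punctuation are stripped before the
    dictionary check so that "Password1!" is still caught.
    """
    reasons = []
    lowered = new_pw.lower()

    if len(new_pw) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)

    classes = sum(bool(re.search(p, new_pw)) for p in CLASS_PATTERNS)
    if classes < MIN_CLASSES:
        reasons.append("fewer than three character classes")

    if old_pw is not None:
        old_lowered = old_pw.lower()
        if lowered in (old_lowered, old_lowered[::-1]):
            reasons.append("same as old password or its reverse")

    if username and username.lower() in lowered:
        reasons.append("contains the user name")

    letters_only = re.sub(r"[^a-z]", "", lowered)
    for word in sorted(dictionary):
        if len(word) >= 4 and word in letters_only:
            reasons.append("based on dictionary word %r" % word)
            break

    return reasons


def validate_change(text, username=None):
    """kpwvalid-style entry point: parse the two-line input, return exit status.

    Assumed convention: old password on line 1, new password on line 2.
    Returns 0 if the new password is acceptable, 1 otherwise.  Malformed
    input is rejected rather than accepted, so a broken caller fails closed.
    """
    lines = text.splitlines()
    if len(lines) < 2:
        sys.stderr.write("expected old and new password on stdin\n")
        return 1
    reasons = check_password(lines[1], old_pw=lines[0], username=username)
    for reason in reasons:
        sys.stderr.write("rejected: %s\n" % reason)
    return 0 if not reasons else 1


def main():
    # Usage as a kpwvalid replacement: printf 'old\nnew\n' | python3 this.py [user]
    user = sys.argv[1] if len(sys.argv) > 1 else None
    sys.exit(validate_change(sys.stdin.read(), username=user))


if __name__ == "__main__":
    main()
```

Because `check_password` has no dependency on how the candidate arrived, the same function can sit behind the server's change-password handler, which is the only place the post says a check cannot be bypassed by swapping clients.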
