On Tue, 3 Sep 1996 11:04:20 +0100 "(Paul Blackburn)" wrote:
> John Gardiner Myers <[EMAIL PROTECTED]> wrote (in response to mpb):
>
> mpb> NB: AFS passwords from your kaserver(s) are never presented by "ypcat".
>
> jgm> However, they are no less vulnerable to externally mounted dictionary
> jgm> attacks.
>
> Yes, but a modicum less trivial than the "NIS ypcat passwd crack" attack.
> Given that kpwvalid is easily spoofed, what do other sites do about AFS
> password "quality checking"?

At QUALCOMM, we have provided a different version of passwd that speaks
to a proxy server, which runs with a token to modify users' passwords. This
gives us the following features:
1) Arbitrarily complex password checking. We put all passwords
through a fairly rigorous test at our site.
2) The ability to create password/shadow files for systems that
don't run AFS.
3) The ability to provide arbitrarily complex rules in allowing
accounts-admin folks to modify passwords of other users, without
giving them the keys to AFS. (They don't have the ability to modify
admin level accounts, for example.)
-- Garrett.
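
The decision a proxy like the one described above has to make before it uses its own token, as an added example that is not part of the original post and not QUALCOMM's code. Every name, role list and rule here (the 10-character minimum, `ACCOUNT_ADMINS`, `ADMIN_LEVEL_ACCOUNTS`, the sample dictionary) is an assumption made for illustration; the point is that the checks run on the server that holds the privilege, so a modified client cannot skip them.

```python
from dataclasses import dataclass

# Constructed sample data standing in for a site dictionary and role lists.
DICTIONARY = {"password", "qualcomm", "letmein", "andrew"}
ACCOUNT_ADMINS = {"helpdesk1"}                 # hypothetical delegated staff
ADMIN_LEVEL_ACCOUNTS = {"admin", "afsadmin"}   # hypothetical protected accounts

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str

def quality_problem(user, new_pw):
    """Return a reason string if the password fails the site rules, else None."""
    low = new_pw.lower()
    if len(new_pw) < 10:
        return "too short"
    if user.lower() in low:
        return "contains username"
    if low in DICTIONARY or low.rstrip("0123456789!") in DICTIONARY:
        return "dictionary word"
    kinds = sum(any(f(c) for c in new_pw) for f in (str.islower, str.isupper, str.isdigit))
    if kinds < 2:
        return "too few character classes"
    return None

def authorize_change(requester, target, new_pw, old_pw_verified):
    """requester is the identity authenticated on the connection, never a client-supplied field."""
    if requester == target:
        if not old_pw_verified:
            return Decision(False, "old password not verified")
    elif requester in ACCOUNT_ADMINS:
        # Delegated staff may reset ordinary users but not privileged accounts or each other.
        if target in ADMIN_LEVEL_ACCOUNTS or target in ACCOUNT_ADMINS:
            return Decision(False, "delegated admins cannot change admin-level accounts")
    else:
        return Decision(False, "not authorized for this account")
    problem = quality_problem(target, new_pw)
    if problem:
        return Decision(False, "weak password: " + problem)
    # Only at this point would the proxy use its privileged token to set the password.
    return Decision(True, "ok")
```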