Dagobert Michelsen <[email protected]> writes:
> On 22.05.2013 at 15:41, "Edgecombe, Jason" <[email protected]> wrote:

>> * passwords may not contain certain characters, like unicode or some
>> ASCII characters

> To my knowledge this is not possible, but I also don't see a reason to
> limit it.

If users try to use Unicode characters, they potentially get into Unicode normalization problems, which can leave them unable to type their password in the form that the Kerberos KDC expects it even if the password they're typing looks the same on their entry device.

I don't think Kerberos has defined a standard normalization that would affect the kpasswd / string-to-key layer yet, although some protocols that can use Kerberos for password verification define a normalization at a higher level.

Some control characters can create problems because they can be entered on some devices and not on others.

In both cases, this is a user support issue. There's no real security issue from choosing such passwords, but the user may be unable to enter it again later, which prompts calls to the Help Desk, help in resetting passwords, etc.

-- 
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
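The normalization and control-character problems described in the message above, as an added example that is not part of the original post or of any Kerberos code: a check that flags candidate passwords with either property, plus a demonstration that two visually identical passwords hash differently. The salt, the sample passwords and the function names are constructed for illustration, and the PBKDF2 call is a stand-in for the hashing step of a string-to-key function, not a complete Kerberos string-to-key.

```python
import hashlib
import unicodedata

# Constructed sample salt (assumption): realm followed by principal name.
SALT = b"EXAMPLE.COMalice"


def pbkdf2_stage(password, salt=SALT):
    """Hash the UTF-8 bytes of the password exactly as typed.

    No normalization is applied, so different code point sequences
    give different keys even when they render identically.
    """
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, 4096, 16)


def entry_risks(password):
    """Return the support risks a candidate password carries."""
    risks = []
    # If any normalization form changes the string, another input device
    # may send a different byte sequence for the same visible text.
    forms = {unicodedata.normalize(f, password)
             for f in ("NFC", "NFD", "NFKC", "NFKD")}
    if len(forms) > 1:
        risks.append("normalization-sensitive")
    # Category Cc covers control characters, which some devices cannot enter.
    if any(unicodedata.category(ch) == "Cc" for ch in password):
        risks.append("control-character")
    return risks


# Constructed sample passwords: same visible text, different code points.
composed = "caf\u00e9-2013"      # e-acute as a single code point
decomposed = "cafe\u0301-2013"   # 'e' followed by a combining acute accent

if __name__ == "__main__":
    print("keys match:", pbkdf2_stage(composed) == pbkdf2_stage(decomposed))
    for candidate in (composed, "plain-ascii", "pass\x07word"):
        print(repr(candidate), entry_risks(candidate))
```
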
