Learn how to use the IBM Network Authentication Service (IBM Kerberos) for AIX to strengthen Kerberos user passwords.
Introduction
The Kerberos principal password is the key used to unlock the Key Distribution Center (KDC) server's reply, so if the password is compromised there is no other way to verify the authenticity of the subject. The administrator must therefore choose a password that is very difficult to crack, so that others cannot crack it and compromise the security of the system.
You can also advise end users to increase the strength of their passwords and inform them of the password policy. That is an external safeguard; an internal mechanism is also needed to force end users to choose strong passwords. For this reason, IBM Network Authentication Service (NAS) for AIX provides an enhanced password strength capability.
The IBM NAS administration server (kadmind) provides the enhanced password strength checking facility. The kadmind server is responsible for checking and validating the principal's password. It can validate the password against the password policy assigned to the principal (see the Resources section for the developerWorks article on Kerberos password policy management) and against the password rules specified in the rule configuration file.
Activate the enhanced password strength feature
To activate the enhanced password strength feature in IBM NAS, the administrator needs to specify the location of the rule configuration file in the Key Distribution Center (KDC) configuration file '/var/krb5/krb5kdc/kdc.conf'. Use the 'password_rules' relation in the [realms] section of the configuration file to specify the location of the rule configuration file, as follows:
[kdcdefaults]
    kdc_ports = 88
[realms]
    TEST = {
        database_name = /var/krb5/krb5kdc/principal
        admin_keytab = /var/krb5/krb5kdc/kadm5.keytab
        acl_file = /var/krb5/krb5kdc/kadm5.acl
        dict_file = /var/krb5/krb5kdc/kadm5.dict
        key_stash_file = /var/krb5/krb5kdc/.k5.TEST
        kadmind_port = 749
        kdc_ports = 88
        max_life = 24h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-cbc-sha1
        supported_enctypes = des3-cbc-sha1:normal arcfour-hmac:normal aes256-cts:normal des-cbc-md5:normal des-cbc-crc:normal
        password_rules = /var/krb5/krb5kdc/password_rules.conf
    }
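Because 'password_rules' is set per realm, a realm added later without the relation gets no rule-file checking. The following audit sketch is an added example, not part of the original article or of IBM NAS: it parses kdc.conf text and reports, for each realm, whether the relation is present and whether the file it names exists. The function names, the realm LAB and the sample text are assumptions made for illustration.

```python
import os
import re
# Constructed sample: realm LAB is made up and lacks password_rules.
SAMPLE_KDC_CONF = """\
[kdcdefaults]
kdc_ports = 88
[realms]
TEST = {
    password_rules = /var/krb5/krb5kdc/password_rules.conf
}
LAB = {
    kadmind_port = 749
}
"""

def realm_relations(conf_text):
    """Return {realm: {relation: value}} parsed from the [realms] section."""
    realms, section, current = {}, None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:                        # new top-level section
            section, current = header.group(1), None
        elif section != "realms" or not line or line.startswith("#"):
            continue                      # other sections, blanks, comments
        elif line == "}":                 # end of a realm block
            current = None
        elif current is None:             # expect "REALM = {"
            opened = re.fullmatch(r"(\S+)\s*=\s*\{", line)
            if opened:
                current = realms.setdefault(opened.group(1), {})
        elif "=" in line:                 # relation inside a realm block
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return realms

def audit_password_rules(conf_text, file_exists=os.path.isfile):
    """Map each realm to 'ok', 'missing relation' or 'file not found'."""
    report = {}
    for realm, relations in realm_relations(conf_text).items():
        path = relations.get("password_rules")
        if path is None:
            report[realm] = "missing relation"
        else:
            report[realm] = "ok" if file_exists(path) else "file not found"
    return report

if __name__ == "__main__":
    print(audit_password_rules(SAMPLE_KDC_CONF))
```

On the KDC host, pass the contents of /var/krb5/krb5kdc/kdc.conf instead of the sample; on any other machine the TEST realm reports 'file not found' because the rule file is not present there.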