Next: , Previous: Remote administration, Up: Setting up a realm

4.7 Password changing

To allow users to change their passwords, you should run kpasswdd. It is not run from inetd.

You might need to add `kpasswd' to your /etc/services as `464/udp'. If your realm is not setup to use DNS, you might also need to add a `kpasswd_server' entry to the realm configuration in /etc/krb5.conf on client machines:

             MY.REALM = {
                     kdc = my.kdc my.slave.kdc
                     kpasswd_server = my.kdc

4.7.1 Password quality assurance

It is important that users have good passwords, both to make it harder to guess them and to avoid off-line attacks (although pre-authentication provides some defence against off-line attacks). To ensure that the users choose good passwords, you can enable password quality controls in kpasswdd and kadmind. The controls themselves are done in a shared library or an external program that is used by kpasswdd. To configure in these controls, add lines similar to the following to your /etc/krb5.conf:

     	policies = external-check builtin:minimum-length modulename:policyname
     	external_program = /bin/false
     	policy_libraries =

In `[password_quality]policies' the module name is optional if the policy name is unique in all modules (members of `policy_libraries'). All built-in policies can be qualified with a module name of `builtin' to unambiguously specify the built-in policy and not a policy by the same name from a loaded module.

The built-in policies are

If you want to write your own shared object to check password policies, see the manual page kadm5_pwcheck(3).

Code for a password quality checking function that uses the cracklib library can be found in lib/kadm5/sample_password_check.c in the source code distribution. It requires that the cracklib library be built with the patch available at

A sample policy external program is included in lib/kadm5/

If no password quality checking function is configured, the only check performed is that the password is at least six characters long.

To check the password policy settings, use the command verify-password-quality in kadmin program. The password verification is only performed locally, on the client. It may be convenient to set the environment variable `KRB5_CONFIG' to point to a test version of krb5.conf while you're testing the `[password_quality]' stanza that way.