Randall Wood
2009-Jul-27 20:55 UTC
[389-users] Password policy: Dictionary of unauthorized tokens
The RedHat/FDS documentation suggests that FDS can use a dictionary of unauthorized tokens in a password policy, although it does not seem configurable. Is there a dictionary that FDS uses, and is it possible to add words to it if so desired? -- Randall Wood Secure Systems Engineer Trusted Computer Solutions 2350 Corporate Park Drive, Suite 500 Herndon, Virginia 20170 Tel (703) 537-4382 | Fax (703) 318-5041 rwood@trustedcs.com http://www.trustedcs.com
Rich Megginson
2009-Jul-27 21:00 UTC
Re: [389-users] Password policy: Dictionary of unauthorized tokens
Randall Wood wrote:> The RedHat/FDS documentation suggests that FDS can use a dictionary of > unauthorized tokens in a password policy, although it does not seem > configurable. >Where does it say that, and what exactly does it say?> Is there a dictionary that FDS uses, and is it possible to add words to > it if so desired? > >
Nathan Kinder
2009-Jul-27 22:38 UTC
Re: [389-users] Password policy: Dictionary of unauthorized tokens
On 07/27/2009 01:55 PM, Randall Wood wrote:> The RedHat/FDS documentation suggests that FDS can use a dictionary of > unauthorized tokens in a password policy, although it does not seem > configurable. > > Is there a dictionary that FDS uses, and is it possible to add words to > it if so desired? >That description is not really correct. There is a check that ensures that values used in common attribtues of the user entry can not be present in the password. This prevents things like using your uid or cn in your password. The values are broken into tokens of a configurable length and then compared to the userPassword value.