Re: Password History



On Sat, Aug 16, 2008 at 08:16:49AM +0100, Nico Kadel-Garcia wrote:
Jean-Pierre Radley wrote:
Joe Chasan typed (on Fri, Aug 15, 2008 at 06:56:03PM -0400):
| On Fri, Aug 15, 2008 at 05:58:51PM -0400, Jean-Pierre Radley wrote:
| > Nico Kadel-Garcia typed (on Fri, Aug 15, 2008 at 10:05:19PM +0100):
| > > Joe Chasan wrote:
| > >> Any easy way to implement password history - e.g. user can't re-use last X
| > >> passwords, where X is a configurable parameter?
| > >>
| > >> After an IT audit, auditors were surprised this was not implemented in
| > >> SCO OpenServer (6.0/mp2)
| > >
| > > If you want thorough such control, upgrade to an OS smart enough to use
| > > Kerberos (which I'm not sure SCO has ever published), or use a Kerberized
| > > master password server with an NIS back end for SCO clients. Oddly,
| > > Solaris, Linux, and Active Directory from Windows can all do this. And
| > > oddly, Solaris's NIS requires real hand-massaging to prevent from causing
| > > system problems, even though Sun apparently invented it.
| >
| > OSR 6.0.0 includes Kerberos.
|
| then how would one implement this part of it?

Well, I've never done it so I can't help you. Looks like you have (more
than enough) reading for weekends from now to Columbus Day at:

http://web.mit.edu/Kerberos/krb5-1.6/#documentation


But, while those documents are wonderful, they don't explain how to manage the
settings on particular operating systems. Active Directory uses Kerberos as
well, but this document will not help you find the settings *there*.

I'm working with OSR 5.0.6: I assume that 'scoadmin' has such settings
available in its GUI, and I'd avoid resetting such things manually in the text
files to avoid confusion and discrepancy between GUI managed components.

I see that OSR6 has Kerberos tools, but they are not well documented
at all - from what I gather, OSR6 can pass-off the authentication
process using Kerberos tools to a Kerberos authentication server - I
don't see how to make SCO OSR6 into one - I see that can use recent
Linux or Windows servers as one. Not sure I want to create such a mess
for what I thought was a simple request.

--
-Joe Chasan- Magnatech Business Systems, Inc.
joe - at - magnatechonline -dot- com Hicksville, NY - USA
http://www.MagnatechOnline.com Tel.(516) 931-4444/Fax.(516) 931-1264