
Managing Password Strength and Password Generation

The DCE password format policy described in Maintaining Policies and Properties enables you to control the following characteristics of user passwords:

· Minimum password length

· Whether a password can be all spaces

· Whether a password can consist of alphanumeric characters only

You can extend these password strength policies in your cell by creating a password management server to perform customized password checking and generation. DCE provides an example password validation/generation server, pwd_strengthd(8sec), which you can use as the basis for a password management server that suits your cell's requirements. DCE also provides a Password Management API that application developers can use to acquire information about the principal's password management policy, and to request generated passwords from the password management server. See the OSF DCE Application Development Guide - Core Components for information on the Password Management API.

Having created this server, you can then constrain a principal's password to be validated by this server when it is created and whenever it is changed. You do this by attaching instances of the pwd_val_type and pwd_mgmt_binding ERAs to the principal as follows:

pwd_val_type
Specifies password creation options for the principal as follows:

0
(NONE)
Specifies that the principal's password is subject only to DCE standard policy. (See Maintaining Policies and Properties for a description of DCE standard policy.) Specifying 0 (NONE) is equivalent to not attaching an ERA instance to the principal.

1
(USER_SELECT)
Specifies that the principal must supply password text as input to the password management server specified in the pwd_mgmt_binding ERA.

2
(USER_CAN_SELECT)
Specifies that the principal can either supply password text or specify that the password management server specified in the pwd_mgmt_binding ERA generate a password.

3
(GENERATION_REQUIRED)
Specifies that the password management server specified in the pwd_mgmt_binding ERA should generate a password for the principal.

pwd_mgmt_binding
Specifies a binding to your cell's password management server.

The following is an example of a dcecp command to create a principal and attach pwd_val_type and pwd_mgmt_binding ERAs:

dcecp> principal create smitty -attribute {{pwd_val_type 2} \
{pwd_mgmt_binding \
{{dce /.:/pwd_strength pktprivacy secret name} \
{/.:/pwd_mgmt/pwd_strength}}}}
dcecp>

For further information on how to use dcecp to attach ERAs to principals, see Creating and Using Extended Registry Attributes. For information on requesting generated passwords when changing a password, see Generating Passwords with dcecp.
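The decision flow described above, modeled as an added example; it is not DCE code and does not call the Password Management API. It combines the three format policy characteristics with the four pwd_val_type values. The function names, the sample minimum length, the generator's alphabet, and the choice to reject supplied text under GENERATION_REQUIRED are assumptions made for illustration.

```python
import secrets
import string
from dataclasses import dataclass

# pwd_val_type values as listed on this page
NONE, USER_SELECT, USER_CAN_SELECT, GENERATION_REQUIRED = 0, 1, 2, 3

@dataclass
class FormatPolicy:
    """The three password format characteristics described on this page."""
    min_length: int = 8              # constructed sample value
    allow_all_spaces: bool = False
    allow_alnum_only: bool = False

def check_format(pw, policy):
    """Return the list of format characteristics the password violates."""
    problems = []
    if len(pw) < policy.min_length:
        problems.append("too short")
    if pw and pw.strip(" ") == "" and not policy.allow_all_spaces:
        problems.append("all spaces")
    if pw.isalnum() and not policy.allow_alnum_only:
        problems.append("alphanumeric only")
    return problems

def generate(policy):
    """Hypothetical generator: random text, retried until it passes the check."""
    alphabet = string.ascii_letters + string.digits + "!#%+-_=?"
    length = max(policy.min_length, 12)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_format(pw, policy):
            return pw

def set_password(pwd_val_type, policy, supplied=None):
    """Model how pwd_val_type decides where the new password comes from."""
    if pwd_val_type == GENERATION_REQUIRED and supplied is not None:
        raise ValueError("GENERATION_REQUIRED: password text is not accepted")
    if pwd_val_type in (NONE, USER_SELECT) and supplied is None:
        raise ValueError("password text must be supplied")
    if supplied is None:     # USER_CAN_SELECT without text, or GENERATION_REQUIRED
        return generate(policy)
    # A site-specific server would add its own checks here for types 1 and 2.
    problems = check_format(supplied, policy)
    if problems:
        raise ValueError("rejected: " + ", ".join(problems))
    return supplied
```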

For information on configuring a password management server, see the following topics and the OSF DCE Administration Guide - Introduction.

More:

Managing a Password Management Server

Generating Passwords by Using dcecp