System Administration Guide: Security Services

ProcedureHow to Use a Dictionary File to Increase Password Security

A dictionary file can be used by the Kerberos service to prevent words in the dictionary from being used as passwords when creating new credentials. Preventing the use of dictionary terms as passwords makes it harder for someone else to guess any password. By default the /var/krb5/kadm5.dict file is used, but it is empty.

  1. Become superuser on the master KDC.

  2. Edit the KDC configuration file (kdc.conf).

    You need add a line to instruct the service to use a dictionary file. In this example, the dictionary that is included with the spell utility is used. See the kdc.conf(4) man page for a full description of the configuration file.

    kdc1 # cat /etc/krb5/kdc.conf
            kdc_ports = 88,750
            EXAMPLE.COM = {
                    profile = /etc/krb5/krb5.conf
                    database_name = /var/krb5/principal
                    admin_keytab = /etc/krb5/kadm5.keytab
                    acl_file = /etc/krb5/kadm5.acl
                    kadmind_port = 749
                    max_life = 8h 0m 0s
                    max_renewable_life = 7d 0h 0m 0s
                    sunw_dbprop_enable = true
                    sunw_dbprop_master_ulogsize = 1000
                    dict_file = /usr/share/lib/dict/words
  3. Restart the Kerberos daemons.

    kdc1 # svcadm restart -r network/security/krb5kdc
    kdc1 # svcadm restart -r network/security/kadmin