[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: cracklib password check

Well I am curious if this work is of some real use.  If there is a 
better a place to run checks instead of directly against the KDC, then 
I'll not bother.  Most Unix-likes have PAM, so I figure that is where 
most people would place checks(otherwise, why wouldn't someone have done 
this earlier?) in that environment.  However, Kerberos in a mixed 
Unix/Windows environment might need a centralized checking system.  So, 
I am curious if I am not working on something anyone needs. 

There's problems for both which lead me to wonder:
On Heimdal stand-alone -  The current api's for password checking in 
Heimdal do not pass the last password which prevents comparing it 
against the new.  Heimdal really should send back the last password(at 
least in kpasswdd), but I'll have to see what is involved in that.  

On the SAMBA integration - smbk5pwd appears on glance to just get enough 
from Heimdal to apply password changes directly in ldap.  If so, then it 
would not do password checks when changes come from SAMBA.  Would it be 
possible for smbk5pwd to even notify SAMBA of bad passwords if it did?

To me it appears that no one is/has really considering checking password 
strength at the KDC, so I would like to know why.

Henry B.Hotz wrote:

> I don't know if I get a vote or not, but I would hope that Heimdal  
> continues to support being a stand-alone package, with *optional*  
> integration hooks.
> On Apr 3, 2005, at 12:34 PM, Chris Hamilton wrote:
>> Hello,  I was working on a Linux distribution implementing Heimdal.   
>> While I was looking at features to implement I came across the old  
>> cracklib patch.  After porting that to cracklib 2.8(a Redhatized and  
>> maintained cracklib), I realized that it was kind of silly to make 
>> two  cracklib libraries.  Anyway, I have rewritten Linux-PAM's 
>> pam_cracklib  (complete with krb5.conf fetching for the various 
>> hardening flags and  a location for an old passwords file).   I need 
>> to test it more than  just compiling, but is this useful to anyone?  
>> Now that Heimdal is  heavily working to integrate with SAMBA, is 
>> Heimdal the best place to  be checking passwords for enterprises?
>> Thanks,
>> Chris Hamilton
> ------------------------------------------------------------------------ 
> ----
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu