Re: cracklib password check
Well I am curious if this work is of some real use. If there is a
better place to run checks instead of directly against the KDC, then
I'll not bother. Most Unix-likes have PAM, so I figure that is where
most people would place checks (otherwise, why wouldn't someone have done
this earlier?) in that environment. However, Kerberos in a mixed
Unix/Windows environment might need a centralized checking system. So,
I am curious if I am not working on something anyone needs.
There are problems for both, which lead me to wonder:
On Heimdal stand-alone - The current APIs for password checking in
Heimdal do not pass the last password, which prevents comparing it
against the new. Heimdal really should send back the last password (at
least in kpasswdd), but I'll have to see what is involved in that.
On the SAMBA integration - smbk5pwd appears at a glance to just get enough
from Heimdal to apply password changes directly in LDAP. If so, then it
would not do password checks when changes come from SAMBA. Would it be
possible for smbk5pwd to even notify SAMBA of bad passwords if it did?
To me it appears that no one is really considering, or has really considered,
checking password strength at the KDC, so I would like to know why.
Henry B. Hotz wrote:
> I don't know if I get a vote or not, but I would hope that Heimdal
> continues to support being a stand-alone package, with *optional*
> integration hooks.
> On Apr 3, 2005, at 12:34 PM, Chris Hamilton wrote:
>> Hello, I was working on a Linux distribution implementing Heimdal.
>> While I was looking at features to implement I came across the old
>> cracklib patch. After porting that to cracklib 2.8 (a Redhatized and
>> maintained cracklib), I realized that it was kind of silly to make
>> two cracklib libraries. Anyway, I have rewritten Linux-PAM's
>> pam_cracklib (complete with krb5.conf fetching for the various
>> hardening flags and a location for an old passwords file). I need
>> to test it more than just compiling, but is this useful to anyone?
>> Now that Heimdal is heavily working to integrate with SAMBA, is
>> Heimdal the best place to be checking passwords for enterprises?
>> Chris Hamilton
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz@jpl.nasa.gov, or firstname.lastname@example.org
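
The stand-alone Heimdal limitation raised in the reply above (the check does not receive the previous password) can be seen in a small old-versus-new comparison. This is an added example, not part of the original messages and not code from Heimdal, pam_cracklib or cracklib; `history_check` and its helpers are hypothetical names, and the passwords are constructed samples.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* 1 if a and b differ at most in letter case. */
static int same_ignoring_case(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;                    /* both must end together */
}

/* 1 if new_pw is old_pw rotated by any offset (offset 0 = identical). */
static int is_rotation(const char *old_pw, const char *new_pw)
{
    size_t n = strlen(old_pw), shift, i;
    if (n == 0 || n != strlen(new_pw))
        return 0;
    for (shift = 0; shift < n; shift++) {
        for (i = 0; i < n && new_pw[i] == old_pw[(i + shift) % n]; i++)
            ;
        if (i == n)
            return 1;
    }
    return 0;
}

/* Hypothetical check: NULL if acceptable, otherwise the reason.
 * old_pw == NULL models a hook that is handed only the new password. */
const char *history_check(const char *old_pw, const char *new_pw)
{
    if (old_pw == NULL)
        return NULL;                    /* nothing to compare against */
    if (same_ignoring_case(old_pw, new_pw))
        return "same as old password apart from letter case";
    if (is_rotation(old_pw, new_pw))
        return "rotation of old password";
    return NULL;
}

int main(void)
{
    const char *r = history_check("Winter2005x", "winter2005X");
    printf("with old password:    %s\n", r ? r : "accepted");
    r = history_check(NULL, "winter2005X");
    printf("without old password: %s\n", r ? r : "accepted");
    return 0;
}
```

With no old password available, the same trivially derived new password passes, which is why dictionary and complexity checks alone cannot replace the comparison.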