
Re: cracklib password check



On Apr 4, 2005, at 11:49 PM, Chris Hamilton wrote:

> Well, I am curious if this work is of some real use.  If there is a
> better place to run checks instead of directly against the KDC, then
> I'll not bother.  Most Unix-likes have PAM, so I figure that is where
> most people would place checks (otherwise, why wouldn't someone have
> done this earlier?) in that environment.

Linux IMO over-uses PAM, but a password management entry is standard.
The BSDs' support is spotty, and may not extend to password management.
MacOS "supports" PAM, but only for the BSD components, which excludes
most (all?) password management functions.

All of the above only applies to the client side though.

If you want to follow the Linux model and invent a server-side password
management chain, I have no objection as long as it's usable on all the
non-Linux Unixes: MacOS, Solaris, and *BSD in particular.  I think
you're asking for porting issues, myself.

> However, Kerberos in a mixed Unix/Windows environment might need a  
> centralized checking system.  So, I am curious if I am not working on  
> something anyone needs.
>
> There's problems for both which lead me to wonder:
>
> On Heimdal stand-alone - The current APIs for password checking in
> Heimdal do not pass the last password, which prevents comparing it
> against the new one.  Heimdal really should send back the last password (at
> least in kpasswdd), but I'll have to see what is involved in that.

What's involved is modifying the database schema to store old passwords  
so you have something to compare against.  The sample password checking  
code just piles them all into a big flat file, which doesn't scale real  
well.  ;-(

> On the SAMBA integration - smbk5pwd appears at a glance to just get
> enough from Heimdal to apply password changes directly in LDAP.  If
> so, then it would not do password checks when changes come from SAMBA.
> Would it be possible for smbk5pwd to even notify SAMBA of bad
> passwords if it did?
>
> To me it appears that no one is (or has been) really considering checking
> password strength at the KDC, so I would like to know why.

See above.  If you're volunteering to write code and will listen to  
requirements:  I need a minimum of x old passwords retained, and I need  
all passwords used over the last y time retained regardless of how many  
there are.  ;-)

> Henry B.Hotz wrote:
>
>> I don't know if I get a vote or not, but I would hope that Heimdal   
>> continues to support being a stand-alone package, with *optional*   
>> integration hooks.
>>
>> On Apr 3, 2005, at 12:34 PM, Chris Hamilton wrote:
>>
>>> Hello, I was working on a Linux distribution implementing Heimdal.
>>> While I was looking at features to implement I came across the old
>>> cracklib patch.  After porting that to cracklib 2.8 (a Redhatized and
>>> maintained cracklib), I realized that it was kind of silly to make
>>> two cracklib libraries.  Anyway, I have rewritten Linux-PAM's
>>> pam_cracklib (complete with krb5.conf fetching for the various
>>> hardening flags and a location for an old passwords file).  I need
>>> to test it more than just compiling, but is this useful to anyone?
>>> Now that Heimdal is heavily working to integrate with SAMBA, is
>>> Heimdal the best place to be checking passwords for enterprises?
>>>
>>>
>>> Thanks,
>>> Chris Hamilton
----------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
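The retention rule Hotz states above (keep at least x old passwords, and keep every password used within the last y time regardless of count) plus the old-versus-new comparison Hamilton says the current Heimdal APIs cannot do, worked through as an added example. This is not code from the thread or from Heimdal: the history store, the PBKDF2 digest scheme, the function names and the five-entry sample history are all assumptions made here for illustration.

```python
"""Password-history retention and reuse check.

Added example, not code from the Heimdal project or from the thread.
It models the rule from the reply: keep at least MIN_COUNT previous
passwords, and keep every password used within the last MAX_AGE
regardless of count.  Old passwords are stored only as salted PBKDF2
digests; names and parameters here are assumptions for illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Tuple

DAY = 86400
# Low iteration count so the example runs quickly; raise it in real use.
ITERATIONS = 20_000


@dataclass
class HistoryEntry:
    salt: bytes
    digest: bytes
    set_at: int  # epoch seconds when this password was set


def digest_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password; the plaintext is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def record_password(history: List[HistoryEntry], password: str, set_at: int) -> None:
    """Append a freshly salted digest of a password the principal just set."""
    salt = os.urandom(16)
    history.append(HistoryEntry(salt, digest_password(password, salt), set_at))


def prune_history(history: List[HistoryEntry], min_count: int,
                  max_age: int, now: int) -> List[HistoryEntry]:
    """Retention rule: newest min_count entries, plus anything younger than max_age.

    The two conditions are OR-ed: a principal who changes passwords often
    keeps more than min_count, and one who changes rarely still keeps
    min_count even when those entries are older than max_age.
    """
    newest_first = sorted(history, key=lambda e: e.set_at, reverse=True)
    cutoff = now - max_age
    return [e for i, e in enumerate(newest_first) if i < min_count or e.set_at >= cutoff]


def is_reused(history: List[HistoryEntry], candidate: str) -> bool:
    """True if the candidate matches any retained old password (constant-time compare)."""
    return any(
        hmac.compare_digest(digest_password(candidate, e.salt), e.digest)
        for e in history
    )


def check_new_password(history: List[HistoryEntry], candidate: str, min_count: int,
                       max_age: int, now: int) -> Tuple[bool, int]:
    """Prune, then reject reuse; returns (accepted, number of retained entries)."""
    retained = prune_history(history, min_count, max_age, now)
    return (not is_reused(retained, candidate), len(retained))


def demo(now: int = 1_000_000_000) -> Dict[str, Tuple[bool, int]]:
    """Constructed sample: five passwords set 200, 60, 30, 10 and 1 days ago.

    With min_count=3 and max_age=90 days the three newest are kept by
    count, the 60-day one by age, and the 200-day one drops out, so only
    that one may be reused.
    """
    history: List[HistoryEntry] = []
    for pw, age_days in [("p-200d", 200), ("p-60d", 60), ("p-30d", 30),
                         ("p-10d", 10), ("p-1d", 1)]:
        record_password(history, pw, now - age_days * DAY)
    min_count, max_age = 3, 90 * DAY
    return {
        candidate: check_new_password(history, candidate, min_count, max_age, now)
        for candidate in ["p-1d", "p-60d", "p-200d", "fresh-Pa55word"]
    }


if __name__ == "__main__":
    for pw, (ok, kept) in demo().items():
        print(f"{pw:16} accepted={ok} retained={kept}")
```

The pruning step is the part that answers the "minimum of x, plus everything in the last y" requirement; because a KDC only ever sees the new password in plaintext at change time, the comparison has to run against stored digests of the old ones, which is why a schema change to keep them is needed rather than a flat file.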