
Re: cracklib password check



Chris Hamilton <chris@ambigc.com> writes:

> To me it appears that no one is/has really considering checking
> password strength at the KDC, so I would like to know why.

I guess because it's not so easy.

If you want to enforce policy, you have to do it on the server if
people can run kpasswd or Windows, for instance.

It seems to me it would be useful to have PAM support in the _server_.
Then you can easily install existing checking module(s) or write a new
one to the PAM interface which would be reusable.  (I'd expect a
module to keep track of the history itself with db or similar, but I
haven't checked what's available.)  Assuming standard configurey for
the build, you wouldn't lose anything on systems without PAM, and you
might have a port anyway.

PAM (especially some of the modules) may be somewhat grotty, but it's
widespread and basically works.  It seems worth levering off it, and
I'd have worked on this if I was allowed to.