Re: cracklib password check



"Henry B.Hotz" <hbhotz@oxy.edu> writes:

> Heimdal already has a configurable loadable module for password
> checking.

Sure.

> (That's how cracklib() gets pulled in.)

[As far as I remember, it has to be a modified cracklib for some
reason, which is a pain, and means it can't readily go into OS
distributions.]

> Why not just write a Heimdal module that calls PAM if that's the way
> you want to do it?  

Of course that's what you'd do if you didn't want to modify the source
or try to contribute the support, though I vaguely remember spotting a
catch.  However, if the system has PAM, it should just be available by
default; then you can just drop a heimdal-kdc into pam.conf.d as you
want.  It's arguable what should happen with the existing mechanism in
that case.

Anyway, PAM support is really needed elsewhere -- at least in the
login program.  Otherwise there's a serious problem with access
control in an SSO system running a properly-Kerberized telnetd, at
least.  Obviously there should be support for similar systems to PAM
where appropriate, but I'm only familiar with OSF's moribund SIA.

I'm surprised if this would be controversial if someone contributed
clean code.  Sorry I can't.