
Re: cracklib password check



Dave Love wrote:
> Chris Hamilton <chris@ambigc.com> writes:
> 
>>To me it appears that no one is/has really considering checking
>>password strength at the KDC, so I would like to know why.
> 
> I guess because it's not so easy.
> 
> If you want to enforce policy, you have to do it on the server if
> people can run kpasswd or Windows, for instance.
> 
> It seems to me it would be useful to have PAM support in the _server_.
> Then you can easily install existing checking module(s) or write a new
> one to the PAM interface which would be reusable.  (I'd expect a
> module to keep track of the history itself with db or similar, but I
> haven't checked what's available.)  Assuming standard configurey for
> the build, you wouldn't lose anything on systems without PAM, and you
> might have a port anyway.
> 
> PAM (especially some of the modules) may be somewhat grotty, but it's
> widespread and basically works.  It seems worth levering off it, and
> I'd have worked on this if I was allowed to.
> 

Well, most of the structure of PAM is set up to do 'things' when account
events occur.  PAM is good at what it does, but most of what it does is
direct user-to-server stuff, i.e. access control.  In this case we are
only concerned with password checking; PAM does everything including
that.  Its API is kind of strange for our purposes (libraries get
executed according to the stacking config file patterns, take command
line and PAM helper functions in, and then directly talk to whatever
requested the event).

That is why I grabbed the cracklib module from it; it actually does most
password checks I know of.  It is simple and works, but Heimdal can't
use the old password db yet as it doesn't pass them.  I will try to use
BDB for storing (principal, password, timestamp) I guess and figure out
how to optionally pass old passwords (make it password_quality API
version 2?).  I'll ignore SAMBA integration issues for now.  Does
anyone have any other ideas?

Thanks,
Chris Hamilton
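As an added illustration of the module sketched in this thread (not code from Heimdal or from the poster), here is a server-side quality check that combines a small cracklib-style wordlist with a per-principal history. It follows the "NULL means accepted, otherwise a message" convention of a C quality hook; the dictionary, minimum length, history depth and iteration count are assumed values, the in-memory dict stands in for the BDB store, and history entries are kept as salted PBKDF2 hashes rather than the plaintext (principal, password, timestamp) triples mentioned above, which is my choice, not the thread's.

```python
"""Password-quality check with per-principal history (constructed example)."""
import hashlib
import hmac
import os
import time

MIN_LEN = 8            # assumption: site policy
HISTORY_DEPTH = 5      # assumption: how many old passwords to remember
ITERATIONS = 100_000   # assumption: PBKDF2 work factor, tune per deployment
# Tiny stand-in for a cracklib dictionary (constructed).
DICTIONARY = {"password", "secret", "letmein", "qwerty"}

# principal -> list of (salt, digest, timestamp), oldest first.
# Stands in for the BDB store discussed in the thread.
history = {}


def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def password_quality(principal, password):
    """Return None if the password is acceptable, otherwise a reason string
    (mirrors the 'NULL means OK' convention of a C quality hook)."""
    if len(password) < MIN_LEN:
        return "it is too short"
    if password.lower() in DICTIONARY:
        return "it is based on a dictionary word"
    local_part = principal.split("@", 1)[0].lower()
    if local_part and local_part in password.lower():
        return "it contains the principal name"
    # Only the most recent HISTORY_DEPTH entries count as "recent".
    for salt, digest, _ts in history.get(principal, [])[-HISTORY_DEPTH:]:
        if hmac.compare_digest(_digest(password, salt), digest):
            return "it was used recently"
    return None


def record_password(principal, password, now=None):
    """Call after a successful change; keeps only the last HISTORY_DEPTH entries."""
    salt = os.urandom(16)
    entries = history.setdefault(principal, [])
    entries.append((salt, _digest(password, salt), now or time.time()))
    del entries[:-HISTORY_DEPTH]
```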