[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: cracklib password check
Dave Love wrote:
> Chris Hamilton <firstname.lastname@example.org> writes:
>>To me it appears that no one is/has really considering checking
>>password strength at the KDC, so I would like to know why.
> I guess because it's not so easy.
> If you want to enforce policy, you have to do it on the server if
> people can run kpasswd or Windows, for instance.
> It seems to me it would be useful to have PAM support in the _server_.
> Then you can easily install existing checking module(s) or write a new
> one to the PAM interface which would be reusable. (I'd expect a
> module to keep track of the history itself with db or similar, but I
> haven't checked what's available.) Assuming standard configurey for
> the build, you wouldn't lose anything on systems without PAM, and you
> might have a port anyway.
> PAM (especially some of the modules) may be somewhat grotty, but it's
> widespread and basically works. It seems worth levering off it, and
> I'd have worked on this if I was allowed to.
Well most of the structure of PAM is setup to do 'things' when account
events occur. PAM is good at what it does, but most of what it does is
direct user to server stuff - ie. access control. In this case we are
only concerned with password checking, PAM does everything including
that. Its API is kind of strange for our purposes(libraries get
executed according to the stacking config file patterns and take command
line and PAM helper functions in and then directly talk to whatever
requested the event).
That is why I grabbed the cracklib module from it, it actually does most
password checks I know of. It is simple and works, but Heimdal can't
use the old password db yet as it doesn't pass them. I will try to use
BDB for storing (principal, password, timestamp) I guess and figure out
how to optionally pass old passwords(make it password_quality api
version 2?). I'll ignore SAMBA integration issues for now. Does
anyone have any other ideas?