[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Why Samba didn't use pam to hook into cracklib
Andrew Bartlett wrote:
> Finally, I should note my views on where this password quality check
> should be peformed. In an ideal world, I would perform this password
> quality check in the LDAP server too which Samba and Heimdal both read
> their password databases from. The password server should obtain a
> plaintext password (via for example the OpenLDAP password setup ExOP),
> and it should return a status regarding the quality of the password, if
> it were too poor. Preferably this would include a text error string,
> for communication to the client if supported by the relevant protocols.
> (And then a good password would be set in all encryption types and Samba
> hashes, into the LDAP DB).
Funny that you should say that, this is exactly what HP is doing. The
password policy overlay in OpenLDAP has a hook for dynamically loading a
password quality checker and the HP folks use this hook to run cracklib
on the incoming passwords.
> However, in a world where we don't yet do this, (Samba doesn't pass back
> specific errors from ldap very well, heimdal doesn't use the password
> set API, and we should cover the hdb-db), I would suggest cracklib be
> integrated into the password check API of heimdal as a child process, so
> that the two ways that a password may be set in my current directory
> setup are covered with some kind of check. On my unix workstations,
> I'll probably also enforce local pam_cracklib, as this can get previous
> passwords, as well as return decent error strings.
I guess it's worth considering for those sites that use a non-LDAP hdb
backing store. For sites that use the Heimdal KDC backed by LDAP there's
really no reason to do password changes through anything besides LDAP.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
Symas: Premier OpenSource Development and Support