Re: Password change?

Václav Hůla <ax@natur.cuni.cz> writes:

> Hello,
>   I'd like to ask if there's a simple way to ensure, when changing password 
> with kpasswd, that the old and new passwords are really different? 
> Currently I'm able to reuse my password immediately.

You should find that you can do that only once.  The test is that the
set of keys the password generates is different -- the password isn't
stored anywhere.  The password-change request could generate a
different set of keys in various circumstances, e.g. if you loaded
just arcfour keys from Windows initially, or if you moved from the 0.6
to the 0.7 KDC with the default key types, so that you get new AES
keys.  Presumably there could be an option to check whether the new
key set overlaps the old one, but as far as I know, this isn't
configurable, and you could get round it with successive changes.

By the way, there's an outstanding bug that reports an internal error
from kpasswdd when it does refuse `password reuse'.

> And it seems to me that the whole [password_quality] section applies
> not to the password server, but the client.

No, it runs on the server.  The interface for programming the checks
doesn't give you access to the key set for the principal, though, just
the new password (which you _could_ store between changes).  The
ipropd log gives you access to key history where you could check for
re-use, but probably not in a very convenient form.
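
The key-set comparison discussed in this message, modelled as an added example (not part of the original message and not Heimdal code). It assumes a simplified stand-in for string-to-key, a constructed salt, and a hypothetical `Principal` class whose `overlap` and `history` flags represent the stricter checks the reply speculates about.

```python
import hashlib

# Enctype name -> key length in bytes (used only by the stand-in derivation).
ENCTYPES = {"arcfour-hmac-md5": 16,
            "aes128-cts-hmac-sha1-96": 16,
            "aes256-cts-hmac-sha1-96": 32}

def toy_string_to_key(password, salt, enctype):
    """Stand-in for Kerberos string-to-key; NOT the real RFC 3961/3962 functions."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(),
                               (enctype + salt).encode(), 4096, ENCTYPES[enctype])

def key_set(password, salt, enctypes):
    """All keys one password yields for the configured enctypes."""
    return {(e, toy_string_to_key(password, salt, e)) for e in enctypes}

class Principal:
    """Hypothetical model of a KDC database entry; only key sets are kept."""
    def __init__(self, salt, password, enctypes):
        self.salt = salt
        self.history = [key_set(password, salt, enctypes)]

    def change(self, password, enctypes, overlap=False, history=False):
        new = key_set(password, self.salt, enctypes)
        # Default behaviour described above: compare with the current set only,
        # and refuse only when the whole set is unchanged.
        olds = self.history if history else self.history[-1:]
        if overlap:
            reused = any(old & new for old in olds)   # any shared key counts
        else:
            reused = any(old == new for old in olds)  # identical set only
        if reused:
            return False
        self.history.append(new)
        return True

if __name__ == "__main__":
    ALL = list(ENCTYPES)
    salt = "EXAMPLE.ORGalice"  # constructed sample value
    p = Principal(salt, "pw1", ["arcfour-hmac-md5"])  # e.g. keys loaded from Windows
    print("same password, new enctypes:", p.change("pw1", ALL))  # accepted once
    print("same password again:        ", p.change("pw1", ALL))  # refused
    print("change to pw2:              ", p.change("pw2", ALL))
    print("back to pw1:                ", p.change("pw1", ALL))  # successive changes
    q = Principal(salt, "pw1", ["arcfour-hmac-md5"])
    print("overlap check:              ", q.change("pw1", ALL, overlap=True))
```
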