[16191] in Kerberos_V5_Development
Re: Pasword quality pluggable interface project review
daemon@ATHENA.MIT.EDU (Nicolas Williams)
Mon Aug 30 00:25:41 2010
Date: Sun, 29 Aug 2010 23:24:34 -0500
From: Nicolas Williams <Nicolas.Williams@oracle.com>
To: ghudson@mit.edu
Message-ID: <20100830042433.GO1198@oracle.com>
In-Reply-To: <201008291616.o7TGGxum009115@outgoing.mit.edu>
Cc: krbdev@mit.edu

On Sun, Aug 29, 2010 at 12:16:59PM -0400, ghudson@mit.edu wrote:
> I uncovered one subtle issue during implementation: if a module's
> check method decides it doesn't like a new password, what error code
> should it return?

This is not at all a subtle issue.

See draft-ietf-krb-wg-kerberos-set-passwd-09 and discussions of it at
KRB-WG.

There is no way to have a code pre-assigned for every possible
sub-policy. All the well-known types of password quality sub-policies
can and should have a code assigned. For all others we should either
not allow them, have a single generic code, or have a way for the server
to send back localized text explaining the policy. For the last one
there's a need to pass a set of languages from the client to the server
and the password quality check plugins.

Finally, you'll find that using existing APIs, localizing to random
languages requires changing the entire process' locale!

Fun, eh?

Nico
--
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev