[16201] in Kerberos_V5_Development
Re: Pasword quality pluggable interface project review
daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Aug 30 15:46:53 2010
From: Greg Hudson <ghudson@mit.edu>
To: Nicolas Williams <Nicolas.Williams@oracle.com>
In-Reply-To: <20100830185904.GS1198@oracle.com>
Date: Mon, 30 Aug 2010 15:46:49 -0400
Message-ID: <1283197609.9882.218.camel@ray>
Mime-Version: 1.0
Cc: "krbdev@mit.edu" <krbdev@mit.edu>, "mdw@umich.edu" <mdw@umich.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
On Mon, 2010-08-30 at 14:59 -0400, Nicolas Williams wrote:
> Why would the same approach, minus the complex pam.conf control options
> (all modules would be "required"), not work here?
Password sync in Kerberos is about a little more than just passwords.
If you look at the Heimdal sync interface in krb5-strength, it
effectively has methods for:
* change password pre-commit
* change password post-commit
* create principal pre-commit
* create principal post-commit
* modify principal pre-commit
* modify principal post-commit
where the third one allows synchronization of things like account
lockout or disablement.
Yes, you can model password quality as a special case of password sync,
if password sync has pre-commit hooks--password quality is sort of like
syncing to a quality-controlled garbage bin. The cost is that password
quality modules have to ignore more crud that they're not interested in.
In particular, take heed of Russ's remarks here:
http://mailman.mit.edu/pipermail/krbdev/2010-August/009379.html
where he advocated for minimizing the interconnections between password
quality and kadmin/KDB at this stage.
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
