[16202] in Kerberos_V5_Development
Re: Password quality pluggable interface project review
daemon@ATHENA.MIT.EDU (Russ Allbery)
Mon Aug 30 15:47:17 2010
From: Russ Allbery <rra@stanford.edu>
To: "krbdev@mit.edu" <krbdev@mit.edu>
In-Reply-To: <20100830185904.GS1198@oracle.com> (Nicolas Williams's message of
"Mon, 30 Aug 2010 13:59:05 -0500")
Date: Mon, 30 Aug 2010 12:47:12 -0700
Message-ID: <87y6bnlw73.fsf@windlord.stanford.edu>

Nicolas Williams <Nicolas.Williams@oracle.com> writes:
> Also, consider how PAM handles password change and password quality
> checks. PAM has a single entry point for both, with a flag to indicate
> that this is a "preliminary check, don't change the password". PAM
> calls all the modules to do a prelim check first, then it calls them
> again without that flag.

This is a bad API that causes difficulty and confusion in implementing PAM
modules, as revealed by the fact that many password change PAM modules get
this wrong. This should have been two separate calls in PAM, one to check
the password and one to change it, and we should certainly not duplicate
this mistake elsewhere.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
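
An added example, not part of the thread and not taken from any PAM implementation: a self-contained C model of the flag-driven single entry point quoted above, showing one way a module can get it wrong by ignoring the preliminary-check flag. The flag names, module functions, quality rules and passwords are all hypothetical and constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>
/* Model only: real PAM passes PAM_PRELIM_CHECK and PAM_UPDATE_AUTHTOK to
 * pam_sm_chauthtok(). Every name below is hypothetical. */
enum { PRELIM_CHECK = 1, UPDATE_AUTHTOK = 2 };
enum { OK = 0, ERR = 1 };
struct store { char password[64]; int writes; };
typedef int (*module_fn)(struct store *s, const char *pw, int flags);
static int long_enough(const char *pw) { return strlen(pw) >= 12; }
static int has_digit(const char *pw) { return strpbrk(pw, "0123456789") != NULL; }
static void write_password(struct store *s, const char *pw) {
    snprintf(s->password, sizeof s->password, "%s", pw);
    s->writes++;
}

/* Correct module: both passes check, only the update pass writes. */
int mod_correct(struct store *s, const char *pw, int flags) {
    if (!long_enough(pw)) return ERR;
    if (flags & UPDATE_AUTHTOK) write_password(s, pw);
    return OK;
}
/* Buggy module: never tests the flag, so the preliminary pass writes too. */
int mod_buggy(struct store *s, const char *pw, int flags) {
    (void)flags;
    if (!long_enough(pw)) return ERR;
    write_password(s, pw);
    return OK;
}
/* A later module in the stack: a stricter quality check that stores nothing. */
int mod_digit_check(struct store *s, const char *pw, int flags) {
    (void)s; (void)flags;
    return has_digit(pw) ? OK : ERR;
}
/* Framework side: every module is called with PRELIM_CHECK, then all again
 * to update. A failure in the first pass must leave nothing changed. */
int change_password(module_fn *stack, size_t n, struct store *s, const char *pw) {
    for (size_t i = 0; i < n; i++)
        if (stack[i](s, pw, PRELIM_CHECK) != OK) return ERR;
    for (size_t i = 0; i < n; i++)
        if (stack[i](s, pw, UPDATE_AUTHTOK) != OK) return ERR;
    return OK;
}

/* Constructed scenario: the later module rejects the password (no digit).
 * Returns how many times the first module wrote to the store anyway. */
int writes_after_rejected_change(module_fn first) {
    struct store s = { "old-password", 0 };
    module_fn stack[] = { first, mod_digit_check };
    change_password(stack, 2, &s, "nodigitsbutlongenough");
    return s.writes;
}
```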