[16204] in Kerberos_V5_Development
Re: Pasword quality pluggable interface project review
daemon@ATHENA.MIT.EDU (Nicolas Williams)
Mon Aug 30 16:01:03 2010
Date: Mon, 30 Aug 2010 14:59:29 -0500
From: Nicolas Williams <Nicolas.Williams@oracle.com>
To: Russ Allbery <rra@stanford.edu>
Message-ID: <20100830195929.GU1198@oracle.com>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <87y6bnlw73.fsf@windlord.stanford.edu>
Cc: "krbdev@mit.edu" <krbdev@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
On Mon, Aug 30, 2010 at 12:47:12PM -0700, Russ Allbery wrote:
> Nicolas Williams <Nicolas.Williams@oracle.com> writes:
>
> > Also, consider how PAM handles password change and password quality
> > checks. PAM has a single entry point for both, with a flag to indicate
> > that this is a "preliminary check, don't change the password". PAM
> > calls all the modules to do a prelim check first, then it calls them
> > again without that flag.
>
> This is a bad API that causes difficulty and confusion in implementing PAM
> modules, as revealed by the fact that many password change PAM modules get
> this wrong. This should have been two separate calls in PAM, one to check
> the password and one to change it, and we should certainly not duplicate
> this mistake elsewhere.
I agree that the style of the API is confusing. There should have been
two entry points instead of one with a flag to distinguish the two modes
of operation.
However, the fact that PAM first checks that the change is OK, then does
it, is a good thing given that there's no way to rollback password
changes.
Nico
--
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
