Using cracklib with the KDC

Henry B. Hotz hotz at
Mon Oct 13 17:57:05 EDT 2003

At 12:00 PM -0400 10/12/03, Sam Hartman wrote:
>  >>>>> "Henry" == Henry B Hotz <hotz at> writes:
>     Henry> Does the MIT code have a user hook in the change password
>     Henry> function where I can link in cracklib? 
>No.  Nicolas Williams from Sun has proposed that the right way to do
>this is for the KDC to use libpam on systems that have it and to use
>the password stack to run modules like cracklib.  This seems like an
>interesting approach to try, but we have not yet implemented it.

I agree that doing the check in PAM on the client side is 
interesting, but it fulfills a different goal.

In my case the goal is institutional enforcement of some QA on 
passwords.  That means it has to be done at the server end, like 
Heimdal does it.  I suppose that I have the option of looking through 
the source code and implementing it myself.  I was just hoping it was 
easier than that.  (Consider this a feature request.)
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at, or hbhotz at

More information about the Kerberos mailing list