Using cracklib with the KDC
Henry B. Hotz
hotz at jpl.nasa.gov
Mon Oct 13 17:57:05 EDT 2003
At 12:00 PM -0400 10/12/03, Sam Hartman wrote:
> >>>>> "Henry" == Henry B Hotz <hotz at jpl.nasa.gov> writes:
>
> Henry> Does the MIT code have a user hook in the change password
> Henry> function where I can link in cracklib?
>
>No. Nicolas Williams from Sun has proposed that the right way to do
>this is for the KDC to use libpam on systems that have it and to use
>the password stack to run modules like cracklib. This seems like an
>interesting approach to try, but we have not yet implemented it.

I agree that doing the check in PAM on the client side is
interesting, but it fulfills a different goal.

In my case the goal is institutional enforcement of some QA on
passwords. That means it has to be done at the server end, like
Heimdal does it. I suppose that I have the option of looking through
the source code and implementing it myself. I was just hoping it was
easier than that. (Consider this a feature request.)
--
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu