Using cracklib with the KDC

Ken Hornstein kenh at
Tue Oct 14 13:18:58 EDT 2003

>In my case the goal is institutional enforcement of some QA on 
>passwords.  That means it has to be done at the server end, like 
>Heimdal does it.  I suppose that I have the option of looking through 
>the source code and implementing it myself.  I was just hoping it was 
>easier than that.  (Consider this a feature request.)

Like Sam already said, the suggestion was to implement this on the
server side.  But if you're interested, I already have code that does
this; contact me privately for a copy if you're interested.

(Personally, I think the idea of using libpam for password quality
checking is ... well, I can only say that even if the MIT code shipped
with this suppot, and I was using a system on my KDC that included
libpam, I'd _still_ go through the trouble of porting the cracklib over
and use that.  I'm not saying that PAM is bad, I just don't think it's
the right tool for the job here).


More information about the Kerberos mailing list