disable KADM5_PASS_REUSE error case?

Greg Hudson ghudson at MIT.EDU
Thu Jun 20 00:25:31 EDT 2013


On 06/19/2013 05:15 PM, Chris Hecker wrote:
> Is there a way to disable the error case for chpass to the same 
> password?  If somebody thinks they've forgotten their password, and I 
> send them a change password link and they type the old password in, 
> that's fine with me.  I don't see a way to specify this in the policy, 
> and the mit kadm5 code seems to always do the check, in my cursory 
> examination?

This is a tough call.  There is a nonlinearity in the policy code--a
policy -history value of 0 means the same thing as 1--which is most
likely a historical bug.  Obviously it would be better if 0 had the
distinct meaning of "no password reuse checking at all".

However, changing it now could reduce the security of existing
deployments, which we try hard to avoid.  In particular, sites which
enforce a minimum and maximum password lifetime, but have neglected to
set the -history value to 1 or more, would start allowing users to
change their password back to the same value again, defeating the point
of the lifetime restrictions.

We could introduce some kind of opt-in global configuration for the more
consistent meaning; I'm just not sure if it's worth the code and
documentation footprint.
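To make the non-linearity concrete, here is a small Python model of the reuse check as the message describes it: a -history of 0 is treated like 1 (the current key is always compared), and a hypothetical opt-in switch gives 0 the distinct "no reuse checking" meaning. This is an added illustration, not MIT krb5 code; the names `Policy`, `Principal`, `change_password` and the `strict_history_zero` flag are assumptions made here, and the scenario shows why the change would weaken a site that sets -minlife/-maxlife but never set -history.

```python
"""Toy model of a kadm5-style password-history policy check (added
illustration; not code from MIT krb5).  Reason strings are named after
the kadm5 error codes, but the logic and data structures are modelled
here, not copied."""
import hashlib
from dataclasses import dataclass, field

DAY = 86400


@dataclass
class Policy:
    history: int = 1    # -history: number of keys (current included) to compare
    minlife: int = 0    # -minlife in seconds; 0 = no minimum
    maxlife: int = 0    # -maxlife in seconds; expiry is enforced at login, not here


@dataclass
class Principal:
    key_history: list = field(default_factory=list)  # hashes, newest last
    last_change: int = 0                             # epoch seconds


def _h(password: str) -> str:
    # Stand-in for the stored key; a real KDC stores string-to-key output.
    return hashlib.sha256(password.encode()).hexdigest()


def effective_history(policy: Policy, strict_history_zero: bool = False) -> int:
    """Number of stored keys the new password is compared against.

    Current behaviour (as the message describes): 0 collapses to 1, so the
    current key is always checked.  With the hypothetical opt-in, 0 means
    'compare against nothing'."""
    if policy.history <= 0:
        return 0 if strict_history_zero else 1
    return policy.history


def change_password(princ: Principal, policy: Policy, new_pw: str, now: int,
                    strict_history_zero: bool = False):
    """Return (ok, reason).  Minimum-lifetime check first, then reuse check."""
    if princ.key_history and policy.minlife and now - princ.last_change < policy.minlife:
        return False, "KADM5_PASS_TOOSOON"
    n = effective_history(policy, strict_history_zero)
    if n and _h(new_pw) in princ.key_history[-n:]:
        return False, "KADM5_PASS_REUSE"
    princ.key_history.append(_h(new_pw))
    # Keep only what the policy will ever consult (always at least the current key).
    princ.key_history = princ.key_history[-max(n, 1):]
    princ.last_change = now
    return True, "ok"


def change_same_password_at_maxlife(history: int, strict_history_zero: bool = False):
    """The deployment the message worries about: -minlife 1d, -maxlife 90d,
    -history left at `history`.  On day 90 the user is forced to change and
    tries to 'change' to the very same password.  Returns (ok, reason)."""
    pol = Policy(history=history, minlife=DAY, maxlife=90 * DAY)
    p = Principal()
    ok, _ = change_password(p, pol, "hunter2", now=0)          # constructed sample
    assert ok
    return change_password(p, pol, "hunter2", now=90 * DAY,
                           strict_history_zero=strict_history_zero)


if __name__ == "__main__":
    print("history=0, current semantics :", change_same_password_at_maxlife(0))
    print("history=0, strict zero       :", change_same_password_at_maxlife(0, True))
    print("history=1, strict zero       :", change_same_password_at_maxlife(1, True))
```

Running it shows the trade-off in the message: with today's 0-means-1 behaviour the same-password change is refused with KADM5_PASS_REUSE, and only under the opt-in does -history 0 let the user keep the old password past -maxlife, which is exactly the outcome a site that forgot to set -history would silently inherit if the default changed.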


