disable KADM5_PASS_REUSE error case?

Tom Yu tlyu at MIT.EDU
Thu Jun 20 00:58:08 EDT 2013


Greg Hudson <ghudson at MIT.EDU> writes:

> On 06/19/2013 05:15 PM, Chris Hecker wrote:
>> Is there a way to disable the error case for chpass to the same 
>> password?  If somebody thinks they've forgotten their password, and I 
>> send them a change password link and they type the old password in, 
>> that's fine with me.  I don't see a way to specify this in the policy, 
>> and the mit kadm5 code seems to always do the check, in my cursory 
>> examination?
>
> This is a tough call.  There is a nonlinearity in the policy code--a
> policy -history value of 0 means the same thing as 1--which is most
> likely a historical bug.  Obviously it would be better if 0 had the
> distinct meaning of "no password reuse checking at all".

I think deleting the policy from the principal
(using "modprinc -clearpolicy") will remove all password policy
checks, including the unconditional check for repeating the most
recent password.  I'm not sure whether this is suitable for your
situation, because it's best used as a temporary one-shot measure, and
has other disadvantages.

> However, changing it now could reduce the security of existing
> deployments, which we try hard to avoid.  In particular, sites which
> enforce a minimum and maximum password lifetime, but have neglected to
> set the -history value to 1 or more, would start allowing users to
> change their password back to the same value again, defeating the point
> of the lifetime restrictions.
>
> We could introduce some kind of opt-in global configuration for the more
> consistent meaning; I'm just not sure if it's worth the code and
> documentation footprint.
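As an added audit check (not code from this thread or from MIT Kerberos): a Python script that parses the output of `kadmin.local -q "getpol NAME"` for each policy and lists those that enforce a password lifetime but leave -history at 0, i.e. the deployments Greg describes that currently rely on 0 behaving like 1. The getpol field labels and the sample output are assumptions constructed for the example.

```python
import re

# Constructed sample in the shape of `getpol` output; field labels assumed from MIT kadmin.
SAMPLE_GETPOL_OUTPUT = """\
Policy: staff
Maximum password life: 90 days 00:00:00
Minimum password life: 1 days 00:00:00
Number of old keys kept: 0

Policy: users
Maximum password life: 180 days 00:00:00
Minimum password life: 0
Number of old keys kept: 5

Policy: service
Maximum password life: 0
Minimum password life: 0
Number of old keys kept: 0
"""

def parse_policies(text):
    """Return {policy_name: {field: value}} from concatenated getpol output."""
    policies, current = {}, None
    for line in text.splitlines():
        if ":" not in line:
            continue  # blank lines and anything that is not a field
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "Policy":
            current = policies.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return policies

def lifetime_is_set(value):
    """kadmin prints an unset lifetime as '0' or '0 days 00:00:00'."""
    return re.fullmatch(r"0(\s+days\s+00:00:00)?", value) is None

def policies_relying_on_implicit_history(policies):
    """Policies that enforce a password lifetime but never set -history.
    They block reuse of the most recent password only because history 0
    currently behaves like 1, so they would regress if 0 meant 'no check'."""
    flagged = []
    for name, fields in policies.items():
        history = int(fields.get("Number of old keys kept", "0"))
        has_lifetime = any(lifetime_is_set(fields.get(k, "0"))
                           for k in ("Maximum password life", "Minimum password life"))
        if history == 0 and has_lifetime:
            flagged.append(name)
    return sorted(flagged)
```

Run it over the concatenated getpol output of every policy named by `getpols`; any policy it flags should get an explicit `modpol -history N` before any change to the meaning of 0 is considered.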


More information about the Kerberos mailing list