disable KADM5_PASS_REUSE error case?

Chris Hecker checker at d6.com
Thu Jun 20 12:52:09 EDT 2013


> We could introduce some kind of opt-in global configuration for the
> more consistent meaning; I'm just not sure if it's worth the code
> and documentation footprint.

Yeah, seems questionable.  Bummer about the 0 being 1, though.

Chris


On 2013-06-19 21:25, Greg Hudson wrote:
> On 06/19/2013 05:15 PM, Chris Hecker wrote:
>> Is there a way to disable the error case for chpass to the same
>> password?  If somebody thinks they've forgotten their password, and I
>> send them a change password link and they type the old password in,
>> that's fine with me.  I don't see a way to specify this in the policy,
>> and the MIT kadm5 code seems to always do the check, in my cursory
>> examination?
>
> This is a tough call.  There is a nonlinearity in the policy code--a
> policy -history value of 0 means the same thing as 1--which is most
> likely a historical bug.  Obviously it would be better if 0 had the
> distinct meaning of "no password reuse checking at all".
>
> However, changing it now could reduce the security of existing
> deployments, which we try hard to avoid.  In particular, sites which
> enforce a minimum and maximum password lifetime, but have neglected to
> set the -history value to 1 or more, would start allowing users to
> change their password back to the same value again, defeating the point
> of the lifetime restrictions.
>
> We could introduce some kind of opt-in global configuration for the more
> consistent meaning; I'm just not sure if it's worth the code and
> documentation footprint.
>
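As an added example (not from this thread or from the MIT krb5 code), a small audit that parses kadmin `get_policy` output and flags policies that enforce a password lifetime while leaving -history at 0, the situation Greg describes as depending on the 0-acts-as-1 quirk. The `get_policy` field labels and the "N days HH:MM:SS" duration format are assumed from MIT kadmin; the sample output is constructed.

```python
import re

# Constructed sample of `get_policy` output (labels follow MIT kadmin, values invented).
SAMPLE_OUTPUT = """\
Policy: users
Maximum password life: 90 days 00:00:00
Minimum password life: 1 day 00:00:00
Number of old keys kept: 0
Policy: admins
Maximum password life: 30 days 00:00:00
Minimum password life: 0 days 00:00:00
Number of old keys kept: 5
Policy: nolife
Maximum password life: 0 days 00:00:00
Minimum password life: 0 days 00:00:00
Number of old keys kept: 0
"""

FIELDS = {"Maximum password life": "maxlife", "Minimum password life": "minlife",
          "Number of old keys kept": "history"}

def kadmin_value(value):
    """Parse kadmin's 'N days HH:MM:SS' duration into seconds; pass integers through."""
    m = re.fullmatch(r"(?:(\d+) days? )?(\d+):(\d+):(\d+)", value.strip())
    if not m:
        return int(value)
    days, h, mi, s = (int(x or 0) for x in m.groups())
    return ((days * 24 + h) * 60 + mi) * 60 + s

def parse_policies(text):
    """Return {policy name: {'maxlife': secs, 'minlife': secs, 'history': n}}."""
    policies, current = {}, None
    for line in text.splitlines():
        label, _, value = line.partition(":")
        label, value = label.strip(), value.strip()
        if label == "Policy":
            current = policies.setdefault(value, {})
        elif current is not None and label in FIELDS:
            current[FIELDS[label]] = kadmin_value(value)
    return policies

def audit(policies):
    """Flag policies whose lifetime limits hold only because -history 0 acts like 1;
    setting -history 1 explicitly removes that dependency on the quirk."""
    findings = []
    for name, p in policies.items():
        lifetime = p.get("maxlife", 0) > 0 or p.get("minlife", 0) > 0
        if lifetime and p.get("history", 0) < 1:
            findings.append((name, "modify_policy -history 1 " + name))
    return findings
```

Feed it the real output of `kadmin.local -q "get_policy NAME"` for each policy in `list_policies` to audit a live KDC; the suggested `modify_policy` line is the explicit kadmin fix.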

