Password set/change error reporting
Nicolas.Williams at sun.com
Fri Apr 4 14:28:35 EST 2003
On Fri, Apr 04, 2003 at 12:20:46PM -0600, Paul W. Nelson wrote:
> Just would like to get some feedback on this idea to see if it is
> Currently, the version 2 draft proposes a single error code to handle policy
> > KRB5_KPASSWD_POLICY_REJECT 8 new cleartext password fails
> > policy; the result string
> > should include a text
> > message to be presented to
> > the user.
> Returning a string (current method) is OK, but makes it very difficult for
> writing internationalized/localized software. The person changing the
> password might be using Japanese as their language, and the kdc/kpasswd
> server might be serving a multi-lingual community.
Please see the early draft I posted to the IETF KRB WG list on March
17th, 2003. I've tried to make sure it is properly internationalized.
> I would like to see the version 2 draft specify extended error codes that
> enumerate common reasons for a password change failing. Here are some of
> the codes I would like to see:
> a) Password too short
> b) Password not complex enough
> c) Password cant be changed yet (too soon)
> d) Password was used previously
No, none of these is needed.
New password quality checks can be invented, but since these are
passwords it's always a user that must be told what was wrong with the
password, so what we need is for the server to tell, via a [UTF-8]
string, the user, in a language spoken (er, read) by the user, what was
wrong with the user's new password.
> BTW: What is the status of this draft? It looks like it has expired.
It's expired and I'm now the editor for it. I only have to fix
formatting and fill in a bit more text and check to make sure that the
text is fully consistent.
More information about the krbdev