login policy plugins? (was Re: Lists of LDAP requirements
Nicolas Williams
Nicolas.Williams at sun.com
Thu Jul 20 07:54:44 EDT 2006
On Wed, Jul 19, 2006 at 11:41:06PM -0700, Russ Allbery wrote:
> Nicolas Williams <Nicolas.Williams at sun.com> writes:
>
> > Good point. The proposed password/key set/change protocol allows for
> > extensible password quality policies. It'd be nice if MIT krb5
> > supported that.
>
> For password quality, what sort of support are you looking for other than
> support for a user-supplied password-checking plugin? (I say this as a
> Kerberos administrator for a site that cannot use anything less; the only
> language suitable for encoding our password quality policy is a full-blown
> programming language that can call out to such libraries as cracklib.
> Once you have that, is there really anything lesser that's of much use?)

Exactly that.

If you read the [currently expired; I'll re-submit rsn] KRB WG
password/key change/set protocol Internet-Draft you'll see that there are
localization considerations.

Password quality plug-ins need at least:

 - language tag inputs (what languages does the user claim to speak)
 - new password input (optional; the user may want one generated for
   them)
 - new password output (optional)
 - suggested new password output (optional)
 - error bitmask for "standard" password policies that user passwords
   fail (this is something MS wants, for client-side localization)
 - error strings that are localized to one of the user's languages

Nico
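
One way the plug-in inputs and outputs listed in the message above could map onto a C entry point, as an added example that is not part of the original message, the Internet-Draft, or MIT krb5. Every name (`pwq_check`, `pwq_out`, the `PWQ_*` bits), the three policy rules and the message strings are hypothetical; it assumes a system that provides `/dev/urandom`.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical interface: every name and bit value here is illustrative. */
enum { PWQ_TOO_SHORT = 1, PWQ_NO_DIGIT = 2, PWQ_HAS_NAME = 4, PWQ_INTERNAL = 8 };
enum { PWQ_MINLEN = 12, PWQ_GENLEN = 16 };
struct pwq_out {
    unsigned errors;                /* bitmask the client can localize itself */
    const char *lang, *message;     /* server-side text and its language tag */
    char new_pw[PWQ_GENLEN + 1];    /* filled when no password was supplied */
    char suggested[PWQ_GENLEN + 1]; /* filled when the supplied one is rejected */
};
static const char *const catalog[][2] = {   /* constructed sample strings */
    { "en", "New password does not meet the site policy." },
    { "de", "Das neue Passwort entspricht nicht der Richtlinie." },
};
unsigned pwq_policy(const char *name, const char *pw) {   /* "standard" checks */
    unsigned e = 0;
    if (strlen(pw) < PWQ_MINLEN) e |= PWQ_TOO_SHORT;
    if (strpbrk(pw, "0123456789") == NULL) e |= PWQ_NO_DIGIT;
    if (name[0] != '\0' && strstr(pw, name) != NULL) e |= PWQ_HAS_NAME;
    return e;
}
/* Draw candidates from /dev/urandom until one passes the same policy. */
static int pwq_generate(const char *name, char *buf) {
    static const char abc[] =       /* 64 symbols, so masking adds no bias */
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
    unsigned char raw[PWQ_GENLEN];
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) return -1;
    buf[PWQ_GENLEN] = '\0';
    do {
        if (fread(raw, 1, sizeof raw, f) != sizeof raw) { fclose(f); return -1; }
        for (size_t i = 0; i < sizeof raw; i++) buf[i] = abc[raw[i] & 63];
    } while (pwq_policy(name, buf) != 0);
    fclose(f);
    return 0;
}

/* langs: the user's language tags, most preferred first; pw may be NULL. */
struct pwq_out pwq_check(const char *const *langs, size_t n, const char *name, const char *pw) {
    struct pwq_out o = { 0 };
    size_t pick = 0;                    /* no shared language: use catalog[0] */
    if (pw != NULL && (o.errors = pwq_policy(name, pw)) == 0) return o; /* accepted */
    for (size_t i = n; i-- > 0; )       /* backwards, so the most preferred tag wins */
        for (size_t j = 0; j < sizeof catalog / sizeof catalog[0]; j++)
            if (strcmp(langs[i], catalog[j][0]) == 0) pick = j; /* exact match only */
    if (pw != NULL) { o.lang = catalog[pick][0]; o.message = catalog[pick][1]; }
    if (pwq_generate(name, pw ? o.suggested : o.new_pw) != 0) o.errors |= PWQ_INTERNAL;
    return o;
}
```

Returning both the bitmask and a localized string lets a client that has its own translations ignore `message`, while a client without them can display it as received.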