login policy plugins? (was Re: Lists of LDAP requirements

Nicolas Williams Nicolas.Williams at sun.com
Thu Jul 20 07:54:44 EDT 2006

On Wed, Jul 19, 2006 at 11:41:06PM -0700, Russ Allbery wrote:
> Nicolas Williams <Nicolas.Williams at sun.com> writes:
> > Good point.  The proposed password/key set/change protocol allows for
> > extensible password quality policies.  It'd be nice if MIT krb5
> > supported that.
> For password quality, what sort of support are you looking for other than
> support for a user-supplied password-checking plugin?  (I say this as a
> Kerberos administrator for a site that cannot use anything less; the only
> language suitable for encoding our password quality policy is a full-blown
> programming language that can call out to such libraries as cracklib.
> Once you have that, is there really anything lesser that's of much use?)

Exactly that.

If you read the [currently expired; I'll re-submit rsn] the KRB WG
password/key change/set protocol Internet-Draft you'll see that there's
localization considerations.

Password quality plug-ins need at least:

 - language tag inputs (what languages does the user claim to speak)

 - new password input (optional; the user may want one generated for

 - new password output (optional)

 - suggested new password output (optional)

 - error bitmask for "standard" password policies that user passwords
   fail (this is something MS wants, for client-side localization)

 - error strings that are localized to one of the user's languages


More information about the krbdev mailing list