Password quality pluggable interface project review

Russ Allbery rra at stanford.edu
Sun Aug 29 22:36:04 EDT 2010


ghudson at MIT.EDU writes:

>   * Add a string result argument to the check method (to be set to
>     NULL if the password passes quality checks), in the hopes that a
>     module-generated explanation could be conveyed to the user.  No
>     idea how this would ever be localized, though.  Also, the password
>     change protocol doesn't appear to have a way to communicate such
>     errors (looking at our implementation, anyway), so such strings
>     would only show up in the kadmind log.

The password change protocol definitely supports conveying password errors
all the way back to the client.  Here's an example with three different
string errors returned by the krb5-strength implementation (admittedly
with Heimdal, but that doesn't change the protocol issue).

windlord:~> kpasswd thoron
thoron at stanford.edu's Password: 
New password for thoron at stanford.edu: 
Verifying - New password for thoron at stanford.edu: 
Soft error : External password quality program failed: it's WAY too short
windlord:~> kpasswd thoron
thoron at stanford.edu's Password: 
New password for thoron at stanford.edu: 
Verifying - New password for thoron at stanford.edu: 
Soft error : External password quality program failed: it is too short
windlord:~> kpasswd thoron
thoron at stanford.edu's Password: 
New password for thoron at stanford.edu: 
Verifying - New password for thoron at stanford.edu: 
Soft error : External password quality program failed: it does not contain enough DIFFERENT characters

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
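
Added example, not part of the original message or of any Kerberos implementation: a parser for the reply field that carries the strings shown in the session above back to the client. It assumes the user-data layout of RFC 3244 (a 2-byte big-endian result code followed by the result string); the function name, enum labels and sample bytes are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Result codes carried in the reply's user-data (RFC 3244 values). */
enum { KPW_SUCCESS = 0, KPW_MALFORMED = 1, KPW_HARDERROR = 2,
       KPW_AUTHERROR = 3, KPW_SOFTERROR = 4 };

/* Constructed sample: code 4 followed by one string from the session above. */
static const unsigned char sample[] = "\x00\x04it is too short";
static char demo_buf[64];

/*
 * Split decrypted user-data into its 2-byte big-endian result code and the
 * result string that follows (not NUL-terminated on the wire).  The string is
 * server-supplied and ends up on a terminal, so bytes outside printable ASCII
 * are replaced with '?' (a simplification: real replies may carry UTF-8).
 * Returns the result code, or -1 if the data is too short to hold one.
 */
int kpw_parse_result(const unsigned char *data, size_t len,
                     char *out, size_t outlen)
{
    size_t i, n;

    if (data == NULL || out == NULL || outlen == 0 || len < 2)
        return -1;
    n = len - 2;
    if (n > outlen - 1)
        n = outlen - 1;             /* truncate rather than overflow */
    for (i = 0; i < n; i++) {
        unsigned char c = data[2 + i];
        out[i] = (c >= 0x20 && c < 0x7f) ? (char)c : '?';
    }
    out[n] = '\0';
    return (data[0] << 8) | data[1];
}

int main(void)
{
    int code = kpw_parse_result(sample, sizeof(sample) - 1,
                                demo_buf, sizeof(demo_buf));

    if (code < 0)
        return 1;
    printf("result code %d%s: %s\n", code,
           code == KPW_SOFTERROR ? " (soft error)" : "", demo_buf);
    return 0;
}
```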
