Pasword quality pluggable interface project review

Nicolas Williams Nicolas.Williams at
Mon Aug 30 00:24:34 EDT 2010

On Sun, Aug 29, 2010 at 12:16:59PM -0400, ghudson at wrote:
> I uncovered one subtle issue during implementation: if a module's
> check method decides it doesn't like a new password, what error code
> should it return?

This is not at all a subtle issue.

See draft-ietf-krb-wg-kerberos-set-passwd-09 and discussions of it at

There is no way to have a code pre-assigned for every possible
sub-policy.  All the well-known types of password quality sub-policies
can and should have a code assigned.  For all others we should either
not allow them, have a single generic code, or have a way for the server
to send back localized text explaining the policy.  For the last one
there's a need to pass a set of languages from the client to the server
and the password quality check plugins.

Finally, you'll find that using existing APIs, localizing to random
languages requires changing the entire process' locale!

Fun, eh?


More information about the krbdev mailing list