Pasword quality pluggable interface project review
Greg Hudson
ghudson at MIT.EDU
Mon Aug 30 11:54:01 EDT 2010
On Mon, 2010-08-30 at 11:38 -0400, Marcus Watts wrote:
> By "new plugin model" do you mean krb5int_open_plugin_dirs /
> krb5int_get_plugin_dir_data or something else? If you mean these
> functions then it's already done. If it's something else, then
> I guess it depends on how closely the new functionality matches these.
http://k5wiki.kerberos.org/wiki/Projects/Plugin_support_improvements
What we arrived at doesn't have the properties you discussed about the
PAM framework:
* Module registrations aren't parameterized (but modules can read
associations from the profile, so they don't require separate config
files).
* Module registrations aren't ordered.
* Registration of built-in modules is automatic, although built-in
modules can be disabled.
* Modules cannot be multiply registered; the end result of module
registration is a mapping of name to (unique) module, even for
one-to-many interfaces (such as password quality) where module names are
unimportant.
While we still have the technical freedom to replace this model with
something more PAM-like, I'm not currently convinced that it's
desirable.
More information about the krbdev
mailing list