Pasword quality pluggable interface project review

Greg Hudson ghudson at MIT.EDU
Mon Aug 30 11:54:01 EDT 2010

On Mon, 2010-08-30 at 11:38 -0400, Marcus Watts wrote:
> By "new plugin model" do you mean krb5int_open_plugin_dirs /
> krb5int_get_plugin_dir_data or something else?  If you mean these
> functions then it's already done.  If it's something else, then
> I guess it depends on how closely the new functionality matches these.

What we arrived at doesn't have the properties you discussed about the
PAM framework:

* Module registrations aren't parameterized (but modules can read
associations from the profile, so they don't require separate config

* Module registrations aren't ordered.

* Registration of built-in modules is automatic, although built-in
modules can be disabled.

* Modules cannot be multiply registered; the end result of module
registration is a mapping of name to (unique) module, even for
one-to-many interfaces (such as password quality) where module names are

While we still have the technical freedom to replace this model with
something more PAM-like, I'm not currently convinced that it's

More information about the krbdev mailing list