Password quality pluggable interface project review

Nicolas Williams Nicolas.Williams at oracle.com
Mon Aug 30 14:59:05 EDT 2010


On Mon, Aug 30, 2010 at 12:26:50PM -0500, Nicolas Williams wrote:
> On Mon, Aug 30, 2010 at 12:57:18PM -0400, Greg Hudson wrote:
> > We're planning to create a separate password synchronization interface
> > modeled after the one in krb5-sync.
> > 
> > Although naively, password quality and password sync feel like the same
> > kind of hook, once you get to the detail level they are rather
> > different.  (Also, the easiest way of ensuring that password quality
> > checks happen before password sync checks is to make them separate
> > interfaces.)
> 
> They're quite similar.  At first glance I can only think of two
> differences:

Also, consider how PAM handles password change and password quality
checks.  PAM has a single entry point for both, with a flag to indicate
that this is a "preliminary check, don't change the password".  PAM
calls all the modules to do a prelim check first, then it calls them
again without that flag.

PAM modules can do password quality checks and _prepare_ to change the
password, during the preliminary check.  If a module needs to talk to a
directory via LDAP, say, the module would open the LDAP connection
during the prelim check, so that failure to open the LDAP connection can
cause failure to change the password _before_ any other modules change
the password elsewhere.  This way the window for failures that leave
passwords out of sync is narrowed quite a bit (e.g., transient network
failures during the second phase of the password sync).

There is no password change rollback feature in PAM, and I suspect that
in general password change rollback facilities don't exist (there isn't
one for Kerberos change protocols, there isn't one for LDAP, ...) and
likely won't exist.

Why would the same approach, minus the complex pam.conf control options
(all modules would be "required"), not work here?

Nico
-- 



More information about the krbdev mailing list
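
The two-phase dispatch described in the message above, as an added example that is not part of the original post and is not PAM or krb5 code: every module is treated as "required", all preliminary checks run before any module writes, and there is no rollback. All type and function names are hypothetical, and the KDC and LDAP backends are simulated by flags.

```c
#include <string.h>

/* Hypothetical names throughout (added example). PAM's own flags for the
 * two passes are PAM_PRELIM_CHECK and PAM_UPDATE_AUTHTOK. */
enum phase { PHASE_PRELIM, PHASE_UPDATE };
struct pw_module {
    int (*chpw)(struct pw_module *self, enum phase ph, const char *newpw);
    int backend_up;  /* constructed: is the backend reachable? */
    int prepared;    /* set in the prelim phase (connection opened) */
    int updates;     /* times the password was actually written */
};

/* Quality module: rejects short passwords during prelim; stores nothing. */
static int quality_chpw(struct pw_module *m, enum phase ph, const char *newpw) {
    (void)m;
    return (ph == PHASE_PRELIM && strlen(newpw) < 8) ? -1 : 0;
}

/* Sync module: prelim opens the backend connection, update writes. */
static int sync_chpw(struct pw_module *m, enum phase ph, const char *newpw) {
    (void)newpw;
    if (ph == PHASE_PRELIM)
        return (m->prepared = m->backend_up) ? 0 : -1;
    if (!m->prepared) return -1;
    m->updates++;
    return 0;
}

/* Every module is "required": 0 = changed everywhere, -1 = prelim failed
 * (nothing written), -2 = update failed (no rollback, stores may differ). */
int change_password(struct pw_module *mods, size_t n, const char *newpw) {
    for (size_t i = 0; i < n; i++)
        if (mods[i].chpw(&mods[i], PHASE_PRELIM, newpw) != 0) return -1;
    for (size_t i = 0; i < n; i++)
        if (mods[i].chpw(&mods[i], PHASE_UPDATE, newpw) != 0) return -2;
    return 0;
}

/* Constructed scenario: quality check, KDC store, LDAP store. Returns how
 * many stores were written; *rc receives change_password()'s result. */
int demo(const char *newpw, int ldap_up, int *rc) {
    struct pw_module mods[] = {
        { quality_chpw, 1, 0, 0 },
        { sync_chpw, 1, 0, 0 },        /* KDC database */
        { sync_chpw, ldap_up, 0, 0 },  /* LDAP directory */
    };
    *rc = change_password(mods, 3, newpw);
    return mods[1].updates + mods[2].updates;
}
```

With the LDAP backend down, `demo()` reports zero stores written even though the KDC module runs first, because the failure surfaces in the preliminary pass. The `-2` result marks the remaining window in which a failure during the update pass leaves the stores out of sync.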