Pasword quality pluggable interface project review

Greg Hudson ghudson at MIT.EDU
Mon Aug 30 15:46:49 EDT 2010

On Mon, 2010-08-30 at 14:59 -0400, Nicolas Williams wrote:
> Why would the same approach, minus the complex pam.conf control options
> (all modules would be "required"), not work here?

Password sync in Kerberos is about a little more than just passwords.
If you look at the Heimdal sync interface in krb5-strength, it
effectively has methods for:

  * change password pre-commit
  * change password post-commit
  * create principal pre-commit
  * create principal post-commit
  * modify principal pre-commit
  * modify principal post-commit

where the third one allows synchronization of things like account
lockout or disablement.

Yes, you can model password quality as a special case of password sync,
if password sync has pre-commit hooks--password quality is sort of like
syncing to a quality-controlled garbage bin.  The cost is that password
quality modules have to ignore more crud that they're not interested in.
In particular, take heed of Russ's remarks here:

where he advocated for minimizing the interconnections between password
quality and kadmin/KDB at this stage.

More information about the krbdev mailing list