Pasword quality pluggable interface project review
Greg Hudson
ghudson at MIT.EDU
Mon Aug 30 15:46:49 EDT 2010
On Mon, 2010-08-30 at 14:59 -0400, Nicolas Williams wrote:
> Why would the same approach, minus the complex pam.conf control options
> (all modules would be "required"), not work here?
Password sync in Kerberos is about a little more than just passwords.
If you look at the Heimdal sync interface in krb5-strength, it
effectively has methods for:
* change password pre-commit
* change password post-commit
* create principal pre-commit
* create principal post-commit
* modify principal pre-commit
* modify principal post-commit
where the third one allows synchronization of things like account
lockout or disablement.
Yes, you can model password quality as a special case of password sync,
if password sync has pre-commit hooks--password quality is sort of like
syncing to a quality-controlled garbage bin. The cost is that password
quality modules have to ignore more crud that they're not interested in.
In particular, take heed of Russ's remarks here:
http://mailman.mit.edu/pipermail/krbdev/2010-August/009379.html
where he advocated for minimizing the interconnections between password
quality and kadmin/KDB at this stage.
More information about the krbdev
mailing list