Pasword quality pluggable interface project review
rra at stanford.edu
Mon Aug 30 15:47:12 EDT 2010
Nicolas Williams <Nicolas.Williams at oracle.com> writes:
> Also, consider how PAM handles password change and password quality
> checks. PAM has a single entry point for both, with a flag to indicate
> that this is a "preliminary check, don't change the password". PAM
> calls all the modules to do a prelim check first, then it calls them
> again without that flag.
This is a bad API that causes difficulty and confusion in implementing PAM
modules, as revealed by the fact that many password change PAM modules get
this wrong. This should have been two separate calls in PAM, one to check
the password and one to change it, and we should certainly not duplicate
this mistake elsewhere.
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
More information about the krbdev