Pasword quality pluggable interface project review

Russ Allbery rra at
Mon Aug 30 15:47:12 EDT 2010

Nicolas Williams <Nicolas.Williams at> writes:

> Also, consider how PAM handles password change and password quality
> checks.  PAM has a single entry point for both, with a flag to indicate
> that this is a "preliminary check, don't change the password".  PAM
> calls all the modules to do a prelim check first, then it calls them
> again without that flag.

This is a bad API that causes difficulty and confusion in implementing PAM
modules, as revealed by the fact that many password change PAM modules get
this wrong.  This should have been two separate calls in PAM, one to check
the password and one to change it, and we should certainly not duplicate
this mistake elsewhere.

Russ Allbery (rra at             <>

More information about the krbdev mailing list