Pasword quality pluggable interface project review

Nicolas Williams Nicolas.Williams at
Mon Aug 30 15:59:29 EDT 2010

On Mon, Aug 30, 2010 at 12:47:12PM -0700, Russ Allbery wrote:
> Nicolas Williams <Nicolas.Williams at> writes:
> > Also, consider how PAM handles password change and password quality
> > checks.  PAM has a single entry point for both, with a flag to indicate
> > that this is a "preliminary check, don't change the password".  PAM
> > calls all the modules to do a prelim check first, then it calls them
> > again without that flag.
> This is a bad API that causes difficulty and confusion in implementing PAM
> modules, as revealed by the fact that many password change PAM modules get
> this wrong.  This should have been two separate calls in PAM, one to check
> the password and one to change it, and we should certainly not duplicate
> this mistake elsewhere.

I agree that the style of the API is confusing.  There should have been
two entry points instead of one with a flag to distinguish the two modes
of operation.

However, the fact that PAM first checks that the change is OK, then does
it, is a good thing given that there's no way to rollback password


More information about the krbdev mailing list