Re: cracklib password check
Dave Love wrote:
> "Henry B.Hotz" <hbhotz@oxy.edu> writes:
>
>> Heimdal already has a configurable loadable module for password
>> checking.
>
> Sure.
>
>> (That's how cracklib() gets pulled in.)
>
> [As far as I remember, it has to be a modified cracklib for some
> reason, which is a pain, and means it can't readily go into OS
> distributions.]
>
>> Why not just write a Heimdal module that calls PAM if that's the way
>> you want to do it?
>
> Of course that's what you'd do if you didn't want to modify the source
> or try to contribute the support, though I vaguely remember spotting a
> catch. However, if the system has PAM, it should just be available by
> default; then you can just drop a heimdal-kdc into pam.conf.d as you
> want. It's arguable what should happen with the existing mechanism in
> that case.
>
> Anyway, PAM support is really needed elsewhere -- at least in the
> login program. Otherwise there's a serious problem with access
> control in an SSO system running a properly-Kerberized telnetd, at
> least. Obviously there should be support for similar systems to PAM
> where appropriate, but I'm only familiar with OSF's moribund SIA.
>
> I'm surprised if this would be controversial if someone contributed
> clean code. Sorry I can't.
>
Um, I am not sure what you mean here.

Do you mean something like pam_krb5 (Heimdal being an authenticator
mechanism/kinit starter)? That already exists at least for Heimdal in
Linux PAM and should be somewhat portable, if not elsewhere.

Do you mean making Heimdal delegate to PAM like an SMTP or login service
would (authentication and/or just checking passwords)? I am not sure that
is a good idea either way. Heimdal should be the ultimate authority on
principals. It is a bit much just to plug it in for password checking,
but I think it could be done with a wrapper.

As for 'k'telnet, well, I guess it would be up to its implementation, but
I don't see why it couldn't go straight to Kerberos and optionally fall
back to PAM for authentication. Things like the session and other ACLs
could be put in through PAM either way. But that is not specific to PAM
and Heimdal, just to a robust ktelnet service. That is how OpenSSH is
supposed to work with Kerberos and PAM together.