
Re: cracklib password check

Dave Love wrote:
> "Henry B.Hotz" <hbhotz@oxy.edu> writes:
> 
>>Heimdal already has a configurable loadable module for password
>>checking.
> 
> Sure.
> 
>>(That's how cracklib() gets pulled in.)
> 
> [As far as I remember, it has to be a modified cracklib for some
> reason, which is a pain, and means it can't readily go into OS
> distributions.]
> 
>>Why not just write a Heimdal module that calls PAM if that's the way
>>you want to do it?  
> 
> Of course that's what you'd do if you didn't want to modify the source
> or try to contribute the support, though I vaguely remember spotting a
> catch.  However, if the system has PAM, it should just be available by
> default; then you can just drop a heimdal-kdc into pam.conf.d as you
> want.  It's arguable what should happen with the existing mechanism in
> that case.
> 
> Anyway, PAM support is really needed elsewhere -- at least in the
> login program.  Otherwise there's a serious problem with access
> control in an SSO system running a properly-Kerberized telnetd, at
> least.  Obviously there should be support for similar systems to PAM
> where appropriate, but I'm only familiar with OSF's moribund SIA.
> 
> I'm surprised if this would be controversial if someone contributed
> clean code.  Sorry I can't.
> 
Um, I am not sure what you mean here.

Do you mean something like pam_krb5 (Heimdal being an authenticator 
mechanism/kinit starter)?  That already exists at least for Heimdal in 
Linux PAM and should be somewhat portable if not elsewhere.

Do you mean making Heimdal delegate to PAM like an SMTP or login service 
would (authentication and/or just checking passwords)?  I am not sure that 
is a good idea either way.  Heimdal should be the ultimate authority on 
principals.  It is a bit much just to plug it in for password checking, 
but I think it could be done with a wrapper.

As for 'k'telnet, well I guess it would be up to its implementation, but 
I don't see why it couldn't go straight to Kerberos and optionally fall 
back to PAM for authentication.  Things like the session and other ACLs 
could be put in through PAM either way.  But that is not specific to PAM 
and Heimdal, just to a robust ktelnet service.  That is how OpenSSH is 
supposed to work with Kerberos and PAM together.