Re: Why Samba didn't use pam to hook into cracklib
Andrew Bartlett wrote:
> Finally, I should note my views on where this password quality check
> should be performed. In an ideal world, I would perform this password
> quality check in the LDAP server too which Samba and Heimdal both read
> their password databases from. The password server should obtain a
> plaintext password (via for example the OpenLDAP password setup ExOP),
> and it should return a status regarding the quality of the password, if
> it were too poor. Preferably this would include a text error string,
> for communication to the client if supported by the relevant protocols.
> (And then a good password would be set in all encryption types and Samba
> hashes, into the LDAP DB).
Funny that you should say that; this is exactly what HP is doing. The
password policy overlay in OpenLDAP has a hook for dynamically loading a
password quality checker and the HP folks use this hook to run cracklib
on the incoming passwords.
> However, in a world where we don't yet do this, (Samba doesn't pass back
> specific errors from ldap very well, heimdal doesn't use the password
> set API, and we should cover the hdb-db), I would suggest cracklib be
> integrated into the password check API of heimdal as a child process, so
> that the two ways that a password may be set in my current directory
> setup are covered with some kind of check. On my unix workstations,
> I'll probably also enforce local pam_cracklib, as this can get previous
> passwords, as well as return decent error strings.
I guess it's worth considering for those sites that use a non-LDAP hdb
backing store. For sites that use the Heimdal KDC backed by LDAP there's
really no reason to do password changes through anything besides LDAP.
--
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
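The ppolicy hook Howard describes, as an added example that is not code from this thread or from HP's module: a minimal pwdCheckModule in C for slapo-ppolicy. It assumes the 2.4-era hook signature `int check_password(char *pPasswd, char **ppErrStr, Entry *pEntry)` and that slapd frees the error string; since cracklib's library and dictionary are not available here, a small constructed word list stands in for the FascistCheck() call a cracklib-backed module would make.

```c
/* Added example, not code from the thread: a minimal slapo-ppolicy
 * pwdCheckModule (built as a shared object, named in a ppolicy entry's
 * pwdCheckModule attribute). Assumes the 2.4-era hook signature and that
 * slapd frees *ppErrStr; Entry is opaque so it builds without slap.h. */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
typedef struct Entry Entry;      /* opaque stand-in for slapd's Entry type */
#define LDAP_SUCCESS 0x00        /* result codes as defined in ldap.h */
#define LDAP_OTHER   0x50
/* Constructed stand-in word list; cracklib's FascistCheck() would go here. */
static const char *const bad_words[] = { "password", "letmein", "qwerty", NULL };
/* Return NULL if pw is acceptable, otherwise a static reason string. */
const char *password_problem(const char *pw)
{
    size_t i, len = strlen(pw);
    int lower = 0, upper = 0, digit = 0, other = 0;
    char folded[64];
    if (len < 12)
        return "password is too short";
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)pw[i];
        if (islower(c)) lower = 1;
        else if (isupper(c)) upper = 1;
        else if (isdigit(c)) digit = 1;
        else other = 1;
    }
    if (lower + upper + digit + other < 3)
        return "password needs at least three character classes";
    for (i = 0; i < len && i < sizeof folded - 1; i++)   /* bounded, case-folded */
        folded[i] = (char)tolower((unsigned char)pw[i]);
    folded[i] = '\0';
    for (i = 0; bad_words[i]; i++)
        if (strstr(folded, bad_words[i]))
            return "password is based on a dictionary word";
    return NULL;
}
/* Entry point slapo-ppolicy resolves with dlsym() and calls with the
 * plaintext password; never log pPasswd. */
int check_password(char *pPasswd, char **ppErrStr, Entry *pEntry)
{
    const char *why = password_problem(pPasswd);
    (void)pEntry;                /* the user's entry is not consulted here */
    if (why == NULL)
        return LDAP_SUCCESS;
    if (ppErrStr)
        *ppErrStr = strdup(why); /* assumed: released by slapd */
    return LDAP_OTHER;
}
```

A rejected change reaches the client as an LDAP error whose text is the reason string, which is the "decent error string" behaviour the thread asks for.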