[Fedora-directory-users] Re: enforce strong passwords
Richard Megginson
rmeggins at redhat.com
Fri Jan 20 01:16:38 UTC 2006
Howard Chu wrote:
>>
>> Message: 5 Date: Thu, 19 Jan 2006 14:25:16 -0700 From: Richard
>> Megginson <rmeggins at redhat.com> Jo De Troy wrote: > Hello,
>>
>>> >
>>> > I was wondering if anyone was looking into enforcement of strong >
>>> passwords.
>>> > I'm not a hardcore C programmer but I'm willing to help. But first
>>> > I'll have to try in getting the current version compiled.
>>> > I'm certainly willing to do some testing.
>>>
>>
>>
>> Funny you should mention that. We're looking at that issue right
>> now. What sort of things would you want to check for?
>> min number of lower case
>> min number of upper case
>> min number of digits
>> min number of alphanumerics
>> min number of special chars
>> no user data in password
>> dictionary checking? If so, how? /usr/share/dict/words?
>>
>>
>
> For OpenLDAP's password policy module we define an attribute in the
> policy object that gives the pathname of a dynamically loaded module
> that can perform further quality checks. We pass in the password that
> is being set, an error string pointer, and the user's current entry
> and get a yes/no result code back. I suggest a similar approach here;
> it's too limiting to just hardcode one set of rules into the server.
> (Heck, if we used SLAPI, we could write these modules interchangeably
> between OpenLDAP and FDS.) Symas currently has a module that checks
> against cracklib. You could bundle one or two standard modules and go
> from there. Probably we should have extended our API to include a
> pointer to the current policy object as well. The point is to make the
> API simple enough and expressive enough that end-users can plug in
> whatever constraints they want.
Yes. That's the intention - make password policy pluggable. It's going
to be a bit more work to add the entry points to the code. We should
support the attribute that you described.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3178 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20060119/24ea732b/attachment.bin>
More information about the Fedora-directory-users
mailing list