[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: passwd



Al Longyear writes:
>The actual passwd+ code for strength testing the passwords is complete   
>and functional. I am not aware, or perhaps have forgotten if I was   
>informed, of any problems with the code. If I missed something, then I'll   
>fix it.

I didn't realize that the passwd+ module did nearly as much as it did.  I
only mentioned npasswd (we actually use npasswd-boulder, so I may have
been a bit misleading) because I was thinking from the base of existing
software.

passwd+ should be sufficient, and that makes me happy because it makes
my job easier.  Thanks for pointing this out to me.  I'll make it the
default, and be pleased.

>I do have one request however, and that is that people who distribute the   
>package (as, for example, RedHat when they build their distribution to   
>use PAM) also include the passwd+ module code with it. You don't need to   
>hook it into the /etc/pam.conf file, but at least include it with the   
>rest of the modules. Please just don't 'pick and choose' what you will   
>package with a distribution. That is not fair.

I will not be removing *any* modules for Red Hat, don't worry.
I'm not a fascist.  I just want to do the right thing and not
break Red Hat in the process of pamifying it...  We will include
every module in Linux-PAM that doesn't violate export restrictions.
That is, we can't ship a kerberos module with Red Hat, but we
*can* put it on the ftp site.  Other than that, there is no reason
for us to be stupid...

One thing that npasswd did right that passwd+ doesn't seem to is that
when passing the password to a helper application, it popens it and
passes it on stdin instead of as a command-line argument.  Passing
passwords as command-line arguments (such as with the ispell.test
shell script) is a very, very bad idea.  We really want to have
dictionary checking, but doing it the way the passwd+ module currently
does it is more insecure than not doing it at all.

Al, can you fix that?

Thanks very much,

michaelkjohnson

"Ever wonder why the SAME PEOPLE make up ALL the conspiracy theories?"




[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []