[PATCH] Password history support

Andrew Bartlett abartlet at samba.org
Wed Dec 24 11:50:14 GMT 2003


On Wed, 2003-12-24 at 20:43, Aurélien Degrémont wrote:
> Hi,
> 
> Could you give me some feedback about this ? In order to correct it, 
> enhance it. 

The salt should be variable, not just "salt" ;-)

Tack the salt to the front of the MD5ed output.  That way, you cannot
tell if two users had the same password in the past (ok, given we have
password equivalent values in the ntPassword field, the attacker who has
these has already won, but anyway...)

> I want to finish the missing backend support, but, before 
> that, I'd like to be sure the two first ones are ok, to avoid the same 
> mistakes.

It looks pretty good - except... ;-)

 - I would like a better data structure for internal use.  A char **,
not a long char *.

 - Develop a real system for manipulating the password history as a
queue - make the interface to the backends implement this.  The backends
should not be asked to rewrite the entire list, if we are just adding to
it.  Likewise, the backend can take care of clearing the list.

 - The ldap-based backend needs to be sorted (ie, each entry needs to
have a prefix of some kind, a rolling counter probably) or you cannot
know you are removing the last from the list.

 - pdb_set_plaintext_password should update the history, not the callers
(where we have the plaintext).  
 - Another helper function setting the password and updating the history
might be the right way to handle the other cases.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
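The salted history entry Andrew describes (a per-entry random salt tacked in front of the MD5 of salt plus the password-equivalent value, kept as a fixed-depth queue) as an added example in Python; this is not Samba code, and the 16-byte salt length, the history depth of 3 and the sample password-equivalent bytes are constructed assumptions.

```python
import hashlib
import hmac
import os
from collections import deque
from typing import Deque, Optional

SALT_LEN = 16  # assumed size of the random per-entry salt, in bytes


def make_history_entry(pw_equiv: bytes, salt: Optional[bytes] = None) -> bytes:
    """Return salt || MD5(salt || pw_equiv).

    pw_equiv is the stored password-equivalent value (e.g. an NT hash).
    Because each entry carries its own random salt, two users (or one user at
    two points in time) with the same password get different history entries,
    so equality of entries leaks nothing about equality of passwords.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be %d bytes" % SALT_LEN)
    return salt + hashlib.md5(salt + pw_equiv).digest()


def entry_matches(entry: bytes, pw_equiv: bytes) -> bool:
    """Recompute the digest with the salt stored in the entry and compare."""
    salt, digest = entry[:SALT_LEN], entry[SALT_LEN:]
    return hmac.compare_digest(hashlib.md5(salt + pw_equiv).digest(), digest)


def in_history(history: Deque[bytes], pw_equiv: bytes) -> bool:
    """True if pw_equiv equals any password still kept in the history queue."""
    return any(entry_matches(e, pw_equiv) for e in history)


def push_history(history: Deque[bytes], pw_equiv: bytes,
                 salt: Optional[bytes] = None) -> None:
    """Append a new entry; deque(maxlen=...) silently drops the oldest one,
    which is the queue behaviour the backend interface should expose."""
    history.append(make_history_entry(pw_equiv, salt))


# Constructed sample password-equivalent values (not real hashes).
PW_OLD = bytes.fromhex("00112233445566778899aabbccddeeff")
PW_NEW = bytes.fromhex("ffeeddccbbaa99887766554433221100")
HISTORY_DEPTH = 3  # constructed policy value
```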