password quality script aka --with-cracklib replacement

Andrew Bartlett abartlet at samba.org
Thu Feb 13 20:43:57 GMT 2003


On Fri, 2003-02-14 at 02:09, David Collier-Brown -- Customer Engineering
wrote:
> Martin Pool wrote:
> > The PAM module might store previous passwords in a database (e.g. tdb)
> > that it maintains.  Every time a password is set, it gets put in
> > there, with any other appropriate information (date?).  When a new
> > password-setting attempt is made, it checks against the history, plus
> > other strength checks.
> 
> 	Do we even need to save the decrypted password?
> 	A colleague once saved old encrypted passwords
> 	to allow the "do they really know the old one"
> 	test to be done via challange-response.

Anybody doing this 'must change password every x days' thing has to
store the decrypted password, or else your users change from password1
to password2 to password3 then back to password1.

We need to allow this possibility.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20030214/d5b559f4/attachment.bin


More information about the samba-technical mailing list