Re: [owl-users] pam_passwdqc and history

From: Vincent Danen (vdanen@private)
Date: Sat Jun 23 2007 - 19:16:06 PDT


* (GalaxyMaster) <galaxy@private> [2007-06-24 01:23:46 +0400]:

>Thanks for a good question I was wondering whether it could be done on
>Owl too (however, I haven't investigated the issue for real).

I had actually never thought of it before, but I'm trying to convince
some of the other folks at Mandriva to use pam_passwdqc and tcb by
default... =)  Makes for some rather stunning arguments.

>On Sun, Jun 24, 2007 at 12:53:51AM +0400, gremlin@private wrote:
>> 
>> It does NOT and, I hope, never will - all these "password
>> history policies" require storing plaintext password somewhere,
>> which is absolutely unacceptable. The only possible check is
>
>Gremlin, I know at least a couple of techniques how to perform this check
>without storing the plain text version of password, so you might be wrong
>in your claims.  JFYI.

Yeah, I wouldn't think it needed to be plaintext either, but (and I read
Solar's response to this before replying so I'm also somewhat replying
to that), I agree with his opinion.  For instance, storing it as a hash
means you can't really check to see any deviations from it (how do you
know john12 is too close to john23 without it being reversible?).  Which
means it would either need to be reversible or, as stated above, in
plaintext.  Both of which, to me, are bad ideas now that I think about it.
And I didn't give it much thought before posing the question as I wanted
the "expert" opinion.

>I'd like to see Solar's opinion on this.  I think that although it's
>a little bit complicated since we need to store some additional metadata
>per account this option could be implemented and it would have its users
>(not only Vincent and me but a broader range of users :) ).

I'm sure many users would use it.  I, for myself, see no real need for
it.  But some of the other folks in Mandriva seem to think it
necessary.

But now I have an excellent post from Solar (thanks for that!) to
forward so I can tell them to stop being so foolish.  =)

-- 
Vincent Danen @ http://linsec.ca/

This archive was generated by hypermail 2.1.3 : Sat Jun 23 2007 - 19:17:04 PDT