* (GalaxyMaster) <galaxy@private> [2007-06-24 01:23:46 +0400]: >Thanks for a good question I was wondering whether it could be done on >Owl too (however, I haven't investigated the issue for real). I had actually never thought of it before, but I'm trying to convince some of the other folks at Mandriva to use pam_passwdqc and tcb by default... =) Makes for some rather stunning arguments. >On Sun, Jun 24, 2007 at 12:53:51AM +0400, gremlin@private wrote: >> >> It does NOT and, I hope, never will - all these "password >> history policies" require storing plaintext password somewhere, >> which is absolutely inacceptable. The only possible check is > >Gremlin, I know at least a couple of techniques how to perform this check >without storing the plain text version of password, so you might be wrong >in your claims. JFYI. Yeah, I wouldn't think it needed to be plaintext either, but (and I read Solar's response to this before replying so I'm also somewhat replying to that), I agree with his opinion. For instance, storing it as a hash means you can't really check to see any deviations from it (how do you know john12 is too close to john23 without it being reverable?). Which means it would either need to reversible or, as stated above, in plaintext. Both of which, to me, are bad ideas now that I think about. And I didn't give it much thought before posing the question as I wanted the "expert" opinion. >I'd like to see Solar's opinion on this. I think that although it's >a little bit complicated since we need to store some additional metadata >per account this option could be implemented and it would have its users >(not only Vincent and me but a broader range of users :) ). I'm sure many users would use it. I, for myself, see no real need for it. But some of the other folks in Mandriva seem to think it necessary. But now I have an excellent post from Solar (thanks for that!) to forward so I can tell them to stop being so foolish. =) -- Vincent Danen @ http://linsec.ca/
This archive was generated by hypermail 2.1.3 : Sat Jun 23 2007 - 19:17:04 PDT