On 06/19/2013 05:15 PM, Chris Hecker wrote:
> Is there a way to disable the error case for chpass to the same
> password? If somebody thinks they've forgotten their password, and I
> send them a change password link and they type the old password in,
> that's fine with me. I don't see a way to specify this in the policy,
> and the mit kadm5 code seems to always do the check, in my cursory
> examination?
This is a tough call. There is a nonlinearity in the policy code--a policy
-history value of 0 means the same thing as 1--which is most likely a
historical bug. Obviously it would be better if 0 had the distinct meaning
of "no password reuse checking at all". However, changing it now could
reduce the security of existing deployments, which we try hard to avoid.
In particular, sites which enforce a minimum and maximum password lifetime,
but have neglected to set the -history value to 1 or more, would start
allowing users to change their password back to the same value again,
defeating the point of the lifetime restrictions. We could introduce some
kind of opt-in global configuration for the more consistent meaning; I'm
just not sure if it's worth the code and documentation footprint.

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
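The nonlinearity discussed above can be seen in a small model of the reuse check. The following is an added illustration, not code from MIT Kerberos or from either poster: the `Policy` and `Principal` classes, the `zero_disables` flag (standing in for the hypothetical opt-in global configuration mentioned in the reply) and the plaintext password lists are all constructed here for the example. The current behaviour is modelled as "a -history of 0 acts like 1, so the current password is always checked"; the opt-in makes 0 mean "no reuse check".

```python
from dataclasses import dataclass, field


@dataclass
class Policy:
    # value of the kadmin policy's -history attribute (constructed model)
    history: int
    # hypothetical opt-in: treat -history 0 as "no reuse checking at all"
    zero_disables: bool = False


@dataclass
class Principal:
    # passwords in chronological order; the current password is the last one.
    # (A real KDC stores keys, not plaintext; strings keep the model simple.)
    past_passwords: list = field(default_factory=list)


def effective_history(policy: Policy) -> int:
    """Number of recent passwords (current one included) compared on change."""
    if policy.history == 0 and policy.zero_disables:
        return 0
    # Current behaviour as described in the thread: 0 behaves like 1,
    # so at least the current password is always rejected.
    return max(policy.history, 1)


def change_password(policy: Policy, principal: Principal, new_password: str) -> bool:
    """Apply the reuse check; return True if the change is accepted."""
    n = effective_history(policy)
    checked = principal.past_passwords[-n:] if n else []   # [-0:] would be the whole list
    if new_password in checked:
        return False
    principal.past_passwords.append(new_password)
    return True


def lifetime_site_scenario(zero_disables: bool) -> bool:
    """A site that set min/max lifetimes but never set -history (so it is 0).

    Returns whether a user can change back to their current password, which
    is exactly what the reply warns would start happening if 0 changed meaning.
    """
    policy = Policy(history=0, zero_disables=zero_disables)
    user = Principal(past_passwords=["winter-2012", "spring-2013"])
    return change_password(policy, user, "spring-2013")


if __name__ == "__main__":
    print("today, -history 0 allows same password:", lifetime_site_scenario(False))
    print("with opt-in, -history 0 allows same password:", lifetime_site_scenario(True))
```

The `lifetime_site_scenario` function is the deployment the reply is worried about: with the opt-in switched on, a -history of 0 silently stops blocking the current password, so such a site would have to set -history to 1 or more before enabling it.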
