> We could introduce some kind of opt-in global configuration for the
> more consistent meaning; I'm just not sure if it's worth the code
> and documentation footprint.

Yeah, seems questionable. Bummer about the 0 being 1, though.

Chris

On 2013-06-19 21:25, Greg Hudson wrote:
> On 06/19/2013 05:15 PM, Chris Hecker wrote:
>> Is there a way to disable the error case for chpass to the same
>> password? If somebody thinks they've forgotten their password, and I
>> send them a change password link and they type the old password in,
>> that's fine with me. I don't see a way to specify this in the policy,
>> and the MIT kadm5 code seems to always do the check, in my cursory
>> examination?
>
> This is a tough call. There is a nonlinearity in the policy code--a
> policy -history value of 0 means the same thing as 1--which is most
> likely a historical bug. Obviously it would be better if 0 had the
> distinct meaning of "no password reuse checking at all".
>
> However, changing it now could reduce the security of existing
> deployments, which we try hard to avoid. In particular, sites which
> enforce a minimum and maximum password lifetime, but have neglected to
> set the -history value to 1 or more, would start allowing users to
> change their password back to the same value again, defeating the point
> of the lifetime restrictions.
>
> We could introduce some kind of opt-in global configuration for the more
> consistent meaning; I'm just not sure if it's worth the code and
> documentation footprint.

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
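
The following is an added model of the password-history check the thread is arguing about; it is not MIT krb5 code and it is not from either poster. It encodes only what the messages state: under the historical behaviour a policy -history of 0 is treated like 1 (the new password is always compared with the current key), while a hypothetical opt-in "consistent" mode gives 0 the distinct meaning of no reuse checking at all. The SHA-256 string_to_key(), the Policy/Principal classes and the helper functions (reuse_allowed, changes_until_reusable, rotation_defeated) are assumptions made for the illustration, as is the scenario of a site with minlife/maxlife set but -history left at 0.

```python
"""Model of the kadm5 password-history check discussed in the thread.

Added illustration, not MIT krb5 code.  Legacy mode: -history 0 behaves
like 1.  Consistent mode (the opt-in idea in the thread): 0 really means
"no password reuse checking at all".  string_to_key() is a SHA-256
stand-in for the Kerberos string-to-key function (assumption).
"""
import hashlib
from collections import deque


class PasswordReuse(Exception):
    """The new password matches a key the policy still remembers."""


def string_to_key(password: str, salt: str) -> bytes:
    # Stand-in for Kerberos string-to-key; only key equality matters here.
    return hashlib.sha256((salt + password).encode()).digest()


class Policy:
    def __init__(self, history=0, minlife=0, maxlife=0):
        self.history = history   # kadmin add_policy -history
        self.minlife = minlife   # kadmin add_policy -minlife, seconds
        self.maxlife = maxlife   # kadmin add_policy -maxlife, seconds


def effective_history(policy: Policy, consistent_zero: bool) -> int:
    """How many keys (current plus old) the new password is compared with."""
    if policy.history == 0 and not consistent_zero:
        return 1                 # legacy nonlinearity: 0 behaves like 1
    return policy.history        # consistent mode: 0 really means 0


class Principal:
    def __init__(self, name, password, policy, now=0):
        self.salt = name
        self.policy = policy
        self.key = string_to_key(password, self.salt)
        self.old_keys = deque()  # most recent first
        self.last_change = now

    def change_password(self, new_password, now, consistent_zero=False):
        pol = self.policy
        if pol.minlife and now - self.last_change < pol.minlife:
            raise ValueError("password changed too recently (minlife)")
        n = effective_history(pol, consistent_zero)
        new_key = string_to_key(new_password, self.salt)
        remembered = [self.key] + list(self.old_keys)
        if new_key in remembered[:n]:       # remembered[:0] is empty
            raise PasswordReuse("password is within the history window")
        self.old_keys.appendleft(self.key)
        while len(self.old_keys) > max(n - 1, 0):
            self.old_keys.pop()             # forget keys never checked again
        self.key = new_key
        self.last_change = now


def reuse_allowed(history, consistent_zero=False):
    """Chris's case: a user 'changes' to the password they already have."""
    p = Principal("chris@EXAMPLE.COM", "Correct-Horse", Policy(history=history))
    try:
        p.change_password("Correct-Horse", now=1, consistent_zero=consistent_zero)
    except PasswordReuse:
        return False
    return True


def changes_until_reusable(history, consistent_zero=False, limit=10):
    """Distinct passwords a user must cycle through before the original is accepted."""
    p = Principal("bob@EXAMPLE.COM", "original", Policy(history=history))
    for i in range(limit):
        try:
            p.change_password("original", now=i + 1, consistent_zero=consistent_zero)
            return i
        except PasswordReuse:
            p.change_password(f"distinct-{i}", now=i + 1, consistent_zero=consistent_zero)
    return None


def rotation_defeated(consistent_zero):
    """Greg's concern: minlife/maxlife set, -history left at 0 (constructed
    scenario).  True if the forced change at maxlife accepts the same password."""
    day = 24 * 3600
    pol = Policy(history=0, minlife=1 * day, maxlife=90 * day)
    p = Principal("alice@EXAMPLE.COM", "Winter2013!", pol, now=0)
    try:
        p.change_password("Winter2013!", now=pol.maxlife, consistent_zero=consistent_zero)
    except PasswordReuse:
        return False
    return True


if __name__ == "__main__":
    for mode, flag in (("legacy", False), ("consistent", True)):
        print(mode, "history=0 reuse allowed:", reuse_allowed(0, flag),
              "| rotation defeated:", rotation_defeated(flag))
```

With the legacy rule, history 0 and history 1 both reject the unchanged password, which is the behaviour Chris ran into; flipping 0 to "no checking" lets the user in Greg's minlife/maxlife scenario satisfy the forced rotation with the password they already had, which is exactly the regression that makes the change a tough call.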
