On Mon, Apr 20, 2015 at 07:28:31PM +0200, Michael Ströder wrote:
> herch...@hrz.uni-marburg.de wrote:
> >Whenever a login fails due to an invalid password, the ppolicy-module will
> >count this as a failure. After a configurable number of password failures in a
> >given time, ppolicy will take action and - for example - lock the account. I
> >have tried to tweak this behaviour: When the password is found in the password
> >history, the ppolicy-module will not count this as a password failure. If
> >anyone is interested in this, please find the attached patch which also
> >includes a working example configuration/testcase.
>
> I guess this change would open a can of worms, e.g. when password
> expiry is in effect.
Should be OK: it is not allowing authentication with an old password, just
not counting it against the lockout criteria.

If one *has* to have password lockout then I think something like this is
essential to reduce the risk of denial-of-service to legitimate users.

Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd                                 |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/                       +44 1628 782565 |
-----------------------------------------------------------------------
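A small model of the counting rule discussed in this thread, added here as an illustration; it is neither OpenLDAP's ppolicy code nor the patch the original poster attached. Attribute names follow the ppolicy overlay (pwdMaxFailure, pwdFailureCountInterval, pwdInHistory, pwdLockout, pwdHistory, pwdFailureTime, pwdAccountLockedTime); the hashing, the timestamps and the absence of pwdLockoutDuration are simplifying assumptions.

```python
import hashlib

# Constructed policy values (assumed, not from the thread).
POLICY = {
    "pwdMaxFailure": 3,             # lock after this many counted failures
    "pwdFailureCountInterval": 60,  # seconds; older failures are forgotten
    "pwdInHistory": 2,              # number of old passwords remembered
    "pwdLockout": True,
}

def hash_pw(password: str) -> str:
    # Simplified stand-in for the hashed values stored in pwdHistory.
    return hashlib.sha256(password.encode()).hexdigest()

class Entry:
    def __init__(self, current, old_passwords):
        self.userPassword = hash_pw(current)
        keep = POLICY["pwdInHistory"]
        self.pwdHistory = [hash_pw(p) for p in old_passwords][-keep:]
        self.pwdFailureTime = []         # timestamps of counted failures
        self.pwdAccountLockedTime = None  # lockout not expired in this model

def bind(entry, password, now, skip_history=True):
    """Return 'ok', 'invalid' or 'locked' for a simple bind at time `now`.

    skip_history=True applies the tweak proposed in the thread: a wrong
    password that matches an entry in pwdHistory is still rejected, but
    it is not recorded as a failure towards pwdMaxFailure."""
    interval = POLICY["pwdFailureCountInterval"]
    # Drop failures older than pwdFailureCountInterval.
    entry.pwdFailureTime = [t for t in entry.pwdFailureTime if now - t < interval]
    if entry.pwdAccountLockedTime is not None:
        return "locked"
    if hash_pw(password) == entry.userPassword:
        entry.pwdFailureTime = []        # a successful bind clears the count
        return "ok"
    if skip_history and hash_pw(password) in entry.pwdHistory:
        return "invalid"                 # rejected, but not counted
    entry.pwdFailureTime.append(now)
    if POLICY["pwdLockout"] and len(entry.pwdFailureTime) >= POLICY["pwdMaxFailure"]:
        entry.pwdAccountLockedTime = now
        return "locked"
    return "invalid"
```

Running the same three stale-password binds with skip_history=False shows the difference: without the tweak a user who keeps typing a previous password locks themselves out, which is the denial-of-service risk Andrew refers to.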