Gary Winiger wrote:
>>> Can this be built as a library (say libpwgen) so that we can implement a
>>> PAM module around this? I see value in it being a standalone program
>>> but even more value in also having a PAM module (this would be used
>>> instead of or stacked above pam_authtok_get in some configurations).
>
> I don't believe we want to provide such a module. It has far
> broader implications than having a command.

Well I respectively disagree, I do want to provide such a module. Yes it does have much broader implication and I wasn't suggesting that this case actually provide or design/architect the module. I just wanted to know if this case could provide building blocks for some future case.

> What if the password
> generated conflicts with the password policies in /etc/default/....?

IMO you wouldn't deploy a password generation module and the current pam_authtok_check in the same stack for exactly this reason.

> It has been considered in the past particularly with the fips 181
> password generator (that as from their source, is crypto encumbered).
>
> If there's going to be a PAM module, that needs to be a separate
> case.

I agree but there seems to be interesting stuff in this case that could be used to build such a future case so I wanted to know if this case could be delivered to help. I wasn't suggesting this case deliver the PAM module.

--
Darren J Moffat
