On Thu, 2003-01-16 at 20:42, David Lee wrote:
> On Wed, 15 Jan 2003, Pierre Belanger wrote:
>
> > Last night I did a "grep -i todo" in the source code, to see
> > if I could contribute a little bit more ;-) I found the
> > following:
> >
> > smbd/chgpasswd.c: /* TODO: Add cracklib support here */
> >
> > I started working on this last night (using SAMBA_3_0
> > branch) and do have something working (the "configure.in",
> > documentation, etc is not done yet). I had to make my own
> > "API" to cracklib to make this work because the original API
> > uses getuid() and getpwuid() to get the username and fullname
> > (gecos). I also found a lot of places in the cracklib code
> > that is really not "full-proof". So... in the search for
> > a better solution:
> >
> > Tonight, I checked the "cracklib" included in "npasswd".
> > (I found a bug, it's also in the original cracklib!!!)
> > There isn't a better "API", still uses getuid()/getpwuid().
>
> I am now a couple of years out of touch with "cracklib" stuff, so check
> what I say, don't necessarily believe it!
>
> There is some actively maintained "cracklib" material in the "Linux-PAM"
> project:
> http://sourceforge.net/projects/pam
>
> My understanding is that "Linux-PAM" is used widely on various Linux
> distributions (I have very little first-hand knowledge of Linux). It also
> (notwithstanding the name) aims to be compatible with other PAM-enabled
> OSes (Solaris, HP, ...). Indeed we have been running Linux-PAM's cracklib
> in our Solaris PAM structure for a couple of years. (It's so neat, it
> doesn't require any maintenance attention, so I have now forgotten its
> detail!)
>
> So I would suggest exploring the possibilities that might be provided by
> Linux-PAM.

Linux-PAM can't help us here - because we don't have the old password to
work with. This means we have to do this as root, so the
modules-as-shipped will bypass the checks. If we have to get some custom
PAM configuration then we are better to just bring it into smbd.

> Bear in mind, too, that Andrew Bartlett is doing much work
> within Samba to rationalise and add modular flexibility to its
> authentication subsystem, including cooperating with PAM (for those
> systems that have it).

Yes, I added the code that would allow this, and the TODO :-)

> If I recall correctly it does require an external "cracklib" library.
> But exploring this route might help with constructing a suitable, mutually
> sympathetic API for Samba/crack (and possible PAM) interactions.
>
> > Do I continue working on this or not?
>
> Your ideas sound promising. I'm simply suggesting exploring what
> possibilities (if any) may exist with Linux-PAM's cracklib module and its
> related things, and coordinating this work with Andrew Bartlett's work
> within Samba to achieve maximum mutual benefit to both projects
> (Linux-PAM and Samba) and minimal risk of code-forking and fragmentation.

Don't worry, there is no risk of that. I'll be working closely on this.
(It is on my todo list before term starts anyway - in fact, thanks for
reminding me about it :-)

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
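The API issue raised in the thread, as an added example that is not part of the original messages and is not Samba or cracklib code: a password check in a daemon running as root has to be told which account it is checking, because getuid()/getpwuid() there describe the daemon, not the user. The function and helper names are hypothetical, the sample account is constructed, and only the username/gecos comparison is shown, not cracklib's dictionary test.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define LC(c) tolower((unsigned char)(c))

/* Case-insensitive search for needle[0..n) inside hay; 1 if found. */
static int contains_ci(const char *hay, const char *needle, size_t n)
{
    size_t h = strlen(hay), i, j;
    for (i = 0; n && i + n <= h; i++) {
        for (j = 0; j < n && LC(hay[i + j]) == LC(needle[j]); j++)
            ;
        if (j == n) return 1;
    }
    return 0;
}

/* 1 if pw contains word[0..n) forwards or reversed; short words ignored. */
static int word_in_password(const char *pw, const char *word, size_t n)
{
    char rev[64];
    if (n < 3 || n > sizeof rev) return 0;
    for (size_t i = 0; i < n; i++) rev[i] = word[n - 1 - i];
    return contains_ci(pw, word, n) || contains_ci(pw, rev, n);
}

/* Hypothetical API: the caller names the account; nothing is looked up
 * through getuid(). Returns NULL if acceptable, else a reason string. */
const char *check_password_for_user(const char *pw, const char *username,
                                    const char *gecos)
{
    if (word_in_password(pw, username, strlen(username)))
        return "based on the account name";
    /* gecos is "Full Name,office,..."; test each word of it. */
    for (const char *p = gecos; *p; ) {
        size_t n = strcspn(p, " ,");
        if (word_in_password(pw, p, n))
            return "based on the user's full name";
        p += n + strspn(p + n, " ,");
    }
    return NULL;
}

int main(void)
{
    /* Constructed sample account, not taken from the thread. */
    puts(check_password_for_user("Regnaleb2003", "pierre",
                                 "Pierre Belanger") ? "rejected" : "ok");
    return 0;
}
```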
