On Mon, Oct 05, 2009 at 10:45:04AM -0400, Simo Sorce wrote:
>
> On Mon, 2009-10-05 at 14:06 +0200, Sumit Bose wrote:
> > On Mon, Oct 05, 2009 at 06:48:14AM -0400, Simo Sorce wrote:
> > > On Mon, 2009-10-05 at 10:45 +0200, Sumit Bose wrote:
> > > > - currently PAM_AUTHTOK_EXPIRED is returned if the password is expired
> > > >   regardless of whether the supplied password is correct or not. Would it
> > > >   be better to return a different error if the password is wrong?
> > >
> > > We should return an auth error if the password is wrong I guess
> > > (assuming we know at the same time that the password is wrong and the real
> > > password is expired).
> > >
> > > We shouldn't expose to the casual attacker that the password is expired.
> >
> > This is fixed in the new version of 0001 by trying to get a change
> > password ticket.
>
> Uhmm I didn't realize the KDC always sends the information back no matter
> what password is used.
> This is just public information then so perhaps we should just pass it
> back as is ...
> So technically I ack 0001 but we may want to use the previous version
> anyway, what do you think ?

I asked Jenny for a third opinion and she voted for the second version,
i.e. returning the wrong password error.

bye,
Sumit

> > > > - currently pam_sss only asks for the new password, because the
> > > >   current/old password is already known. Typically pam modules are
> > > >   asking for the current password a second time (because the
> > > >   password is not known anymore) and then for the new one. I think
> > > >   this behaviour is often irritating people. Which version shall we
> > > >   use?
> > >
> > > Not sure, but as long as we keep password change requests within the
> > > auth module we can avoid asking for the current password once again, the
> > > user just provided it, asking for it again adds nothing to the security
> > > of the operation.
> > >
> > > I have a question though (haven't looked at the patch yet). Do you send
> > > back any message to the user before asking for the new password ?
> > >
> >
> > Now a message is sent to the user in the new version of 0003.
> > 0002 is unchanged.
>
> ack 2 and 3
>
> Simo.
>
> _______________________________________________
> sssd-devel mailing list
> sssd-devel@lists.fedorahosted.org
> https://fedorahosted.org/mailman/listinfo/sssd-devel
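The two decisions discussed in this thread, as an added, self-contained model (this is illustration code, not SSSD's pam_sss or its Kerberos provider). A toy KDC behaves the way Simo describes: a TGT request for a principal with an expired key is answered with "key expired" whether or not the password is right, while a request for a kadmin/changepw ticket actually verifies the password. The PAM-side logic then shows the two alternatives argued over for patch 0001 (report expiry straight away, or probe with a change-password ticket and return a plain auth error for a wrong password), and a chauthtok step that reuses the password already held from authenticate instead of prompting for it a second time, as discussed for patches 0002/0003. All class, function and principal names, the SHA-256 string-to-key stand-in and the sample users are assumptions made for the example.

```python
"""Model of the expired-vs-wrong-password decision from the sssd-devel thread.

Constructed example, not SSSD code. The KDC, principals and passwords are
made up; hashing stands in for Kerberos string-to-key and no network is used.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from enum import IntEnum


class PamResult(IntEnum):
    # Numeric values as in the Linux-PAM headers; only these three are used.
    PAM_SUCCESS = 0
    PAM_AUTH_ERR = 7
    PAM_AUTHTOK_EXPIRED = 18


class KeyExpired(Exception):       # stands in for KRB5KDC_ERR_KEY_EXP
    pass


class PreauthFailed(Exception):    # stands in for KRB5KDC_ERR_PREAUTH_FAILED
    pass


@dataclass
class Principal:
    key: bytes                      # derived from the password (assumed scheme)
    expired: bool


@dataclass
class ToyKdc:
    principals: dict = field(default_factory=dict)

    @staticmethod
    def string_to_key(password: str) -> bytes:
        return hashlib.sha256(password.encode()).digest()

    def add_user(self, name: str, password: str, expired: bool = False) -> None:
        self.principals[name] = Principal(self.string_to_key(password), expired)

    def as_req(self, client: str, password: str, service: str) -> str:
        """AS-REQ with encrypted-timestamp pre-authentication, simplified."""
        p = self.principals.get(client)
        if p is None:
            raise PreauthFailed("unknown principal")
        # The behaviour the thread relies on: on an ordinary TGT request the
        # KDC reports key expiry before the pre-auth data is checked, so the
        # expiry state is visible to anyone who knows the principal name.
        if service == "krbtgt" and p.expired:
            raise KeyExpired("password has expired")
        # For kadmin/changepw (and non-expired TGT requests) the password
        # is actually verified.
        if not hmac.compare_digest(p.key, self.string_to_key(password)):
            raise PreauthFailed("pre-authentication failed")
        return f"ticket:{client}->{service}"

    def change_password(self, ticket: str, client: str, new_password: str) -> None:
        """kpasswd-style change: only valid with a kadmin/changepw ticket."""
        if ticket != f"ticket:{client}->kadmin/changepw":
            raise PreauthFailed("no change-password ticket")
        self.principals[client] = Principal(self.string_to_key(new_password), False)


def pam_authenticate(kdc: ToyKdc, user: str, password: str,
                     leak_expiry: bool = False) -> PamResult:
    """leak_expiry=True: report expiry regardless of the password (the
    behaviour Sumit's first question describes).  leak_expiry=False: on
    KEY_EXP, probe with a change-password ticket and report expiry only
    if that proves the password correct (the version Jenny voted for)."""
    try:
        kdc.as_req(user, password, "krbtgt")
        return PamResult.PAM_SUCCESS
    except PreauthFailed:
        return PamResult.PAM_AUTH_ERR
    except KeyExpired:
        if leak_expiry:
            return PamResult.PAM_AUTHTOK_EXPIRED
        try:
            kdc.as_req(user, password, "kadmin/changepw")
        except PreauthFailed:
            return PamResult.PAM_AUTH_ERR          # wrong password: say nothing about expiry
        return PamResult.PAM_AUTHTOK_EXPIRED       # correct but expired: go change it


def pam_chauthtok(kdc: ToyKdc, user: str, old_password: str, new_password: str) -> PamResult:
    """Change flow that reuses the password just entered at authenticate,
    so the user is only prompted for the new one."""
    try:
        ticket = kdc.as_req(user, old_password, "kadmin/changepw")
        kdc.change_password(ticket, user, new_password)
    except PreauthFailed:
        return PamResult.PAM_AUTH_ERR
    return PamResult.PAM_SUCCESS


def demo() -> dict:
    kdc = ToyKdc()
    kdc.add_user("alice", "correct horse", expired=True)   # constructed sample user
    kdc.add_user("bob", "battery staple")                   # constructed sample user
    out = {
        "alice_wrong_leaky": pam_authenticate(kdc, "alice", "guess", leak_expiry=True),
        "alice_wrong": pam_authenticate(kdc, "alice", "guess"),
        "alice_right": pam_authenticate(kdc, "alice", "correct horse"),
        "bob_wrong": pam_authenticate(kdc, "bob", "nope"),
        "bob_right": pam_authenticate(kdc, "bob", "battery staple"),
        "alice_change": pam_chauthtok(kdc, "alice", "correct horse", "new passphrase"),
    }
    out["alice_after_change"] = pam_authenticate(kdc, "alice", "new passphrase")
    return out


if __name__ == "__main__":
    for name, code in demo().items():
        print(f"{name}: {code.name}")
```

The interesting row is alice_wrong: with the leaky variant an attacker who only knows the user name learns that the account's password has expired, whereas the probing variant returns the same PAM_AUTH_ERR a non-expired account would. The probe costs one extra AS-REQ, and only in the expired case.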