[sork] Re: [dev] Password expiry

Eric Rostetter eric.rostetter at physics.utexas.edu
Wed Feb 5 10:41:57 PST 2003


Quoting Jeroen Huinink <j.huinink at wanadoo.nl>:

> > This is the job of the backend system/changer.  That is, my poppassd
> > server should be checking this if my system supports it, etc.  Of course,
> > that is also true of the strength tests we put in.  We put them in anyway
> > since so many backends are broken...
> 
> Exactly. So why do we have the other strength tests and do not check for old
> passwords?

Because strength tests don't involve storage backends, and hence are easier.
And because a lot of people wanted/requested the strength tests that are
there, and you are the first to propose old password storage/checks.
 
> > Having horde/sork store users' passwords just doesn't seem right to me.
> > Sure, we could do it.  But should we?  I'll think about it.  I suppose if
> > they are stored encrypted (one-way) it wouldn't be too bad.  But it means
> > adding database support as a requirement to passwd (at least if using this
> > option), which currently isn't a requirement.
> 
> You can optionally switch on the other strengths checks. You could do the
> same for checking against old passwords. The fields required for this could
> be added to the horde_users table.

Agree.  Still adds complexity/requirements (if the option is on).

> > The big problem I see is getting the expiration information from the
> > system.
> 
> I think that we need a solution that implements different backends for this,
> similar to the backends that you now have in sork.

Agreed.  If you send me your php cron-job, with documentation, I'll see
what I can do with it.

> You might need to make
> changes to some authentication backends and/or password backends to allow
> storage of "last change date".

In general, we would want to use the system's support for this.  I suppose
we might need to add support to some backends (e.g. sql) if it doesn't
support it natively.

> I have a script that needs to be run as root and uses the linux (unix?)
> "chage" command.

It really is a problem needing to run it as root, since Horde has no
access to root (I hope) without doing things like spawning sudo/su.

> You can use "chage -l <user>" to get the information for the current user or
> for every user (if you are root). I am cleaning up our script and will send
> it later.

Okay.
 
> > We just need to know how to get this expiration information on various OS
> > models.
> 
> As I said this should/could be implemented through different backends (and
> some might support this and others not).

*nod*

> Regards,
> Jeroen
> 
> PS I am working on implementing a Horde_relationships class otherwise I
> would volunteer to work on this. If there is somebody else who wants to take
> this on? It will probably take some time before I could pick this one up.

I'll look at it, but since I have no real use for it, I won't make any
promises.

-- 
Eric Rostetter
The Department of Physics
The University of Texas at Austin

Why get even? Get odd!
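
The old-password check discussed in this thread, with the history kept only as one-way salted hashes, as an added example that is not part of the original message or of Horde/sork. All function names, the history depth, and the choice of PBKDF2 are assumptions; the in-memory list stands in for the extra fields proposed for the horde_users table.

```python
import hashlib
import hmac
import os

HISTORY_DEPTH = 5         # assumed policy: remember the last five passwords
PBKDF2_ROUNDS = 100_000   # assumed work factor for the one-way hash


def _digest(password, salt):
    """One-way, salted, deliberately slow hash of a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, PBKDF2_ROUNDS)


def make_entry(password):
    """Build the (salt, digest) pair stored for one old password."""
    salt = os.urandom(16)
    return salt, _digest(password, salt)


def was_used_before(candidate, history):
    """Return True if candidate matches any remembered password.

    Each entry has its own salt, so the candidate is re-hashed per entry.
    Every entry is checked so timing does not reveal which one matched.
    """
    reused = False
    for salt, digest in history:
        if hmac.compare_digest(_digest(candidate, salt), digest):
            reused = True
    return reused


def change_password(new, history):
    """Reject reuse; otherwise return the updated, trimmed history."""
    if was_used_before(new, history):
        raise ValueError("password was used recently")
    return (history + [make_entry(new)])[-HISTORY_DEPTH:]


if __name__ == "__main__":
    hist = []
    for pw in ("spring-2003", "summer-2003"):   # constructed sample values
        hist = change_password(pw, hist)
    print(was_used_before("spring-2003", hist))
    print(was_used_before("winter-2003", hist))
```

Because only salted digests are kept, the history can answer "was this exact password used before?" but cannot be read back as plaintext.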

