[sork] Re: [dev] Password expiry

[Eric Rostetter]

Quoting Jeroen Huinink <j.huinink at wanadoo.nl>:

> The problem that I see is that if you use a system with password expiry you
> never get a warning about this when using horde.

I understand.  And that is why I said you may want to contact the Horde 
developers about this, rather than the sork developers.  (which you
have now done). That is, it makes more sense in Horde than in sork, IMHO.

> we want to enforce a
> stricter password policy.

I'm all for that!
 
> The way we set it up is to use IMAP authentication. This simply fails when
> your password is expired so you cannot log into horde to change your
> password

As it should (although you don't need to login to Horde to change your
password via sork, at least in HEAD.  But in any case, if it is expired,
sork won't be able to verify you and therefor won't change your password).

> we would like to give our users a warning when they log on and
> require them to change their password if they are within a day of expiry.

There might be some way to merge such checks into the login, tos, or
maintenance portions of Horde.  Probably login since it is the only place
that gets done at each login.

If you can find a way to check the expiration status (and I have no idea
how to do this) then alerting the user is trivial.  Forcing the change is
a bit harder, but should be possible.
 
> I really like the password strength tests in sork, but if you want to
> enforce a strict password policy, you would also like to store old passwords
> so the user cannot simply alternate between two or three passwords.

This is the job of the backend system/changer.  That is, my poppassd server
should be checking this if my system supports it, etc.  Of course, that
is also true of the strength tests we put in.  We put them in anyway since
so many backends are broken...

Having horde/sork store users passwords just doesn't seem right to me.
Sure, we could do it.  But should we?  I'll think about it.  I supposed if
they are stored encrypted (one-way) it wouldn't be too bad.  But it means
adding database support as a requirement to passwd (at least if using this
option), which currently isn't a requirment.

> (On the
> IBM AS/400 that we use, something like 30 old passwords are stored...). I
> have some ideas on how to implement this. Opinions?

I'm an old VMS/OpenVMS guy, so I know what you mean.  Storing them is no
big deal (one-way encrypt them, store them in a data store (sql, ldap, etc).
Then compare the encrypted new password to the saved (old) encrypted passwords.

The big problem I see is getting the expiration information from the system.
 
> What I did now is create a php shell script that we will be running as a
> cron job that sends an e-mail warning when a password is about to expire.

If you can find a way to get the expiration info from php, then it is trivial
to put a warning into horde.  If you can do this via a command line command
on your horde web server, then you can template it off the comamnd line
quota code.  I just don't know how you can get the expiration time of the
user's password.

> I'll see if I can generalize this and share this with the list if there is
> interest.

Actually, if you can find a way to get the info, I might be willing to
put it into the accounts module summary screen.  Once that is done, it
should be trival to integrate it into Horde more generally.  

We just need to know how to get this expiration information on various OS
models.

> > This might be something that could go into Horde, but then you want to
> > post this to a different mailing list for comments.
> This is it.

Thanks!

> Regards,
> Jeroen

-- 
Eric Rostetter
The Department of Physics
The University of Texas at Austin

Why get even? Get odd!