[sork] Re: [dev] Password expiry

Wed Feb 5 17:10:37 PST 2003

"Eric Rostetter" <eric.rostetter at physics.utexas.edu> wrote:
> Quoting Jeroen Huinink <j.huinink at wanadoo.nl>:
>
> > The way we set it up is to use IMAP authentication. This simply fails
when
> > your password is expired so you cannot log into horde to change your
> > password
>
> As it should (although you don't need to login to Horde to change your
> password via sork, at least in HEAD.  But in any case, if it is expired,
> sork won't be able to verify you and therefor won't change your password).

That is precisely my point. If you have no other access to the backend
system you will not be able to change your password after it expires.

> > I really like the password strength tests in sork, but if you want to
> > enforce a strict password policy, you would also like to store old
passwords
> > so the user cannot simply alternate between two or three passwords.
>
> This is the job of the backend system/changer.  That is, my poppassd
server
> should be checking this if my system supports it, etc.  Of course, that
> is also true of the strength tests we put in.  We put them in anyway since
> so many backends are broken...

Exactly. So why do we have the other strength tests and do not check for old
passwords.

> Having horde/sork store users passwords just doesn't seem right to me.
> Sure, we could do it.  But should we?  I'll think about it.  I supposed if
> they are stored encrypted (one-way) it wouldn't be too bad.  But it means
> adding database support as a requirement to passwd (at least if using this
> option), which currently isn't a requirment.

You can optionally switch on the other strengths checks. You could do the
same for checking against old passwords. The fields required for this could
be added to the horde_users table.

> The big problem I see is getting the expiration information from the
system.

I think that we need a solution that implements different backends for this,
similar to the backends that you now have in sork. You might need to make
changes to some authentication backends and/or password backends to allow
storage of "last change date".

> > What I did now is create a php shell script that we will be running as a
> > cron job that sends an e-mail warning when a password is about to
expire.
>
> If you can find a way to get the expiration info from php, then it is
trivial
> to put a warning into horde.  If you can do this via a command line
command
> on your horde web server, then you can template it off the comamnd line
> quota code.  I just don't know how you can get the expiration time of the
> user's password.

I have a script that needs to be ran as root and uses the linux (unix?)
"chage" command.

> > I'll see if I can generalize this and share this with the list if there
is
> > interest.
>
> Actually, if you can find a way to get the info, I might be willing to
> put it into the accounts module summary screen.  Once that is done, it
> should be trival to integrate it into Horde more generally.

You can use "chage -l <user>" to get the information for the current user or
for every user (if you are root). I am cleaning up our script and will send
it later.

> We just need to know how to get this expiration information on various OS
> models.

As I said this should/could be implemented through different backends (and
some might support this and others not).

Regards,
Jeroen

PS I am working on implementing a Horde_relationships class otherwise I
would volunteer to work on this. If there is somebody else who wants to take
this on? It will probably take some time before I could pick this one up.