[sork] Re: [dev] Password expiry
Eric Rostetter
eric.rostetter at physics.utexas.edu
Wed Feb 5 10:41:57 PST 2003
Quoting Jeroen Huinink <j.huinink at wanadoo.nl>:
> > This is the job of the backend system/changer. That is, my poppassd
> server
> > should be checking this if my system supports it, etc. Of course, that
> > is also true of the strength tests we put in. We put them in anyway since
> > so many backends are broken...
>
> Exactly. So why do we have the other strength tests and do not check for old
> passwords.
Because strength tests don't involve storage backends, and hence are easier.
And because a lot of people wanted/requested the strength tests that are
there, and you are the first to propose old password storage/checks.
> > Having horde/sork store users passwords just doesn't seem right to me.
> > Sure, we could do it. But should we? I'll think about it. I supposed if
> > they are stored encrypted (one-way) it wouldn't be too bad. But it means
> > adding database support as a requirement to passwd (at least if using this
> > option), which currently isn't a requirment.
>
> You can optionally switch on the other strengths checks. You could do the
> same for checking against old passwords. The fields required for this could
> be added to the horde_users table.
Agree. Still adds complexity/requirements (if the option is on).
> > The big problem I see is getting the expiration information from the
> system.
>
> I think that we need a solution that implements different backends for this,
> similar to the backends that you now have in sork.
Agreed. If you send me your php cron-job, with documentation, I'll see
what I can do with it.
> You might need to make
> changes to some authentication backends and/or password backends to allow
> storage of "last change date".
In general, we would want to use the system's support for this. I suppose
we might need to add support to some backends (e.g. sql) if it doesn't
support it natively.
> I have a script that needs to be ran as root and uses the linux (unix?)
> "chage" command.
It really is a problem needing to run it as root, since Horde has no
access to root (I hope) without doing things like spawning sudo/su.
> You can use "chage -l <user>" to get the information for the current user or
> for every user (if you are root). I am cleaning up our script and will send
> it later.
Okay.
> > We just need to know how to get this expiration information on various OS
> > models.
>
> As I said this should/could be implemented through different backends (and
> some might support this and others not).
*nod*
> Regards,
> Jeroen
>
> PS I am working on implementing a Horde_relationships class otherwise I
> would volunteer to work on this. If there is somebody else who wants to take
> this on? It will probably take some time before I could pick this one up.
I'll look at it, but since I have no real use for it, I won't make any
promises.
--
Eric Rostetter
The Department of Physics
The University of Texas at Austin
Why get even? Get odd!
More information about the sork
mailing list