[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ppolicy: pardon password history

To: Andrew Findlay <andrew.findlay@skills-1st.co.uk>
Subject: Re: ppolicy: pardon password history
From: Michael Ströder <michael@stroeder.com>
Date: Tue, 21 Apr 2015 14:24:01 +0200
Cc: hercherf@hrz.uni-marburg.de, openldap-devel@openldap.org
In-reply-to: <20150421101011.GB11964@slab.skills-1st.co.uk>
References: <20150420163706.Horde.gjucRgyPcQvxxRUE0J4-XA2@home.hrz.uni-marburg.de> <5535373F.6060907@stroeder.com> <20150421101011.GB11964@slab.skills-1st.co.uk>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 SeaMonkey/2.33.1

Andrew Findlay wrote:

On Mon, Apr 20, 2015 at 07:28:31PM +0200, Michael Ströder wrote:

hercherf@hrz.uni-marburg.de wrote:

Whenever a login fails due to a invalid password, the ppolicy-module will
count this as a failure. After a configurable number of password failures in a
given time, ppolicy will take action and - for example - lock the acount. I
have tried to tweak this behaviour: When the password is found in the password
history, the ppolicy-module will not count this as a password failure. If
anyone is interested in this, please find the attached patch which also
includes a working example configuration/testcase.


I guess this change would open a can of worms, e.g. when password
expiry is in effect.


Should be OK: it is not allowing authentication with an old password,
just not counting it against the lockout criteria.

You're right that when the current password is expired also all passwords inthe password history cannot be used for a bind.

But think of the reason for password expiry: It's used to effectively forbidthe use of an old password for binding. The reason is that old passwords mighthave been compromised without the user or admin taking notice of the compromise.

So if the current password is valid, because pwdChangedTime is new enough, allold passwords can still be used for binding. That renders password expiryineffective.

'pwdHistory' also contains the password change timestamp for each passwordhash. So slapo-ppolicy's password expiry check would have to take thistimestamp into account instead of 'pwdChangedTime' attribute.

This would not help with usability when the former password was alreadyexpired and a new password was set *afterwards*. In this situation the userwill run into lockout anyway.

If one *has* to have password lockout then I think something like this is
essential to reduce the risk of denial-of-service to legitimate users.

When using automatic password lockout one has to carefully choose the lockoutparameters anyway to avoid adding a big DoS attack vector. But IMO that'ssomething completely different.

Before anything is changed in slapo-ppolicy we have to carefully discuss thecorner-cases.

(This reminds me of one long-running ietf-ldapext work-item: Getting passwordpolicy draft in good shape?)


Ciao, Michael.

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

References:
- ppolicy: pardon password history
  - From: hercherf@hrz.uni-marburg.de
- Re: ppolicy: pardon password history
  - From: Michael Ströder <michael@stroeder.com>
- Re: ppolicy: pardon password history
  - From: Andrew Findlay <andrew.findlay@skills-1st.co.uk>

Prev by Date: Re: ppolicy: pardon password history
Next by Date: LMDB and gitorious
Index(es):
- Chronological
- Thread