
Re: ppolicy: pardon password history



On Mon, Apr 20, 2015 at 07:28:31PM +0200, Michael Ströder wrote:

> hercherf@hrz.uni-marburg.de wrote:
> >Whenever a login fails due to an invalid password, the ppolicy-module will
> >count this as a failure. After a configurable number of password failures in a
> >given time, ppolicy will take action and - for example - lock the account. I
> >have tried to tweak this behaviour: When the password is found in the password
> >history, the ppolicy-module will not count this as a password failure. If
> >anyone is interested in this, please find the attached patch which also
> >includes a working example configuration/testcase.
> 
> I guess this change would open a can of worms, e.g. when password
> expiry is in effect.

Should be OK: it is not allowing authentication with an old password,
just not counting it against the lockout criteria. If one *has* to have
password lockout then I think something like this is essential to reduce
the risk of denial-of-service to legitimate users.

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
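To make the lockout discussion concrete, here is a small Python model of ppolicy-style intruder lockout with the "do not count a password that is in the history" rule the thread proposes. This is an added example, not OpenLDAP code and not the attached patch: the attribute names in the comments mirror the ppolicy schema (pwdMaxFailure, pwdFailureCountInterval, pwdLockoutDuration, pwdInHistory, pwdHistory, pwdFailureTime, pwdAccountLockedTime), while the `pardon_history` switch, the PBKDF2 hashing and the sample passwords are assumptions chosen for the illustration.

```python
"""
Model of ppolicy-style lockout with the proposed 'pardon old passwords' rule.
Added example, not OpenLDAP code. pardon_history is an assumed switch that
stands in for the behaviour the patch in the thread describes.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Hashed = Tuple[bytes, bytes]  # (salt, PBKDF2-SHA256 digest); real ppolicy stores {SCHEME} hashes


def _hash_password(password: str, salt: Optional[bytes] = None) -> Hashed:
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def _matches(password: str, stored: Hashed) -> bool:
    salt, digest = stored
    return hmac.compare_digest(_hash_password(password, salt)[1], digest)


@dataclass
class Policy:
    max_failure: int = 3               # pwdMaxFailure
    failure_count_interval: int = 300  # pwdFailureCountInterval in seconds (0 = never expire)
    lockout_duration: int = 600        # pwdLockoutDuration in seconds (0 = until admin reset)
    in_history: int = 3                # pwdInHistory
    pardon_history: bool = False       # assumed switch modelling the proposed patch


@dataclass
class Account:
    current: Hashed
    history: List[Hashed] = field(default_factory=list)  # pwdHistory
    failures: List[float] = field(default_factory=list)  # pwdFailureTime
    locked_at: Optional[float] = None                     # pwdAccountLockedTime


def new_account(password: str) -> Account:
    return Account(current=_hash_password(password))


def change_password(acct: Account, pol: Policy, new_password: str) -> None:
    """Rotate the password: push the old hash into history, keep the newest pwdInHistory entries."""
    acct.history.append(acct.current)
    acct.history = acct.history[-pol.in_history:] if pol.in_history > 0 else []
    acct.current = _hash_password(new_password)
    acct.failures.clear()
    acct.locked_at = None


def bind(acct: Account, pol: Policy, password: str, now: float) -> str:
    """Simulate a simple bind at time `now` (seconds).
    Returns 'ok', 'locked', 'invalid' or 'invalid-old-password'."""
    # A locked account stays locked until pwdLockoutDuration has elapsed (0 = forever).
    if acct.locked_at is not None:
        if pol.lockout_duration == 0 or now < acct.locked_at + pol.lockout_duration:
            return "locked"
        acct.locked_at = None
        acct.failures.clear()

    # Failures older than pwdFailureCountInterval no longer count towards lockout.
    if pol.failure_count_interval > 0:
        acct.failures = [t for t in acct.failures if now - t < pol.failure_count_interval]

    if _matches(password, acct.current):
        acct.failures.clear()
        return "ok"

    # Proposed rule: a password found in pwdHistory is still rejected (no
    # authentication with an old password), but it is not recorded as a
    # failure, so a user retrying a stale credential cannot lock themselves out.
    if pol.pardon_history and any(_matches(password, h) for h in acct.history):
        return "invalid-old-password"

    acct.failures.append(now)
    if len(acct.failures) >= pol.max_failure:
        acct.locked_at = now
    return "invalid"


if __name__ == "__main__":
    # Constructed scenario: user rotated the password and keeps typing the old one.
    pol = Policy(pardon_history=True)
    acct = new_account("correct-horse")
    change_password(acct, pol, "battery-staple")
    for t in range(5):
        print(t, bind(acct, pol, "correct-horse", now=t), "failures:", len(acct.failures))
    print("real password:", bind(acct, pol, "battery-staple", now=10))
```

With `pardon_history=False` the three stale-password attempts lock the account just like three attacker guesses would; with it enabled, only passwords outside the history advance the counter, and an attacker with unknown guesses still locks the account after `max_failure` tries within `failure_count_interval`.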