[Klone-users] KLone version 2.1.0 released
Radek
radek.hnilica at gmail.com
Wed Apr 30 03:31:39 EDT 2008
On Wed, Apr 30, 2008 at 9:02 AM, thomas fossati <tho at koanlogic.com> wrote:
> Hi Radek, just a few thoughts ...
>
>
> On Apr 29, 2008, at 1:34 PM, Radek wrote:
>
> >
> > > mmm a bit too late to put it into the release, but we can park it in wiki
> > > for the moment. If you are going to work on integrating u_pwd into your
> > > app, we could perhaps update the "Login with KLone" page, no ?
> > >
> >
> > I need to rewrite my app to use this. It's not so straight, I use some
> > time limited passwords. But I have an image in my head.
> >
>
> if you need to add some "policy" to your master password file you can use
> the .opaque field of an u_pwd_rec_t, pushing the intended semantics (i.e.
> time limits, usage counter, bad logins counter, etc.) into it:
>
> =-=-=-=-=-=-=-=-=-=-=-=
> user:db33f30c28364cd44195ed6105b82c29:my_policy_attrs
> =-=-=-=-=-=-=-=-=-=-=-=
>
> then in the code:
>
> {
> ...
> dbg_err_if (u_pwd_retr(pwd, user, &user_rec));
> user_policy_attr = u_pwd_rec_get_opaque(user_rec);
> if (check_my_policy(user_policy_attr))
> ...
>
>
> }
Thanks, it helps with integrating my code.
What I'm doing is this.
Some accounts, likely with greater access rights, have no simple
password but a list of passwords.
When I detect such a login, I check whether it's special, and query
another dedicated password file, but the name looked up is not the login but
some string created on the fly.
So to the user it looks like the password is changing over time.
There is/should also be a check that such a user can log in only over
a secure channel (https).
For now it's done in the code itself. But I want to use hashed passwords
in a couple of separate password files.
Having looked at the examples, I think it could be done.
-- Radek
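
An added example, not part of the original thread and not KLone or libu code: one way a `check_my_policy` routine could enforce the time limit, https-only rule and bad-login counter discussed above from the string stored in the `.opaque` field. The attribute format, the extra parameters (`now`, `is_https`, `bad_logins`) and the return convention are assumptions; the caller is expected to pass in the string obtained with `u_pwd_rec_get_opaque`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Assumed attribute format (not defined by KLone or libu):
 *   "exp=<unix time>,https=<0|1>,maxbad=<n>", comma-separated key=value. */
struct policy { long long exp; int https_only; long long max_bad; };
/* Returns 0 on success, -1 on any malformed or unknown attribute, so a
 * damaged record denies the login instead of relaxing the policy. */
static int parse_policy(const char *attrs, struct policy *p)
{
    char buf[128], *tok, *next, *eq, *end;
    long long v;
    if (attrs == NULL || strlen(attrs) >= sizeof buf) return -1;
    strcpy(buf, attrs);
    p->exp = 0; p->https_only = 0; p->max_bad = -1;   /* defaults: no limit */
    for (tok = buf; tok != NULL; tok = next) {
        if ((next = strchr(tok, ',')) != NULL) *next++ = '\0';
        if ((eq = strchr(tok, '=')) == NULL) return -1;
        *eq++ = '\0';
        if (*eq < '0' || *eq > '9') return -1;         /* must start with a digit */
        v = strtoll(eq, &end, 10);
        if (*end != '\0' || end - eq > 18) return -1;  /* junk or overflow */
        if (strcmp(tok, "exp") == 0) p->exp = v;
        else if (strcmp(tok, "https") == 0 && v <= 1) p->https_only = (int)v;
        else if (strcmp(tok, "maxbad") == 0) p->max_bad = v;
        else return -1;
    }
    return 0;
}

/* Returns 1 if the login may proceed, 0 if the policy denies it. */
int check_my_policy(const char *attrs, time_t now, int is_https, long bad_logins)
{
    struct policy p;
    if (parse_policy(attrs, &p) != 0) return 0;            /* fail closed */
    if (p.exp != 0 && (long long)now >= p.exp) return 0;   /* time limit over */
    if (p.https_only && !is_https) return 0;               /* https required */
    if (p.max_bad >= 0 && bad_logins >= p.max_bad) return 0;
    return 1;
}

int main(void)
{
    const char *attrs = "exp=1209600000,https=1,maxbad=3"; /* constructed */
    printf("%d\n", check_my_policy(attrs, (time_t)1209500000, 1, 0));
    return 0;
}
```

NULL, empty and unparsable attribute strings are all denied, so this check fits only accounts that are meant to carry a policy.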