diff options
author | Greg Hudson <ghudson@mit.edu> | 2010-08-31 01:40:19 +0000 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2010-08-31 01:40:19 +0000 |
commit | 71f887d2566241acb305158a0167fd9b7f8ac387 (patch) | |
tree | 8e33c94e55e806029ac6ecb36a78424e06d93d76 | |
parent | 660628789b79e8a52dd046dda553d6de8d4d87bb (diff) | |
download | krb5-71f887d2566241acb305158a0167fd9b7f8ac387.zip krb5-71f887d2566241acb305158a0167fd9b7f8ac387.tar.gz krb5-71f887d2566241acb305158a0167fd9b7f8ac387.tar.bz2 |
For the password quality interface:
* Add a languages argument to the check method to allow localization
of error messages (currently no languages are ever passed, though).
* Add an error code KADM5_PASS_Q_GENERIC.
* In most built-in modules and the combo module, set an error message
with krb5_set_error_message.
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/plugins2@24279 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r-- | pwqual_combo/combo.c | 8 | ||||
-rw-r--r-- | src/include/krb5/pwqual_plugin.h | 18 | ||||
-rw-r--r-- | src/lib/kadm5/kadm_err.et | 1 | ||||
-rw-r--r-- | src/lib/kadm5/srv/pwqual.c | 2 | ||||
-rw-r--r-- | src/lib/kadm5/srv/pwqual_dict.c | 2 | ||||
-rw-r--r-- | src/lib/kadm5/srv/pwqual_empty.c | 7 | ||||
-rw-r--r-- | src/lib/kadm5/srv/pwqual_hesiod.c | 10 | ||||
-rw-r--r-- | src/lib/kadm5/srv/pwqual_princ.c | 7 |
8 files changed, 37 insertions, 18 deletions
diff --git a/pwqual_combo/combo.c b/pwqual_combo/combo.c index 34e6daa..1a52ef4 100644 --- a/pwqual_combo/combo.c +++ b/pwqual_combo/combo.c @@ -135,7 +135,7 @@ combo_open(krb5_context context, const char *dict_file, static krb5_error_code combo_check(krb5_context context, krb5_pwqual_moddata data, const char *password, const char *policy_name, - krb5_principal princ) + krb5_principal princ, const char **languages) { combo_moddata dict = (combo_moddata)data; size_t i, j, len, pwlen; @@ -153,8 +153,12 @@ combo_check(krb5_context context, krb5_pwqual_moddata data, continue; remainder = password + len; for (i = 0; i < dict->word_count; i++) { - if (strcasecmp(remainder, dict->word_list[i]) == 0) + if (strcasecmp(remainder, dict->word_list[i]) == 0) { + krb5_set_error_message(context, KADM5_PASS_Q_DICT, + "Password may not be a pair of " + "dictionary words"); return KADM5_PASS_Q_DICT; + } } } diff --git a/src/include/krb5/pwqual_plugin.h b/src/include/krb5/pwqual_plugin.h index 8fe5c61..61f8062 100644 --- a/src/include/krb5/pwqual_plugin.h +++ b/src/include/krb5/pwqual_plugin.h @@ -67,16 +67,24 @@ typedef krb5_error_code /* * Mandatory: Check a password for the principal princ, which has an associated * password policy named policy_name (or no associated policy if policy_name is - * NULL). Return one of the following errors if the password check fails: + * NULL). The parameter languages, if not NULL, contains a null-terminated + * list of client-specified language tags as defined in RFC 5646. The method + * should return one of the following errors if the password fails quality + * standards: * - * - KADM5_PASS_Q_TOOSHORT - * - KADM5_PASS_Q_CLASS - * - KADM5_PASS_Q_DICT + * - KADM5_PASS_Q_TOOSHORT: password should be longer + * - KADM5_PASS_Q_CLASS: password must have more character classes + * - KADM5_PASS_Q_DICT: password contains dictionary words + * - KADM5_PASS_Q_GENERIC: unspecified quality failure + * + * The module should also set an extended error message with + * krb5_set_error_message(). The message may be localized according to one of + * the language tags in languages. */ typedef krb5_error_code (*krb5_pwqual_check_fn)(krb5_context context, krb5_pwqual_moddata data, const char *password, const char *policy_name, - krb5_principal princ); + krb5_principal princ, const char **languages); /* Optional: Release resources used by module data. */ typedef void diff --git a/src/lib/kadm5/kadm_err.et b/src/lib/kadm5/kadm_err.et index a6086b1..5530cca 100644 --- a/src/lib/kadm5/kadm_err.et +++ b/src/lib/kadm5/kadm_err.et @@ -61,4 +61,5 @@ error_code KADM5_SETKEY3_ETYPE_MISMATCH, "Mismatched enctypes for setkey3" error_code KADM5_MISSING_KRB5_CONF_PARAMS, "Missing parameters in krb5.conf required for kadmin client" error_code KADM5_XDR_FAILURE, "XDR encoding error" error_code KADM5_CANT_RESOLVE, "Cannot resolve network address for admin server in requested realm" +error_code KADM5_PASS_Q_GENERIC, "Unspecified password quality failure" end diff --git a/src/lib/kadm5/srv/pwqual.c b/src/lib/kadm5/srv/pwqual.c index cc92612..646bfcb 100644 --- a/src/lib/kadm5/srv/pwqual.c +++ b/src/lib/kadm5/srv/pwqual.c @@ -111,5 +111,5 @@ k5_pwqual_check(krb5_context context, pwqual_handle handle, krb5_principal princ) { return handle->vt.check(context, handle->data, password, policy_name, - princ); + princ, NULL); } diff --git a/src/lib/kadm5/srv/pwqual_dict.c b/src/lib/kadm5/srv/pwqual_dict.c index 18892a0..2df9a8b 100644 --- a/src/lib/kadm5/srv/pwqual_dict.c +++ b/src/lib/kadm5/srv/pwqual_dict.c @@ -214,7 +214,7 @@ dict_open(krb5_context context, const char *dict_file, static krb5_error_code dict_check(krb5_context context, krb5_pwqual_moddata data, const char *password, const char *policy_name, - krb5_principal princ) + krb5_principal princ, const char **languages) { dict_moddata dict = (dict_moddata)data; diff --git a/src/lib/kadm5/srv/pwqual_empty.c b/src/lib/kadm5/srv/pwqual_empty.c index ba25502..df3505a 100644 --- a/src/lib/kadm5/srv/pwqual_empty.c +++ b/src/lib/kadm5/srv/pwqual_empty.c @@ -35,12 +35,15 @@ static krb5_error_code empty_check(krb5_context context, krb5_pwqual_moddata data, const char *password, const char *policy_name, - krb5_principal princ) + krb5_principal princ, const char **languages) { /* Unlike other built-in modules, this one operates even for principals * with no password policy. */ - if (*password == '\0') + if (*password == '\0') { + krb5_set_error_message(context, KADM5_PASS_Q_TOOSHORT, + "Empty passwords are not allowed"); return KADM5_PASS_Q_TOOSHORT; + } return 0; } diff --git a/src/lib/kadm5/srv/pwqual_hesiod.c b/src/lib/kadm5/srv/pwqual_hesiod.c index f8862a3..993992d 100644 --- a/src/lib/kadm5/srv/pwqual_hesiod.c +++ b/src/lib/kadm5/srv/pwqual_hesiod.c @@ -94,7 +94,7 @@ str_check_gecos(char *gecos, const char *pwstr) static krb5_error_code hesiod_check(krb5_context context, krb5_pwqual_moddata data, const char *password, const char *policy_name, - krb5_principal princ) + krb5_principal princ, const char **languages) { #ifdef HESIOD extern struct passwd *hes_getpwnam(); @@ -108,12 +108,12 @@ hesiod_check(krb5_context context, krb5_pwqual_moddata data, n = krb5_princ_size(handle->context, princ); for (i = 0; i < n; i++) { - cp = krb5_princ_component(handle->context, princ, i)->data; - if (strcasecmp(cp, password) == 0) - return KADM5_PASS_Q_DICT; ent = hes_getpwnam(cp); - if (ent && ent->pw_gecos && str_check_gecos(ent->pw_gecos, password)) + if (ent && ent->pw_gecos && str_check_gecos(ent->pw_gecos, password)) { + krb5_set_error_message(context, KADM5_PASS_Q_DICT, + "Password maynot match user information."); return KADM5_PASS_Q_DICT; + } } #endif /* HESIOD */ return 0; diff --git a/src/lib/kadm5/srv/pwqual_princ.c b/src/lib/kadm5/srv/pwqual_princ.c index 06393a1..dfe5f20 100644 --- a/src/lib/kadm5/srv/pwqual_princ.c +++ b/src/lib/kadm5/srv/pwqual_princ.c @@ -35,7 +35,7 @@ static krb5_error_code princ_check(krb5_context context, krb5_pwqual_moddata data, const char *password, const char *policy_name, - krb5_principal princ) + krb5_principal princ, const char **languages) { int i, n; char *cp; @@ -51,8 +51,11 @@ princ_check(krb5_context context, krb5_pwqual_moddata data, return KADM5_PASS_Q_DICT; for (i = 0; i < n; i++) { cp = krb5_princ_component(handle->context, princ, i)->data; - if (strcasecmp(cp, password) == 0) + if (strcasecmp(cp, password) == 0) { + krb5_set_error_message(context, KADM5_PASS_Q_DICT, + "Password may not match principal name"); return KADM5_PASS_Q_DICT; + } } return 0; |