author | Greg Hudson <ghudson@mit.edu> | 2010-09-01 16:40:22 +0000 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2010-09-01 16:40:22 +0000 |
commit | bd399cad888d90e99da3e5787040b34da857a34e (patch) | |
tree | af01e6e0bd5b66a3dd3e05959f34e61623114916 /src/config-files | |
parent | 18fda42e0ef82c51228ba7cbfb3915330f0c352e (diff) | |
Password quality pluggable interface
Merge branches/plugins2 to trunk. Adds a password quality pluggable
interface described in this project page:
http://k5wiki.kerberos.org/wiki/Projects/Password_quality_pluggable_interface
ticket: 6765
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24284 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/config-files')
-rw-r--r-- | src/config-files/krb5.conf.M | 56 |
1 files changed, 56 insertions, 0 deletions
diff --git a/src/config-files/krb5.conf.M b/src/config-files/krb5.conf.M index db3305f..2995aa2 100644 --- a/src/config-files/krb5.conf.M +++ b/src/config-files/krb5.conf.M @@ -110,6 +110,9 @@ Contains default values for database specific parameters. .IP [dbmodules] Contains database specific parameters used by the database library. + +.ip [plugins] +Contains plugin module registration and filtering parameters. .PP Each of these sections will be covered in more details in the following sections. 
@@ -682,6 +685,59 @@ is whitespace-separated. The LDAP server is specified by a LDAP URI. .IP ldap_conns_per_server This LDAP specific tag indicates the number of connections to be maintained per LDAP server. + +.SH PLUGINS SECTION + +Tags in the [plugins] section can be used to register dynamic plugin +modules and to turn modules on and off. Not every krb5 pluggable +interface uses the [plugins] section; the ones that do are documented +here. + +.PP +Each pluggable interface corresponds to a subsection of [plugins]. +All subsections support the same tags: + +.IP module +This tag may have multiple values. Each value is a string of the form +"modulename:pathname", which causes the shared object located at +pathname to be registered as a dynamic module named modulename for the +pluggable interface. If pathname is not an absolute path, it will be +treated as relative to the "krb5/plugins" subdirectory of the krb5 +library directory. + +.IP enable_only +This tag may have multiple values. If there are values for this tag, +then only the named modules will be enabled for the pluggable +interface. + +.IP disable +This tag may have multiple values. If there are values for this tag, +then the named modules will be disabled for the pluggable interface. + +.PP +The following subsections are currently supported within the [plugins] +section: + +.SS pwqual interface + +The pwqual subsection controls modules for the password quality +interface, which is used to reject weak passwords when passwords are +changed. In addition to any registered dynamic modules, the following +built-in modules exist (and may be disabled with the disable tag): + +.IP dict +Checks against the realm dictionary file + +.IP empty +Rejects empty passwords + +.IP hesiod +Checks against user information stored in Hesiod (only if Kerberos was +built with Hesiod support) + +.IP princ +Checks against components of the principal name + .SH FILES /etc/krb5.conf .SH SEE ALSO |
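Review bot: In the first hunk (@@ -110,6 +110,9 @@), the new section entry is written as `.ip [plugins]` in lowercase, while the entry just above it uses `.IP [dbmodules]`. roff macro names are case-sensitive, so `.ip` does not invoke the man `.IP` macro and the [plugins] entry will not be formatted as a tagged paragraph like the other section names in this list. Suggest changing it to `.IP [plugins]`.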
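Review bot: In the PLUGINS SECTION hunk (@@ -682,6 +685,59 @@), the `enable_only` and `disable` tags are each described on their own, but the text does not say what happens when both have values for the same interface, nor whether `enable_only` also switches off the built-in pwqual modules (dict, empty, hesiod, princ) that it does not name. The pwqual interface is what rejects weak passwords, so an administrator reading this page needs to be able to tell which checks stay active for a given configuration. Suggest adding a sentence under `enable_only` stating how it interacts with `disable` and that it applies to built-in modules as well as registered dynamic ones, if that is the behaviour.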