static krb5_error_code
combo_check(krb5_context context, krb5_pwqual_moddata data,
const char *password, const char *policy_name,
- krb5_principal princ)
+ krb5_principal princ, const char **languages)
{
combo_moddata dict = (combo_moddata)data;
size_t i, j, len, pwlen;
continue;
remainder = password + len;
for (i = 0; i < dict->word_count; i++) {
- if (strcasecmp(remainder, dict->word_list[i]) == 0)
+ if (strcasecmp(remainder, dict->word_list[i]) == 0) {
+ krb5_set_error_message(context, KADM5_PASS_Q_DICT,
+ "Password may not be a pair of "
+ "dictionary words");
return KADM5_PASS_Q_DICT;
+ }
}
}
/*
* Mandatory: Check a password for the principal princ, which has an associated
* password policy named policy_name (or no associated policy if policy_name is
- * NULL). Return one of the following errors if the password check fails:
+ * NULL). The parameter languages, if not NULL, contains a null-terminated
+ * list of client-specified language tags as defined in RFC 5646. The method
+ * should return one of the following errors if the password fails quality
+ * standards:
*
- * - KADM5_PASS_Q_TOOSHORT
- * - KADM5_PASS_Q_CLASS
- * - KADM5_PASS_Q_DICT
+ * - KADM5_PASS_Q_TOOSHORT: password should be longer
+ * - KADM5_PASS_Q_CLASS: password must have more character classes
+ * - KADM5_PASS_Q_DICT: password contains dictionary words
+ * - KADM5_PASS_Q_GENERIC: unspecified quality failure
+ *
+ * The module should also set an extended error message with
+ * krb5_set_error_message(). The message may be localized according to one of
+ * the language tags in languages.
*/
typedef krb5_error_code
(*krb5_pwqual_check_fn)(krb5_context context, krb5_pwqual_moddata data,
const char *password, const char *policy_name,
- krb5_principal princ);
+ krb5_principal princ, const char **languages);
/* Optional: Release resources used by module data. */
typedef void
error_code KADM5_MISSING_KRB5_CONF_PARAMS, "Missing parameters in krb5.conf required for kadmin client"
error_code KADM5_XDR_FAILURE, "XDR encoding error"
error_code KADM5_CANT_RESOLVE, "Cannot resolve network address for admin server in requested realm"
+error_code KADM5_PASS_Q_GENERIC, "Unspecified password quality failure"
end
krb5_principal princ)
{
return handle->vt.check(context, handle->data, password, policy_name,
- princ);
+ princ, NULL);
}
static krb5_error_code
dict_check(krb5_context context, krb5_pwqual_moddata data,
const char *password, const char *policy_name,
- krb5_principal princ)
+ krb5_principal princ, const char **languages)
{
dict_moddata dict = (dict_moddata)data;
static krb5_error_code
empty_check(krb5_context context, krb5_pwqual_moddata data,
const char *password, const char *policy_name,
- krb5_principal princ)
+ krb5_principal princ, const char **languages)
{
/* Unlike other built-in modules, this one operates even for principals
* with no password policy. */
- if (*password == '\0')
+ if (*password == '\0') {
+ krb5_set_error_message(context, KADM5_PASS_Q_TOOSHORT,
+ "Empty passwords are not allowed");
return KADM5_PASS_Q_TOOSHORT;
+ }
return 0;
}
static krb5_error_code
hesiod_check(krb5_context context, krb5_pwqual_moddata data,
const char *password, const char *policy_name,
- krb5_principal princ)
+ krb5_principal princ, const char **languages)
{
#ifdef HESIOD
extern struct passwd *hes_getpwnam();
n = krb5_princ_size(handle->context, princ);
for (i = 0; i < n; i++) {
- cp = krb5_princ_component(handle->context, princ, i)->data;
- if (strcasecmp(cp, password) == 0)
- return KADM5_PASS_Q_DICT;
ent = hes_getpwnam(cp);
- if (ent && ent->pw_gecos && str_check_gecos(ent->pw_gecos, password))
+ if (ent && ent->pw_gecos && str_check_gecos(ent->pw_gecos, password)) {
+ krb5_set_error_message(context, KADM5_PASS_Q_DICT,
+ "Password maynot match user information.");
return KADM5_PASS_Q_DICT;
+ }
}
#endif /* HESIOD */
return 0;
static krb5_error_code
princ_check(krb5_context context, krb5_pwqual_moddata data,
const char *password, const char *policy_name,
- krb5_principal princ)
+ krb5_principal princ, const char **languages)
{
int i, n;
char *cp;
return KADM5_PASS_Q_DICT;
for (i = 0; i < n; i++) {
cp = krb5_princ_component(handle->context, princ, i)->data;
- if (strcasecmp(cp, password) == 0)
+ if (strcasecmp(cp, password) == 0) {
+ krb5_set_error_message(context, KADM5_PASS_Q_DICT,
+ "Password may not match principal name");
return KADM5_PASS_Q_DICT;
+ }
}
return 0;
projects / thirdparty / krb5.git / commitdiff
