svn rev #24279: branches/plugins2/ pwqual_combo/ src/include/krb5/ src/lib/kadm5/ ...
ghudson@MIT.EDU
ghudson at MIT.EDU
Mon Aug 30 21:40:19 EDT 2010
http://src.mit.edu/fisheye/changelog/krb5/?cs=24279
Commit By: ghudson
Log Message:
For the password quality interface:
* Add a languages argument to the check method to allow localization
of error messages (currently no languages are ever passed, though).
* Add an error code KADM5_PASS_Q_GENERIC.
* In most built-in modules and the combo module, set an error message
with krb5_set_error_message.
Changed Files:
U branches/plugins2/pwqual_combo/combo.c
U branches/plugins2/src/include/krb5/pwqual_plugin.h
U branches/plugins2/src/lib/kadm5/kadm_err.et
U branches/plugins2/src/lib/kadm5/srv/pwqual.c
U branches/plugins2/src/lib/kadm5/srv/pwqual_dict.c
U branches/plugins2/src/lib/kadm5/srv/pwqual_empty.c
U branches/plugins2/src/lib/kadm5/srv/pwqual_hesiod.c
U branches/plugins2/src/lib/kadm5/srv/pwqual_princ.c
Modified: branches/plugins2/pwqual_combo/combo.c
===================================================================
--- branches/plugins2/pwqual_combo/combo.c 2010-08-30 16:28:58 UTC (rev 24278)
+++ branches/plugins2/pwqual_combo/combo.c 2010-08-31 01:40:19 UTC (rev 24279)
@@ -135,7 +135,7 @@
static krb5_error_code
combo_check(krb5_context context, krb5_pwqual_moddata data,
const char *password, const char *policy_name,
- krb5_principal princ)
+ krb5_principal princ, const char **languages)
{
combo_moddata dict = (combo_moddata)data;
size_t i, j, len, pwlen;
@@ -153,8 +153,12 @@
continue;
remainder = password + len;
for (i = 0; i < dict->word_count; i++) {
- if (strcasecmp(remainder, dict->word_list[i]) == 0)
+ if (strcasecmp(remainder, dict->word_list[i]) == 0) {
+ krb5_set_error_message(context, KADM5_PASS_Q_DICT,
+ "Password may not be a pair of "
+ "dictionary words");
return KADM5_PASS_Q_DICT;
+ }
}
}
Modified: branches/plugins2/src/include/krb5/pwqual_plugin.h
===================================================================
--- branches/plugins2/src/include/krb5/pwqual_plugin.h 2010-08-30 16:28:58 UTC (rev 24278)
+++ branches/plugins2/src/include/krb5/pwqual_plugin.h 2010-08-31 01:40:19 UTC (rev 24279)
@@ -67,16 +67,24 @@
/*
* Mandatory: Check a password for the principal princ, which has an associated
* password policy named policy_name (or no associated policy if policy_name is
- * NULL). Return one of the following errors if the password check fails:
+ * NULL). The parameter languages, if not NULL, contains a null-terminated
+ * list of client-specified language tags as defined in RFC 5646. The method
+ * should return one of the following errors if the password fails quality
+ * standards:
*
- * - KADM5_PASS_Q_TOOSHORT
- * - KADM5_PASS_Q_CLASS
- * - KADM5_PASS_Q_DICT
+ * - KADM5_PASS_Q_TOOSHORT: password should be longer
+ * - KADM5_PASS_Q_CLASS: password must have more character classes
+ * - KADM5_PASS_Q_DICT: password contains dictionary words
+ * - KADM5_PASS_Q_GENERIC: unspecified quality failure
+ *
+ * The module should also set an extended error message with
+ * krb5_set_error_message(). The message may be localized according to one of
+ * the language tags in languages.
*/
typedef krb5_error_code
(*krb5_pwqual_check_fn)(krb5_context context, krb5_pwqual_moddata data,
const char *password, const char *policy_name,
- krb5_principal princ);
+ krb5_principal princ, const char **languages);
/* Optional: Release resources used by module data. */
typedef void
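Review bot: The new comment above krb5_pwqual_check_fn tells modules to set an extended error message but does not say what that message may contain, nor who owns `languages`. The message presumably reaches the kadmin client or server logs, so I would add `* The message must not include the password or the word it matched.` to the comment block. I would also add `* The languages list is owned by the caller; modules must not modify or retain it.`, though that ownership rule is inferred from the `const char **` type and should be confirmed against the intended caller.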
Modified: branches/plugins2/src/lib/kadm5/kadm_err.et
===================================================================
--- branches/plugins2/src/lib/kadm5/kadm_err.et 2010-08-30 16:28:58 UTC (rev 24278)
+++ branches/plugins2/src/lib/kadm5/kadm_err.et 2010-08-31 01:40:19 UTC (rev 24279)
@@ -61,4 +61,5 @@
error_code KADM5_MISSING_KRB5_CONF_PARAMS, "Missing parameters in krb5.conf required for kadmin client"
error_code KADM5_XDR_FAILURE, "XDR encoding error"
error_code KADM5_CANT_RESOLVE, "Cannot resolve network address for admin server in requested realm"
+error_code KADM5_PASS_Q_GENERIC, "Unspecified password quality failure"
end
Modified: branches/plugins2/src/lib/kadm5/srv/pwqual.c
===================================================================
--- branches/plugins2/src/lib/kadm5/srv/pwqual.c 2010-08-30 16:28:58 UTC (rev 24278)
+++ branches/plugins2/src/lib/kadm5/srv/pwqual.c 2010-08-31 01:40:19 UTC (rev 24279)
@@ -111,5 +111,5 @@
krb5_principal princ)
{
return handle->vt.check(context, handle->data, password, policy_name,
- princ);
+ princ, NULL);
}
Modified: branches/plugins2/src/lib/kadm5/srv/pwqual_dict.c
===================================================================
--- branches/plugins2/src/lib/kadm5/srv/pwqual_dict.c 2010-08-30 16:28:58 UTC (rev 24278)
+++ branches/plugins2/src/lib/kadm5/srv/pwqual_dict.c 2010-08-31 01:40:19 UTC (rev 24279)
@@ -214,7 +214,7 @@
static krb5_error_code
dict_check(krb5_context context, krb5_pwqual_moddata data,
const char *password, const char *policy_name,
- krb5_principal princ)
+ krb5_principal princ, const char **languages)
{
dict_moddata dict = (dict_moddata)data;
Modified: branches/plugins2/src/lib/kadm5/srv/pwqual_empty.c
===================================================================
--- branches/plugins2/src/lib/kadm5/srv/pwqual_empty.c 2010-08-30 16:28:58 UTC (rev 24278)
+++ branches/plugins2/src/lib/kadm5/srv/pwqual_empty.c 2010-08-31 01:40:19 UTC (rev 24279)
@@ -35,12 +35,15 @@
static krb5_error_code
empty_check(krb5_context context, krb5_pwqual_moddata data,
const char *password, const char *policy_name,
- krb5_principal princ)
+ krb5_principal princ, const char **languages)
{
/* Unlike other built-in modules, this one operates even for principals
* with no password policy. */
- if (*password == '\0')
+ if (*password == '\0') {
+ krb5_set_error_message(context, KADM5_PASS_Q_TOOSHORT,
+ "Empty passwords are not allowed");
return KADM5_PASS_Q_TOOSHORT;
+ }
return 0;
}
Modified: branches/plugins2/src/lib/kadm5/srv/pwqual_hesiod.c
===================================================================
--- branches/plugins2/src/lib/kadm5/srv/pwqual_hesiod.c 2010-08-30 16:28:58 UTC (rev 24278)
+++ branches/plugins2/src/lib/kadm5/srv/pwqual_hesiod.c 2010-08-31 01:40:19 UTC (rev 24279)
@@ -94,7 +94,7 @@
static krb5_error_code
hesiod_check(krb5_context context, krb5_pwqual_moddata data,
const char *password, const char *policy_name,
- krb5_principal princ)
+ krb5_principal princ, const char **languages)
{
#ifdef HESIOD
extern struct passwd *hes_getpwnam();
@@ -108,12 +108,12 @@
n = krb5_princ_size(handle->context, princ);
for (i = 0; i < n; i++) {
- cp = krb5_princ_component(handle->context, princ, i)->data;
- if (strcasecmp(cp, password) == 0)
- return KADM5_PASS_Q_DICT;
ent = hes_getpwnam(cp);
- if (ent && ent->pw_gecos && str_check_gecos(ent->pw_gecos, password))
+ if (ent && ent->pw_gecos && str_check_gecos(ent->pw_gecos, password)) {
+ krb5_set_error_message(context, KADM5_PASS_Q_DICT,
+ "Password maynot match user information.");
return KADM5_PASS_Q_DICT;
+ }
}
#endif /* HESIOD */
return 0;
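Review bot: In the loop of this hesiod_check hunk, `ent = hes_getpwnam(cp);` is kept while the line that assigned `cp` is removed along with the principal-name comparison, so under `#ifdef HESIOD` the lookup appears to read `cp` without it being set. Unless `cp` is assigned somewhere outside the visible lines, keep `cp = krb5_princ_component(handle->context, princ, i)->data;` ahead of the lookup and drop only the `strcasecmp` test. The new message string reads "maynot" and should be `"Password may not match user information."`. The function body starts and ends outside this hunk, so the declarations of `cp` and `handle` cannot be checked from here.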
Modified: branches/plugins2/src/lib/kadm5/srv/pwqual_princ.c
===================================================================
--- branches/plugins2/src/lib/kadm5/srv/pwqual_princ.c 2010-08-30 16:28:58 UTC (rev 24278)
+++ branches/plugins2/src/lib/kadm5/srv/pwqual_princ.c 2010-08-31 01:40:19 UTC (rev 24279)
@@ -35,7 +35,7 @@
static krb5_error_code
princ_check(krb5_context context, krb5_pwqual_moddata data,
const char *password, const char *policy_name,
- krb5_principal princ)
+ krb5_principal princ, const char **languages)
{
int i, n;
char *cp;
@@ -51,8 +51,11 @@
return KADM5_PASS_Q_DICT;
for (i = 0; i < n; i++) {
cp = krb5_princ_component(handle->context, princ, i)->data;
- if (strcasecmp(cp, password) == 0)
+ if (strcasecmp(cp, password) == 0) {
+ krb5_set_error_message(context, KADM5_PASS_Q_DICT,
+ "Password may not match principal name");
return KADM5_PASS_Q_DICT;
+ }
}
return 0;
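Review bot: The `return KADM5_PASS_Q_DICT;` at the top of this hunk still returns without an extended message, while the component comparison below it now sets one. Callers therefore get different detail for the same error code depending on which test fired. The condition for that first return is outside the hunk; if it is also a name match, adding `krb5_set_error_message(context, KADM5_PASS_Q_DICT, "Password may not match principal name");` before it would make the two paths agree. Separately, `cp` comes from a length-counted `krb5_data` and is passed to `strcasecmp`; if components are not guaranteed to be NUL-terminated here, a comparison bounded by the component length would avoid an over-read.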