Password changing hook in kadmind

Donn Cave donn at
Fri May 23 18:16:20 EDT 2003

Quoth John Hascall <john at>:
(quoting Sam Hartman)
|> Hi.  I understand that there are various patches out there that add a
|> hook to call some external program during the password changing
|> process either for password synchronization with non-Kerberos
|> solutions or for password quality checking.
| My patch doesn't call a program, it writes a file for each transaction
| which a separate program can deal with.  As I recall there are 4
| points in the kadmin library you need to hook into (create, modify,
| delete principal, change password).  I didn't include any policy
| change hooks because we don't make much use of policies yet.
| I know UMich has done a similar thing.

Same here, we write to disk.  Single file, though.  We hacked ours in
4 places in server_stubs.c, and one in schpw.c.

|> Are any of these patches of sufficient quality that we should look at
|> taking one of them?
| You could probably implement it from scratch just as quick.

True.  My diff is basically six of
 +       if (ret.code == 0)
 +           loguwpw(prime_arg, arg->pass);
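
Review bot: the result of loguwpw(prime_arg, arg->pass) is not checked in the added lines, so if the log write can fail after ret.code == 0, the Kerberos password has already changed while the external program never learns of it, and nothing records the divergence. Consider having loguwpw return a status and logging a failure here. Since arg->pass is the cleartext password, a comment at each of these call sites noting where it ends up would also help later readers.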

We haven't tried to make it any kind of option, so that would be some
extra work.  Our function (loguwpw) does some filesystem locking for
interlock with the external program, I suppose that might be useful
if everyone wanted to use this interface (single plain text disk file)
(big if.)

We get multiple synchronized primary KDC + kadmind hosts out of this.
It is about a non-Kerberos solution, but in a context where integration
adds to the Kerberos part too.

	Donn Cave, University Computing Services, University of Washington
	donn at
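
One way to write the interlocked single-file log the message describes, given as an added example that is not the loguwpw() from the post or any MIT krb5 code. The function name spool_pwchange, the tab-separated record layout, the 0600 permission check and the use of flock() are all assumptions.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* glibc: expose flock(), fsync(), O_NOFOLLOW */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical spool writer (added example, assumed record format).
 * Appends one "principal<TAB>password" line while holding an exclusive
 * lock, so a reader that takes the same lock never sees a partial record.
 * Returns 0 on success, -1 on failure; the caller should log a failure. */
int spool_pwchange(const char *path, const char *princ, const char *pass)
{
    char rec[1024];
    struct stat st;
    int fd, n, rc = -1;

    /* Reject values that would break the one-record-per-line format. */
    if (strpbrk(princ, "\t\n") || strchr(pass, '\n'))
        return -1;
    n = snprintf(rec, sizeof rec, "%s\t%s\n", princ, pass);
    if (n < 0 || (size_t)n >= sizeof rec)
        goto done;

    /* The file holds cleartext passwords: owner-only, never via a symlink. */
    fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0)
        goto done;
    /* Refuse an existing file that group or other can access. */
    if (fstat(fd, &st) != 0 || (st.st_mode & 077) != 0)
        goto out;
    if (flock(fd, LOCK_EX) != 0)
        goto out;
    /* fsync before unlocking so the record is on disk when the reader runs. */
    if (write(fd, rec, (size_t)n) == n && fsync(fd) == 0)
        rc = 0;
    flock(fd, LOCK_UN);
out:
    close(fd);
done:
    /* Best-effort scrub; a compiler may elide it, so prefer explicit_bzero()
     * where the platform provides it. */
    memset(rec, 0, sizeof rec);
    return rc;
}
```

The external program would take the same flock() before reading and truncating the file, which is what makes the lock an interlock rather than just write serialization.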
