Adding a krb5_get_change_password_message() function?
Stef Walter
stefw at gnome.org
Wed Apr 25 07:43:49 EDT 2012
The data returned by krb5_change_password() in its *result_string
argument is sometimes a UTF-8 string, and sometimes a data structure.
In particular, AD returns the following structure (also seen in
winbind). Looks like even though MS wrote the RFC on Kerberos change
password, they don't follow it :(
#include <stdint.h>

/* Wire layout of the AD reply; all fields are in network byte order
 * (big-endian) and packed, 30 bytes in total. A C struct of these types
 * would carry padding after zero_bytes, so decode it field by field
 * rather than casting the buffer. */
struct PolicyInfo {
    uint16_t zero_bytes;          /* so that structure is not read as string */
    uint32_t min_length_password;
    uint32_t password_history;
    uint32_t password_properties; /* see defines below */
    uint64_t expire;              /* in seconds * 10,000,000 */
    uint64_t min_passwordage;     /* in seconds * 10,000,000 */
};

#define PASSWORD_COMPLEX         0x00000001
#define PASSWORD_NO_ANON_CHANGE  0x00000002
#define PASSWORD_NO_CLEAR_CHANGE 0x00000004
#define PASSWORD_LOCKOUT_ADMINS  0x00000008
#define PASSWORD_STORE_CLEARTEXT 0x00000010
#define REFUSE_PASSWORD_CHANGE   0x00000020
I was wondering if we want to add a krb5_get_change_password_message()
which changes the result_string returned from krb5_change_password()
into a displayable message explaining to the user more info about the
password rejection and policy requirements?
If it is already UTF-8 data, then krb5_get_change_password_message()
would null-terminate it correctly and return it. If it's another
structure that we recognize, krb5_get_change_password_message() could
format a useful message from it.
WDYT? It seems krb5 has lots of other interop stuff. Would this fit in
as well?
Cheers,
Stef
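As an added illustration of the two-way handling proposed above, here is a stand-alone C example. It is not MIT krb5 code and not the proposed API; the names ad_policy_info_parse(), change_password_message() and self_check() are hypothetical, and the 30-byte sample reply is constructed by hand from the layout in the message. The structure check (exact length 30 and two leading zero bytes) and the conversion of the two 64-bit fields to seconds follow the comments in the posted struct and are assumptions, not a documented AD contract.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PASSWORD_COMPLEX         0x00000001
#define REFUSE_PASSWORD_CHANGE   0x00000020

/* 2 + 4 + 4 + 4 + 8 + 8 bytes on the wire, no padding */
#define AD_POLICY_INFO_LEN 30

struct ad_policy_info {
    uint32_t min_length_password;
    uint32_t password_history;
    uint32_t password_properties;
    uint64_t expire;           /* seconds * 10,000,000 per the posted comment */
    uint64_t min_passwordage;  /* seconds * 10,000,000 per the posted comment */
};

static uint32_t load_be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static uint64_t load_be64(const unsigned char *p) {
    return ((uint64_t)load_be32(p) << 32) | load_be32(p + 4);
}

/* Returns 1 and fills *out when buf is an AD PolicyInfo reply (assumed test:
 * exactly 30 bytes starting with the two zero bytes), 0 otherwise. A UTF-8
 * string cannot begin with NUL bytes, so the leading zeros discriminate. */
int ad_policy_info_parse(const unsigned char *buf, size_t len,
                         struct ad_policy_info *out) {
    if (buf == NULL || len != AD_POLICY_INFO_LEN || buf[0] != 0 || buf[1] != 0)
        return 0;
    out->min_length_password = load_be32(buf + 2);
    out->password_history    = load_be32(buf + 6);
    out->password_properties = load_be32(buf + 10);
    out->expire              = load_be64(buf + 14);
    out->min_passwordage     = load_be64(buf + 22);
    return 1;
}

/* Hypothetical stand-in for the proposed krb5_get_change_password_message():
 * turns the raw result_string bytes (which are NOT NUL-terminated) into a
 * NUL-terminated message. Caller frees the result; NULL on allocation failure. */
char *change_password_message(const unsigned char *buf, size_t len) {
    struct ad_policy_info pi;
    if (ad_policy_info_parse(buf, len, &pi)) {
        char *msg = malloc(512);
        if (msg == NULL) return NULL;
        snprintf(msg, 512,
                 "Password rejected by policy: minimum length %u, "
                 "%u previous passwords remembered, complexity %s, "
                 "maximum age %llu seconds, minimum age %llu seconds%s",
                 (unsigned)pi.min_length_password, (unsigned)pi.password_history,
                 (pi.password_properties & PASSWORD_COMPLEX) ? "required" : "not required",
                 (unsigned long long)(pi.expire / 10000000ULL),
                 (unsigned long long)(pi.min_passwordage / 10000000ULL),
                 (pi.password_properties & REFUSE_PASSWORD_CHANGE)
                     ? "; password changes are refused" : "");
        return msg;
    }
    /* Otherwise treat it as UTF-8 text; stop at an embedded NUL if present. */
    const unsigned char *nul = (buf != NULL && len > 0) ? memchr(buf, 0, len) : NULL;
    size_t n = nul ? (size_t)(nul - buf) : (buf ? len : 0);
    char *msg = malloc(n + 1);
    if (msg == NULL) return NULL;
    if (n > 0) memcpy(msg, buf, n);
    msg[n] = '\0';
    return msg;
}

/* Constructed sample reply: min length 7, history 24, PASSWORD_COMPLEX,
 * expire = 3600 s (36,000,000,000 = 0x0861C46800), min age = 1 s (0x989680). */
static const unsigned char sample_policy[AD_POLICY_INFO_LEN] = {
    0x00, 0x00,
    0x00, 0x00, 0x00, 0x07,
    0x00, 0x00, 0x00, 0x18,
    0x00, 0x00, 0x00, 0x01,
    0x00, 0x00, 0x00, 0x08, 0x61, 0xC4, 0x68, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x98, 0x96, 0x80
};

/* Runs the sample through both paths; returns 1 when both decode as expected. */
int self_check(void) {
    struct ad_policy_info pi;
    const unsigned char text[] = "Password too short";
    int ok = ad_policy_info_parse(sample_policy, sizeof sample_policy, &pi) == 1 &&
             pi.min_length_password == 7 && pi.password_history == 24 &&
             pi.password_properties == PASSWORD_COMPLEX &&
             pi.expire / 10000000ULL == 3600 && pi.min_passwordage / 10000000ULL == 1;
    char *t = change_password_message(text, sizeof text - 1);
    ok = ok && t != NULL && strcmp(t, "Password too short") == 0;
    free(t);
    return ok;
}

int main(void) {
    char *m = change_password_message(sample_policy, sizeof sample_policy);
    if (m == NULL) return 1;
    puts(m);
    free(m);
    return self_check() ? 0 : 1;
}
```

Two points worth carrying into a real implementation: the text path must never assume the caller's buffer is NUL-terminated (krb5_data is not), and the structure check should be strict about the length so that a short or trailing-garbage reply is shown as text rather than decoded into nonsense policy values.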
More information about the krbdev
mailing list