NAME¶
krb5_pwcheck
,
kadm5_setup_passwd_quality_check
,
kadm5_add_passwd_quality_verifier
,
kadm5_check_password_quality
—
Heimdal warning and error functions
LIBRARY¶
Kerberos 5 Library (libkadm5srv, -lkadm5srv)
SYNOPSIS¶
#include
<kadm5-protos.h>
#include
<kadm5-pwcheck.h>
void
kadm5_setup_passwd_quality_check
(
krb5_context
context,
const char *check_library,
const char *check_function);
krb5_error_code
kadm5_add_passwd_quality_verifier
(
krb5_context
context,
const char *check_library);
const char *
kadm5_check_password_quality
(
krb5_context
context,
krb5_principal principal,
krb5_data *pwd_data);
int
(*kadm5_passwd_quality_check_func)
(
krb5_context
context,
krb5_principal principal,
krb5_data *password,
const char *tuning,
char *message,
size_t length);
DESCRIPTION¶
These functions perform the quality check for the heimdal database library.
There are two versions of the shared object API; the old version (0) is
deprecated, but still supported. The new version (1) supports multiple
password quality checking policies in the same shared object. See below for
details.
The password quality checker will run all policies that are configured by the
user. If any policy rejects the password, the password will be rejected.
Policy names are of the form
‘
module-name:policy-name
’ or, if the the
policy name is unique enough, just
‘
policy-name
’.
IMPLEMENTING A PASSWORD QUALITY CHECKING SHARED OBJECT¶
(This refers to the version 1 API only.)
Module shared objects may conveniently be compiled and linked with
libtool(1). An object needs to export a symbol
called ‘
kadm5_password_verifier
’ of the
type
struct kadm5_pw_policy_verifier.
Its
name and
vendor fields should contain the obvious
information.
name must match the
‘
module-name
’ portion of the policy name
(the part before the colon), if the policy name contains a colon, or the
policy will not be run.
version should be
KADM5_PASSWD_VERSION_V1
.
funcs contains an array of
struct kadm5_pw_policy_check_func structures
that is terminated with an entry whose
name
component is
NULL
. The
name field of the array must match the
‘
policy-name
’ portion of a policy name
(the part after the colon, or the complete policy name if there is no colon)
specified by the user or the policy will not be run. The
func fields of the array elements are
functions that are exported by the module to be called to check the password.
They get the following arguments: the Kerberos context, principal, password, a
tuning parameter, and a pointer to a message buffer and its length. The tuning
parameter for the quality check function is currently always
NULL
. If the password is acceptable, the
function returns zero. Otherwise it returns non-zero and fills in the message
buffer with an appropriate explanation.
RUNNING THE CHECKS¶
kadm5_setup_passwd_quality_check
sets up type
0 checks. It sets up all type 0 checks defined in
krb5.conf(5) if called with the last two
arguments null.
kadm5_add_passwd_quality_verifier
sets up
type 1 checks. It sets up all type 1 tests defined in
krb5.conf(5) if called with a null second
argument.
kadm5_check_password_quality
runs
the checks in the order in which they are defined in
krb5.conf(5) and the order in which they occur in
a module's
funcs array until one returns
non-zero.
SEE ALSO¶
libtool(1),
krb5(3),
krb5.conf(5)