.\" Copyright (c) 2003 - 2004 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" 3. Neither the name of the Institute nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $Id$
.\"
.Dd February 29, 2004
.Dt KADM5_PWCHECK 3
.Os HEIMDAL
.Sh NAME
.Nm kadm5_pwcheck ,
.Nm kadm5_setup_passwd_quality_check ,
.Nm kadm5_add_passwd_quality_verifier ,
.Nm kadm5_check_password_quality
.Nd Heimdal password quality checking functions
.Sh LIBRARY
Kerberos 5 Library (libkadm5srv, -lkadm5srv)
.Sh SYNOPSIS
.In kadm5-protos.h
.In kadm5-pwcheck.h
.Ft void
.Fo kadm5_setup_passwd_quality_check
.Fa "krb5_context context"
.Fa "const char *check_library"
.Fa "const char *check_function"
.Fc
.Ft "krb5_error_code"
.Fo kadm5_add_passwd_quality_verifier
.Fa "krb5_context context"
.Fa "const char *check_library"
.Fc
.Ft "const char *"
.Fo kadm5_check_password_quality
.Fa "krb5_context context"
.Fa "krb5_principal principal"
.Fa "krb5_data *pwd_data"
.Fc
.Ft int
.Fo "(*kadm5_passwd_quality_check_func)"
.Fa "krb5_context context"
.Fa "krb5_principal principal"
.Fa "krb5_data *password"
.Fa "const char *tuning"
.Fa "char *message"
.Fa "size_t length"
.Fc
.Sh DESCRIPTION
These functions perform the password quality checks of the Heimdal
kadm5 server library; they are used, for instance, by
.Xr kpasswdd 8
before a user's new password is accepted.
.Pp
There are two versions of the shared object API; the old version (0)
is deprecated, but still supported.
The new version (1) supports multiple password quality checking
policies in the same shared object.
See below for details.
.Pp
The password quality checker runs all policies that are configured
by the user.
A password is accepted only if every configured policy accepts it;
if any policy rejects the password, the password is rejected.
.Pp
Policy names are of the form
.Ql module-name:policy-name
or, if the policy name is unique enough, just
.Ql policy-name .
.Sh IMPLEMENTING A PASSWORD QUALITY CHECKING SHARED OBJECT
(This refers to the version 1 API only.)
.Pp
Module shared objects may conveniently be compiled and linked with
.Xr libtool 1 .
An object needs to export a symbol called
.Ql kadm5_password_verifier
of the type
.Ft "struct kadm5_pw_policy_verifier" .
.Pp
Its
.Ft name
and
.Ft vendor
fields should contain the name of the module and the name of its vendor.
.Ft name
must match the
.Ql module-name
portion of the policy name (the part before the colon) whenever the
configured policy name contains a colon; otherwise the policy will not
be run.
.Ft version
should be
.Dv KADM5_PASSWD_VERSION_V1 .
.Pp
.Ft funcs
contains an array of
.Ft "struct kadm5_pw_policy_check_func"
structures that is terminated with an entry whose
.Ft name
component is
.Dv NULL .
The
.Ft name
field of an array element must match the
.Ql policy-name
portion of a policy name (the part after the colon, or the complete policy
name if there is no colon) specified by the user, or the policy will not be
run.
The
.Ft func
fields of the array elements are functions exported by the module that
are called to check the password.
They get the following arguments: the Kerberos context, the principal
whose password is being set, the password as a
.Ft krb5_data ,
a tuning parameter, and a pointer to a message buffer and its length in
bytes.
The tuning parameter for the quality check function is currently always
.Dv NULL .
A check function must use the
.Ft length
field of the password and must not assume that the password data is
NUL-terminated.
If the password is acceptable, the function returns zero.
Otherwise it returns non-zero and fills in the message buffer with an
appropriate, NUL-terminated explanation of at most
.Fa length
bytes; the explanation is handed back to the caller, which typically
reports it to the user attempting the password change.
.Sh RUNNING THE CHECKS
.Nm kadm5_setup_passwd_quality_check
sets up type 0 checks.
It sets up all type 0 checks defined in
.Xr krb5.conf 5
if called with the last two arguments
.Dv NULL .
.Pp
.Nm kadm5_add_passwd_quality_verifier
sets up type 1 checks.
It sets up all type 1 checks defined in
.Xr krb5.conf 5
if called with a
.Dv NULL
second argument.
.Pp
.Nm kadm5_check_password_quality
runs the checks in the order in which they are defined in
.Xr krb5.conf 5
and in the order in which they occur in a module's
.Ft funcs
array, until one returns non-zero.
It returns
.Dv NULL
if every check accepted the password, and otherwise a pointer to the
message filled in by the check that rejected it.
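.Pp
The following is an added example and not code from Heimdal: a complete
version 1 module named
.Ql example
that exports
.Ql kadm5_password_verifier
with two policies, followed by a stand-in for the checker loop described
above so that the whole thing builds and runs without Heimdal.
The type definitions, the module and policy names, the length and
character-class limits and the sample passwords are all assumptions of
the example; against a real Heimdal tree the stand-in types are replaced
by
.In kadm5-pwcheck.h ,
the module is built as a shared object with
.Xr libtool 1 ,
and it is listed under
.Ql policy_libraries
in the
.Ql [password_quality]
section of
.Xr krb5.conf 5
with its policies named under
.Ql policies .

```c
/* Added example, not Heimdal code: a version 1 password quality module
 * ("example") plus a stand-in checker loop, so it builds and runs alone.
 * The stand-in types below assume the layout of <kadm5-pwcheck.h>. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

typedef void *krb5_context, *krb5_principal;        /* opaque in Heimdal */
typedef struct krb5_data { size_t length; void *data; } krb5_data;
typedef int (*kadm5_passwd_quality_check_func)(krb5_context, krb5_principal,
                krb5_data *, const char *, char *, size_t);
struct kadm5_pw_policy_check_func {                 /* policy-name -> check */
    const char *name;
    kadm5_passwd_quality_check_func func;
};
struct kadm5_pw_policy_verifier {
    const char *name;                               /* the module-name part */
    int version;                                    /* KADM5_PASSWD_VERSION_V1 */
    const char *vendor;
    struct kadm5_pw_policy_check_func *funcs;       /* ends with name == NULL */
};
#define KADM5_PASSWD_VERSION_V1 1
enum { MIN_LENGTH = 12, MIN_CLASSES = 3 };          /* assumed local limits */

/* Policy "minlen". Trust password->length only: data is not NUL-terminated. */
static int
check_minlen(krb5_context ctx, krb5_principal princ, krb5_data *password,
             const char *tuning, char *message, size_t length)
{
    (void)ctx; (void)princ; (void)tuning;           /* tuning is always NULL */
    if (password->length >= MIN_LENGTH)
        return 0;                                   /* zero accepts */
    snprintf(message, length, "password too short: %zu < %d characters",
             password->length, MIN_LENGTH);
    return 1;                                       /* non-zero rejects */
}

/* Policy "classes": need MIN_CLASSES of lower, upper, digit and other. */
static int
check_classes(krb5_context ctx, krb5_principal princ, krb5_data *password,
              const char *tuning, char *message, size_t length)
{
    const unsigned char *p = password->data;
    int seen[4] = { 0, 0, 0, 0 };
    size_t i;

    (void)ctx; (void)princ; (void)tuning;
    for (i = 0; i < password->length; i++)
        seen[islower(p[i]) ? 0 : isupper(p[i]) ? 1 : isdigit(p[i]) ? 2 : 3] = 1;
    if (seen[0] + seen[1] + seen[2] + seen[3] >= MIN_CLASSES)
        return 0;
    snprintf(message, length, "password needs at least %d character classes "
             "(lower, upper, digit, other)", MIN_CLASSES);
    return 1;
}

static struct kadm5_pw_policy_check_func example_funcs[] = {
    { "minlen", check_minlen }, { "classes", check_classes }, { NULL, NULL }
};

/* The one symbol the shared object must export. */
struct kadm5_pw_policy_verifier kadm5_password_verifier = {
    "example", KADM5_PASSWD_VERSION_V1, "Example Vendor", example_funcs
};

/* Stand-in for the checker loop (modelled on this page, not Heimdal's own
 * kadm5_check_password_quality()): run the configured policies in order, stop
 * at the first non-zero return and hand back its message; NULL means accepted. */
const char *
check_password(const char *pw, const char *const *policies)
{
    static char msg[256];
    krb5_data d = { strlen(pw), (void *)pw };
    const struct kadm5_pw_policy_verifier *v = &kadm5_password_verifier;

    for (; *policies != NULL; policies++) {
        const char *pname = *policies, *colon = strchr(pname, ':');
        const struct kadm5_pw_policy_check_func *f;

        if (colon != NULL) {                        /* "module-name:policy-name" */
            size_t n = (size_t)(colon - pname);
            if (strlen(v->name) != n || strncmp(v->name, pname, n) != 0)
                continue;                           /* other module: not run here */
            pname = colon + 1;
        }
        for (f = v->funcs; f->name != NULL; f++)
            if (strcmp(f->name, pname) == 0 &&
                f->func(NULL, NULL, &d, NULL, msg, sizeof msg) != 0)
                return msg;
    }
    return NULL;
}

int
main(void)
{
    static const char *const pol[] = { "example:minlen", "classes", NULL };
    const char *pws[] = { "Tr0ub4dor&3", "correcthorsebatterystaple", "Correct-Horse-9" };
    int i;

    for (i = 0; i < 3; i++) {                       /* constructed sample passwords */
        const char *why = check_password(pws[i], pol);
        printf("%-26s %s\n", pws[i], why != NULL ? why : "accepted");
    }
    return 0;
}
```

The policy list in
.Fn main
uses both name forms: the qualified
.Ql example:minlen
and the bare
.Ql classes .
A qualified name whose module part does not equal the verifier's
.Ft name
(say
.Ql other:minlen )
is skipped, as the matching rule above requires, so a configuration
typo silently disables that policy; checking the effective list against
a deliberately bad password is the quickest way to catch this.
The check functions never read past
.Ft length
and always leave a NUL-terminated message, which
.Fn snprintf
guarantees even when the buffer is too small.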
.Sh SEE ALSO
.Xr libtool 1 ,
.Xr krb5 3 ,
.Xr krb5.conf 5