1KADM5_PWCHECK(3) BSD Library Functions Manual KADM5_PWCHECK(3)
2
4 krb5_pwcheck, kadm5_setup_passwd_quality_check,
5 kadm5_add_passwd_quality_verifier, kadm5_check_password_quality — Heimdal
6 warning and error functions
7
9 Kerberos 5 Library (libkadm5srv, -lkadm5srv)
10
12 #include <kadm5-protos.h>
13 #include <kadm5-pwcheck.h>
14 void
16 kadm5_setup_passwd_quality_check(krb5_context context,
17 const char *check_library, const char *check_function);
18 krb5_error_code
20 kadm5_add_passwd_quality_verifier(krb5_context context,
21 const char *check_library);
22 const char *
24 kadm5_check_password_quality(krb5_context context,
25 krb5_principal principal, krb5_data *pwd_data);
26 int
28 (*kadm5_passwd_quality_check_func)(krb5_context context,
29 krb5_principal principal, krb5_data *password, const char *tuning,
30 char *message, size_t length);
31
33 These functions perform the quality check for the heimdal database
34 library.
35 There are two versions of the shared object API; the old version (0) is
37 deprecated, but still supported. The new version (1) supports multiple
38 password quality checking policies in the same shared object. See below
39 for details.
40 The password quality checker will run all policies that are configured by
42 the user. If any policy rejects the password, the password will be
43 rejected.
44 Policy names are of the form ‘module-name:policy-name’ or, if the the
46 policy name is unique enough, just ‘policy-name’.
47
49 (This refers to the version 1 API only.)
50 Module shared objects may conveniently be compiled and linked with
52 libtool(1). An object needs to export a symbol called
53 ‘kadm5_password_verifier’ of the type struct kadm5_pw_policy_verifier.
54 Its name and vendor fields should contain the obvious information. name
56 must match the ‘module-name’ portion of the policy name (the part before
57 the colon), if the policy name contains a colon, or the policy will not
58 be run. version should be KADM5_PASSWD_VERSION_V1.
59 funcs contains an array of struct kadm5_pw_policy_check_func structures
61 that is terminated with an entry whose name component is NULL. The name
62 field of the array must match the ‘policy-name’ portion of a policy name
63 (the part after the colon, or the complete policy name if there is no
64 colon) specified by the user or the policy will not be run. The func
65 fields of the array elements are functions that are exported by the mod‐
66 ule to be called to check the password. They get the following argu‐
67 ments: the Kerberos context, principal, password, a tuning parameter,
68 and a pointer to a message buffer and its length. The tuning parameter
69 for the quality check function is currently always NULL. If the password
70 is acceptable, the function returns zero. Otherwise it returns non-zero
71 and fills in the message buffer with an appropriate explanation.
72
74 kadm5_setup_passwd_quality_check sets up type 0 checks. It sets up all
75 type 0 checks defined in krb5.conf(5) if called with the last two argu‐
76 ments null.
77 kadm5_add_passwd_quality_verifier sets up type 1 checks. It sets up all
79 type 1 tests defined in krb5.conf(5) if called with a null second argu‐
80 ment. kadm5_check_password_quality runs the checks in the order in which
81 they are defined in krb5.conf(5) and the order in which they occur in a
82 module's funcs array until one returns non-zero.
83
85 libtool(1), krb5(3), krb5.conf(5)
86HEIMDAL February 29, 2004 HEIMDAL