(kadmind_dispatch): kadm_chpass: require the password to pass the
password quality check in case the user changes the user's own password kadm_chpass_with_key: disallow the user to change it own password to a key, since that password might violate the password quality check. git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@11626 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 1997 - 2002 Kungliga Tekniska H<>gskolan
|
||||
* Copyright (c) 1997 - 2003 Kungliga Tekniska H<>gskolan
|
||||
* (Royal Institute of Technology, Stockholm, Sweden).
|
||||
* All rights reserved.
|
||||
*
|
||||
@@ -217,19 +217,36 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
|
||||
|
||||
/*
|
||||
* The change is allowed if at least one of:
|
||||
* a) it's for the principal him/herself and this was an initial ticket
|
||||
|
||||
* a) it's for the principal him/herself and this was an
|
||||
* initial ticket, but then, check with the password quality
|
||||
* function.
|
||||
* b) the user is on the CPW ACL.
|
||||
*/
|
||||
|
||||
if (initial
|
||||
&& krb5_principal_compare (context->context, context->caller,
|
||||
princ))
|
||||
ret = 0;
|
||||
else
|
||||
{
|
||||
krb5_data pwd_data;
|
||||
const char *pwd_reason;
|
||||
|
||||
pwd_data.data = password;
|
||||
pwd_data.length = strlen(password);
|
||||
|
||||
pwd_reason = kadm5_check_password_quality (context->context,
|
||||
princ, &pwd_data);
|
||||
if (pwd_reason != NULL)
|
||||
ret = KADM5_PASS_Q_DICT;
|
||||
else
|
||||
ret = 0;
|
||||
} else
|
||||
ret = _kadm5_acl_check_permission(context, KADM5_PRIV_CPW, princ);
|
||||
|
||||
if(ret) {
|
||||
krb5_free_principal(context->context, princ);
|
||||
memset(password, 0, strlen(password));
|
||||
free(password);
|
||||
goto fail;
|
||||
}
|
||||
ret = kadm5_chpass_principal(kadm_handle, princ, password);
|
||||
@@ -286,18 +303,11 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
|
||||
krb5_warnx(context->context, "%s: %s %s", client, op, name);
|
||||
|
||||
/*
|
||||
* The change is allowed if at least one of:
|
||||
* a) it's for the principal him/herself and this was an initial ticket
|
||||
* b) the user is on the CPW ACL.
|
||||
* The change is only allowed if the user is on the CPW ACL,
|
||||
* this it to force password quality check on the user.
|
||||
*/
|
||||
|
||||
if (initial
|
||||
&& krb5_principal_compare (context->context, context->caller,
|
||||
princ))
|
||||
ret = 0;
|
||||
else
|
||||
ret = _kadm5_acl_check_permission(context, KADM5_PRIV_CPW, princ);
|
||||
|
||||
ret = _kadm5_acl_check_permission(context, KADM5_PRIV_CPW, princ);
|
||||
if(ret) {
|
||||
int16_t dummy = n_key_data;
|
||||
|
||||
|
Reference in New Issue
Block a user