oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

(kadmind_dispatch): kadm_chpass: require the password to pass the

Browse Source 
password quality check in case the user changes the user's own password
kadm_chpass_with_key: disallow the user to change it own password to a
key, since that password might violate the password quality check.


git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@11626 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Love Hörnquist Åstrand
2003-01-29 12:33:05 +00:00
parent cb07c3282d
commit 84a8e5c39a
1 changed files with 24 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
kadmin/server.c
View File

@@ -1,5 +1,5 @@
/* /*
* Copyright (c) 1997 - 2002 Kungliga Tekniska H<>gskolan * Copyright (c) 1997 - 2003 Kungliga Tekniska H<>gskolan
* (Royal Institute of Technology, Stockholm, Sweden). * (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved. * All rights reserved.
* *
@@ -217,19 +217,36 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
/* /*
* The change is allowed if at least one of: * The change is allowed if at least one of:
* a) it's for the principal him/herself and this was an initial ticket
* a) it's for the principal him/herself and this was an
* initial ticket, but then, check with the password quality
* function.
* b) the user is on the CPW ACL. * b) the user is on the CPW ACL.
*/ */
if (initial if (initial
&& krb5_principal_compare (context->context, context->caller, && krb5_principal_compare (context->context, context->caller,
princ)) princ))
ret = 0; {
else krb5_data pwd_data;
const char *pwd_reason;
pwd_data.data = password;
pwd_data.length = strlen(password);
pwd_reason = kadm5_check_password_quality (context->context,
princ, &pwd_data);
if (pwd_reason != NULL)
ret = KADM5_PASS_Q_DICT;
else
ret = 0;
} else
ret = _kadm5_acl_check_permission(context, KADM5_PRIV_CPW, princ); ret = _kadm5_acl_check_permission(context, KADM5_PRIV_CPW, princ);
if(ret) { if(ret) {
krb5_free_principal(context->context, princ); krb5_free_principal(context->context, princ);
memset(password, 0, strlen(password));
free(password);
goto fail; goto fail;
} }
ret = kadm5_chpass_principal(kadm_handle, princ, password); ret = kadm5_chpass_principal(kadm_handle, princ, password);
@@ -286,18 +303,11 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
krb5_warnx(context->context, "%s: %s %s", client, op, name); krb5_warnx(context->context, "%s: %s %s", client, op, name);
/* /*
* The change is allowed if at least one of: * The change is only allowed if the user is on the CPW ACL,
* a) it's for the principal him/herself and this was an initial ticket * this it to force password quality check on the user.
* b) the user is on the CPW ACL.
*/ */
if (initial ret = _kadm5_acl_check_permission(context, KADM5_PRIV_CPW, princ);
&& krb5_principal_compare (context->context, context->caller,
princ))
ret = 0;
else
ret = _kadm5_acl_check_permission(context, KADM5_PRIV_CPW, princ);
if(ret) { if(ret) {
int16_t dummy = n_key_data; int16_t dummy = n_key_data;