Fix and clarify password quality check examples.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@15108 ec53bebd-3082-4978-b11e-865c3cabbd6b
Love Hörnquist Åstrand
2005-05-09 19:35:51 +00:00
parent 84e8f91f02
commit b1624b36a0

@@ -386,18 +386,21 @@ to guess them and to avoid off-line attacks (although
pre-authentication provides
some defense against off-line attacks). To ensure that the users choose
good passwords, you can enable password quality controls in
@command{kpasswdd} and @command{kadmind}. The controls themselves are done in a shared libraries or an external program that is used by @command{kpasswdd}. To configure in these controls, add
@command{kpasswdd} and @command{kadmind}. The controls themselves are
done in a shared library or an external program that is used by
@command{kpasswdd}. To configure in these controls, add
lines similar to the following to your @file{/etc/krb5.conf}:
@example
[password_quality]
policies = external-check builtin:minimum-length module:policyname
external-program = /bin/false
policy-libraries = @var{library1.so} @var{library2.so}
external_program = /bin/false
policy_libraries = @var{library1.so} @var{library2.so}
@end example
In @samp{[password_quality]:policies} the module name is optional if
the policy name is unique in all modules.
In @samp{[password_quality]policies} the module name is optional if
the policy name is unique in all modules (members of
@samp{policy_libraries}).
The builtin polices are
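
Review bot: The sample configuration still sets external_program = /bin/false while listing external-check in policies. That program never prints APPROVED and always exits non-zero, which the external-check description treats as the fatal-error case, so the example is not usable as written. A @var{} placeholder path would be safer to copy. In the same hunk, "To configure in these controls" still reads awkwardly ("To configure these controls"), and the context line "The builtin polices are" has a typo ("policies") that could be fixed while touching this paragraph.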
@@ -407,16 +410,23 @@ The builtin polices are
Executes the program specified by @samp{[password_quality]external_program}.
As input to the command a number of key: value pair is passed in on
each line ending with the string ``end''.
A number of key/value pairs is passed as input to the program, one per
line, ending with the string @samp{end}. The key/value lines are of
the form
@example
principal: @var{principal}
new-password: @var{password}
@end example
where @var{password} is the password to check for the previous
@var{principal}.
If the external application approves the password ``APPROVED'' must be
returne on standard out and exit with exit-code 0. If the program
doesn't approved the password, a one line error explaining the problem
should be returned on standard error and the application should exit
with a exit-code 0. In case of a fatal error, the application should
if possible print an error on stderr and exit with a non zero error
code.
If the external application approves the password, it should return
@samp{APPROVED} on standard out and exit with exit code 0. If it
doesn't approve the password, a one line error message explaining the
problem should be returned on standard error and the application
should exit with exit code 0. In case of a fatal error, the
application should, if possible, print an error message on standard
error and exit with a non-zero error code.
@item minimum-length
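
Review bot: The new @example for the key/value input shows only the principal: and new-password: lines and omits the terminating end line that the sentence just before it says closes the input; add end as a third line so the sample is a complete message. The paragraph on results has approval and rejection both exit with code 0, told apart only by APPROVED on standard out, and does not say whether a fatal error (non-zero exit) results in the password being rejected. State that explicitly so it is clear the check does not fail open. "the previous @var{principal}" is also ambiguous; "the @var{principal} given on the preceding line" would be clearer.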