kadm5: move password quality checks out of daemons and into libkadm5
Note that this has a slight behavior change to c89d3f3b in order to continue
allow kadmin in local mode to bypass password quality checks. Password quality
checks are always bypassed if the *client* kadmin principal is kadmin/admin,
i.e. that of the kadmin service itself. This is the case when running kadmin in
local mode. As this is the equivalent of a superuser account, one would
anticipate that deployments would use specific administrator instances for
appropriate ACLs for day-to-day administration; operations by these will be
subject to password quality checks if enforce_on_admin_set is TRUE, or if the
user is changing their own password.
This commit is contained in:
Luke Howard
committed by
Nico Williams
Nico Williams
parent
62c1790bf5
commit
c6bf100b43
@@ -38,9 +38,6 @@ static kadm5_ret_t check_aliases(kadm5_server_context *,
|
||||
kadm5_principal_ent_rec *,
|
||||
kadm5_principal_ent_rec *);
|
||||
|
||||
static krb5_boolean
|
||||
enforce_pwqual_on_admin_set_p(kadm5_server_context *contextp);
|
||||
|
||||
static kadm5_ret_t
|
||||
kadmind_dispatch(void *kadm_handlep, krb5_boolean initial,
|
||||
krb5_data *in, krb5_data *out)
|
||||
@@ -181,24 +178,6 @@ kadmind_dispatch(void *kadm_handlep, krb5_boolean initial,
|
||||
}
|
||||
krb5_unparse_name_fixed(contextp->context, ent.principal,
|
||||
name, sizeof(name));
|
||||
if (enforce_pwqual_on_admin_set_p(contextp)) {
|
||||
krb5_data pwd_data;
|
||||
const char *pwd_reason;
|
||||
|
||||
pwd_data.data = password;
|
||||
pwd_data.length = strlen(password);
|
||||
|
||||
pwd_reason = kadm5_check_password_quality (contextp->context,
|
||||
ent.principal, &pwd_data);
|
||||
if (pwd_reason != NULL)
|
||||
ret = KADM5_PASS_Q_DICT;
|
||||
else
|
||||
ret = 0;
|
||||
if (ret) {
|
||||
kadm5_free_principal_ent(kadm_handlep, &ent);
|
||||
goto fail;
|
||||
}
|
||||
}
|
||||
krb5_warnx(contextp->context, "%s: %s %s", client, op, name);
|
||||
ret = _kadm5_acl_check_permission(contextp, KADM5_PRIV_ADD,
|
||||
ent.principal);
|
||||
@@ -354,30 +333,6 @@ kadmind_dispatch(void *kadm_handlep, krb5_boolean initial,
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* Change password requests are subject to password quality checks if
|
||||
* the principal is changing their own password, or the enforce_on_admin_set
|
||||
* configuration option is TRUE (the default).
|
||||
*/
|
||||
if (is_self_cpw || enforce_pwqual_on_admin_set_p(contextp)) {
|
||||
krb5_data pwd_data;
|
||||
const char *pwd_reason;
|
||||
|
||||
pwd_data.data = password;
|
||||
pwd_data.length = strlen(password);
|
||||
|
||||
pwd_reason = kadm5_check_password_quality (contextp->context,
|
||||
princ, &pwd_data);
|
||||
if (pwd_reason != NULL)
|
||||
ret = KADM5_PASS_Q_DICT;
|
||||
else
|
||||
ret = 0;
|
||||
if (ret) {
|
||||
krb5_free_principal(contextp->context, princ);
|
||||
goto fail;
|
||||
}
|
||||
}
|
||||
|
||||
ret = kadm5_chpass_principal_3(kadm_handlep, princ, keepold, 0, NULL,
|
||||
password);
|
||||
krb5_free_principal(contextp->context, princ);
|
||||
@@ -874,10 +829,3 @@ kadmind_loop(krb5_context contextp,
|
||||
return 0;
|
||||
}
|
||||
|
||||
static krb5_boolean
|
||||
enforce_pwqual_on_admin_set_p(kadm5_server_context *contextp)
|
||||
{
|
||||
return krb5_config_get_bool_default(contextp->context, NULL, TRUE,
|
||||
"password_quality",
|
||||
"enforce_on_admin_set", NULL);
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user