oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

kadmin: allow enforcing password quality on admin password change

Browse Source 
This patch adds the "enforce_on_admin_set" configuration knob in the
[password_quality] section. When this is enabled, administrative password
changes via the kadmin or kpasswd protocols will be subject to password quality
checks. (An administrative password change is one where the authenticating
principal is different to the principal whose password is being changed.)

Note that kadmin running in local mode (-l) is unaffected by this patch.
This commit is contained in:
Luke Howard
2018-12-24 15:28:32 +11:00
parent 6ce1aa84c5
commit c89d3f3b8c
6 changed files with 103 additions and 40 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
tests/kdc/check-kadmin.in
View File

@@ -59,7 +59,7 @@ kinit="${kinit} -c $cache ${afs_no_afslog}"
kgetcred="${kgetcred} -c $cache"
kdestroy="${kdestroy} -c $cache ${afs_no_unlog}"
foopassword="foo"
foopassword="fooLongPasswordYo123;"
KRB5_CONFIG="${objdir}/krb5.conf"
export KRB5_CONFIG
@@ -256,6 +256,11 @@ env KRB5CCNAME=${cache} \
${kadmin} -p foo/admin@${R} add -p "$foopassword" --use-defaults kaka@${R} ||
{ echo "kadmin failed $?"; cat messages.log ; exit 1; }
echo "kadmin"
env KRB5CCNAME=${cache} \
${kadmin} -p foo/admin@${R} add -p abc --use-defaults kaka@${R} &&
{ echo "kadmin succeeded $?"; cat messages.log ; exit 1; }
#----------------------------------
${kadmind} -d &
kadmpid=$!

10
tests/ldap/check-ldap.in
View File

@@ -54,6 +54,8 @@ kgetcred="${TESTS_ENVIRONMENT} ../../kuser/kgetcred -c $cache"
kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -l -r $R"
kdc="${TESTS_ENVIRONMENT} ../../kdc/kdc --addresses=localhost -P $port"
foopassword="fooLongPasswordYo123;"
testfailed="echo test failed; exit 1"
KRB5_CONFIG="${objdir}/krb5.conf"
@@ -102,8 +104,8 @@ ${kadmin} \
--realm-max-renewable-life=1month \
${R} || exit 1
${kadmin} add -p foo --use-defaults foo@${R} || exit 1
${kadmin} add -p foo --use-defaults bar@${R} || exit 1
${kadmin} add -p "$foopassword" --use-defaults foo@${R} || exit 1
${kadmin} add -p "$foopassword" --use-defaults bar@${R} || exit 1
${kadmin} add -p kaka --use-defaults ${server}@${R} || exit 1
${kadmin} cpw --random-password bar@${R} > /dev/null || exit 1
@@ -111,11 +113,11 @@ ${kadmin} cpw --random-password bar@${R} > /dev/null || exit 1
${kadmin} cpw --random-password bar@${R} > /dev/null || exit 1
${kadmin} cpw --random-password suser@${R} > /dev/null|| exit 1
${kadmin} cpw --password=foo suser@${R} || exit 1
${kadmin} cpw --password="$foopassword" suser@${R} || exit 1
${kadmin} list '*' > /dev/null || exit 1
echo foo > ${objdir}/foopassword
echo "$foopassword" > ${objdir}/foopassword
echo Starting kdc
${kdc} --detach --testing || { echo "kdc failed to start"; exit 1; }