From daf508650e311ee6badfd12ecfdc28a13bfa6ea7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?= Date: Fri, 15 Apr 2005 11:46:50 +0000 Subject: [PATCH] document new password policy code git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@14805 ec53bebd-3082-4978-b11e-865c3cabbd6b --- doc/setup.texi | 61 ++++++++++++++++++++++++++++++++++++++------------ 1 file changed, 47 insertions(+), 14 deletions(-) diff --git a/doc/setup.texi b/doc/setup.texi index 282a70b4b..71b0e3296 100644 --- a/doc/setup.texi +++ b/doc/setup.texi 
@@ -386,28 +386,58 @@ to guess them and to avoid off-line attacks (although pre-authentication provides some defense against off-line attacks). To ensure that the users choose good passwords, you can enable password quality controls in -@command{kpasswdd}. The controls themselves are done in a shared library -that is used by @command{kpasswdd}. To configure in these controls, add +@command{kpasswdd} and @command{kadmind}. The controls themselves are done in a shared libraries or an external program that is used by @command{kpasswdd}. To configure in these controls, add lines similar to the following to your @file{/etc/krb5.conf}: @example [password_quality] - check_library = @var{library} - check_function = @var{function} + policies = external-check builtin:minimum-length module:policyname + external-program = /bin/false + policy-libraries = @var{library1.so} @var{library2.so} @end example -The function @var{function} in the shared library @var{library} will be -called for proposed new passwords. The function should be declared as: +In @samp{[password_quality]:policies} the module name is optional if +the policy name is unique in all modules. -@example -const char * -function(krb5_context context, krb5_principal principal, krb5_data *pwd); -@end example +The builtin polices are -The function should verify that @var{pwd} is a good password for -@var{principal}, and if so return @code{NULL}. If it is deemed to be of -low quality, it should return a string explaining why that password -should not be used. +@itemize @bullet + +@item external-check + +Executes the program specified by @samp{[password_quality]external_program}. + +As input to the command a number of key: value pair is passed in on +each line ending with the string ``end''. + +If the external application approves the password ``APPROVED'' must be +returne on standard out and exit with exit-code 0. 
If the program +doesn't approved the password, a one line error explaining the problem +should be returned on standard error and the application should exit +with a exit-code 0. In case of a fatal error, the application should +if possible print an error on stderr and exit with a non zero error +code. + +@item minimum-length + +The minimum length password quality check reads the configuration file +stanza @samp{[password_quality]min_length} and requires the password +to be at least this length. + +@item character-class + +The character-class password quality check reads the configuration +file stanza @samp{[password_quality]min_classes}. The policy requires +the password to have characters from at least that many characters +classes. Default value if not given is 3. + +The four diffrent characters classes are, uppercase, lowercase, +number, special characters. + +@end itemize + +If you want to write you own shared object that checks password +policies, see the manual page @manpage{kadm5_pwcheck,3}. Code for a password quality checking function that uses the cracklib library can be found in @file{lib/kadm5/sample_password_check.c} in the @@ -415,6 +445,9 @@ source code distribution. It requires the cracklib library built with the patch available at @url{ftp://ftp.pdc.kth.se/pub/krb/src/cracklib.patch}. +A sample policy external program is included in +@file{lib/kadm5/check-cracklib.pl}. + If no password quality checking function is configured, it is only verified that it is at least six characters long.
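Review bot: in the first hunk (`@@ -386,28 +386,58 @@`) the configuration example and the prose disagree on the key names: the example writes `external-program = /bin/false` and `policy-libraries = ...` with hyphens, while the description of the external-check policy refers to `@samp{[password_quality]external_program}` with an underscore; one of the two is wrong and an administrator who copies the example will silently get no external check. The example value itself is also a poor choice: by the contract documented a few lines later, a non-zero exit code means a fatal error, and `/bin/false` always exits non-zero, so the example as written would fail every password change; point it at the sample `lib/kadm5/check-cracklib.pl` that the second hunk adds instead. The description of the external-check protocol should name the keys that are passed on the "key: value" lines before the terminating "end" (at minimum which line carries the principal and which the proposed password), since nobody can write a checker from "a number of key: value pair". It should also state what kpasswdd does when the program exits 0 but prints neither "APPROVED" on stdout nor a message on stderr, because approval and rejection are distinguished only by that token. The minimum-length policy documents no default for `min_length`, whereas `min_classes` is given a default of 3; add one. The reference notation is inconsistent between `@samp{[password_quality]:policies}` and `@samp{[password_quality]external_program}`. Finally, the sentence "The controls themselves are done in a shared libraries or an external program that is used by @command{kpasswdd}" should read "in shared libraries" and should also name @command{kadmind}, which the preceding line now lists, and there are typos to fix: "polices", "returne", "doesn't approved", "a exit-code", "diffrent characters classes" and "you own shared object".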
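Review bot: in the second hunk (`@@ -415,6 +445,9 @@`) the unchanged trailing sentence "If no password quality checking function is configured, it is only verified that it is at least six characters long" needs rechecking against the new built-in minimum-length policy introduced in the first hunk: say whether six is the default for `[password_quality]min_length` or a separate fallback that applies only when `policies` is unset. The first hunk also drops the old `check_library` and `check_function` keys without a word about them; this section should state whether existing configurations using those keys are still honored or must be migrated to `policies` and `policy-libraries`.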