void
kadm5_setup_passwd_quality_check(krb5_context context, const char *check_library, const char *check_function);

krb5_error_code
kadm5_add_passwd_quality_verifier(krb5_context context, const char *check_library);

const char *
kadm5_check_password_quality(krb5_context context, krb5_principal principal, krb5_data *pwd_data);

int
(*kadm5_passwd_quality_check_func)(krb5_context context, krb5_principal principal, krb5_data *password, const char *tuning, char *message, size_t length);

There are two versions of the shared object API; the old version (0) is deprecated, but still supported. The new version (1) supports multiple password quality checking modules in the same shared object. See below for details.
The password quality checker will run over all tests that are configured by the user.
Module names are of the form `vendor:test-name' or, if the test name is unique enough, just `test-name'.
Module shared objects may conveniently be compiled and linked with libtool(1).
An object needs to export a symbol called `kadm5_password_verifier' of the type struct kadm5_pw_policy_verifier. Its name and vendor fields should contain the obvious information and version should be KADM5_PASSWD_VERSION_V1. funcs contains an array of struct kadm5_pw_policy_check_func structures that is terminated with an entry whose name component is NULL.
The func fields of the array elements are functions that are exported by the module to be called to check the password. They get the following arguments: the Kerberos context, principal, password, a tuning parameter, and a pointer to a message buffer and its length. The tuning parameter for the quality check function is currently always NULL. If the password is acceptable, the function returns zero. Otherwise it returns non-zero and fills in the message buffer with an appropriate explanation.
kadm5_add_passwd_quality_verifier sets up type 1 checks. It sets up all type 1 tests defined in krb5.conf(5) if called with a null second argument.
kadm5_check_password_quality runs the checks in the order in which they are defined in krb5.conf(5) and the order in which they occur in a module's funcs array until one returns non-zero.
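
A version 1 module of the kind described above, as an added example that is not code from this page or from the library. The type definitions are constructed stand-ins (their field order is an assumption) and the vendor, module and check names and the two policies are hypothetical; with these names the checks would be referred to as `example:min-length' and `example:classes'.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
/* Constructed stand-ins so this file compiles alone; a real module takes these
 * from the library's krb5/kadm5 headers. Field order here is an assumption. */
typedef void *krb5_context, *krb5_principal;
typedef struct { size_t length; void *data; } krb5_data;
typedef int (*kadm5_passwd_quality_check_func)(krb5_context, krb5_principal,
    krb5_data *, const char *, char *, size_t);
struct kadm5_pw_policy_check_func { const char *name; kadm5_passwd_quality_check_func func; };
struct kadm5_pw_policy_verifier { const char *name; int version; const char *vendor;
    const struct kadm5_pw_policy_check_func *funcs; };
#define KADM5_PASSWD_VERSION_V1 1

/* Check 1: minimum length. Use pwd->length; the data is not NUL-terminated. */
static int check_min_length(krb5_context c, krb5_principal p, krb5_data *pwd,
                            const char *tuning, char *message, size_t length)
{
    (void)c; (void)p; (void)tuning;      /* tuning is currently always NULL */
    if (pwd->length >= 12) return 0;     /* zero means acceptable */
    snprintf(message, length, "password shorter than 12 bytes");
    return 1;
}

/* Check 2: require at least one letter and one digit. */
static int check_classes(krb5_context c, krb5_principal p, krb5_data *pwd,
                         const char *tuning, char *message, size_t length)
{
    const unsigned char *s = pwd->data;
    int alpha = 0, digit = 0;
    (void)c; (void)p; (void)tuning;
    for (size_t i = 0; i < pwd->length; i++) {   /* bounded by length, not by NUL */
        alpha |= isalpha(s[i]) != 0;
        digit |= isdigit(s[i]) != 0;
    }
    if (alpha && digit) return 0;
    snprintf(message, length, "password needs a letter and a digit");
    return 1;
}

static const struct kadm5_pw_policy_check_func example_funcs[] = {
    { .name = "min-length", .func = check_min_length },
    { .name = "classes",    .func = check_classes },
    { .name = NULL,         .func = NULL }       /* terminator: name is NULL */
};
/* The symbol the loader looks up in the shared object. */
struct kadm5_pw_policy_verifier kadm5_password_verifier = {
    .name = "example-checks", .version = KADM5_PASSWD_VERSION_V1,
    .vendor = "example", .funcs = example_funcs
};
```

Both checks bound every read by the krb5_data length and every write by the message buffer length they are handed, which is the part of the interface most easily gotten wrong.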