The patches in this directory apply to MIT Kerberos and add to kadmind a
plugin API for checking the acceptability of a password before any
password (key) change and rejecting the change if the new password is

Currently, there is only one patch available:

    mit-krb5-1.4.4      Built against MIT Kerberos 1.4.4

This patch should also apply (with some fuzz) to MIT Kerberos 1.6.

More patches against other source trees may be provided in the future.
Please let me know if there is a specific version you wish to see a patch
for (and even better, let me know if you have a tested patch for a
This patch adds to kadmind a configuration option which should be set in
the local realm section of kdc.conf. That configuration option is in the

    pwcheck_plugin = /usr/local/lib/kadmind/passwd_strength.so

It passes the value of the existing dict_file configuration option, if
any, into the initialization function. If this plugin configuration
option is present, the normal password dictionary check in kadmind is

Any plugin used with this patch must implement the following three
    int pwcheck_init(void **context, const char *dictionary)

Initialize the plugin. A pointer to any data structure that the
plugin needs to initialize can be stored in context. dictionary will
be the value of the dict_path configuration option, if set, and NULL
otherwise. Returns 0 on success and non-zero on failure.

    int pwcheck_check(void *context, const char *password,
                      const char *principal, char *errstr, int errstrlen)
Called immediately before any password change, at the same point that
the existing kadmind dictionary check would be called. context is the
pointer set by pwcheck_init(), if any. password is the new password
and principal is the principal whose password is being changed, in
case the module wants to apply checks based on the username. errstr
is a buffer into which failure messages can be stored and errstrlen is
the length of that buffer.

This function should return 0 for success and non-zero for failure.
On failure, some appropriate error message should be written into the
errstr buffer (being careful to nul-terminate and not exceed errstrlen
bytes including the terminating nul). The return code and the error
message will be logged by kadmind but not passed back to the client.

If this call fails (returns a non-zero status), the password change is
aborted and is not changed in the local KDC database.

    void pwcheck_close(void *context)

Called on kadmind shutdown. This function is responsible for freeing
any resources used by the plugin, if any. context is the pointer set
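As an added illustration of the three-function interface above (this is example code written for this page, not the patch's or the krb5-strength package's own plugin), here is a small plugin that can be compiled as a shared object and named in pwcheck_plugin. The policy it enforces is an assumption chosen for the example: a minimum length of 8, no occurrence of the principal's first name component in the password, and no exact match against the word list whose path pwcheck_init() receives. Because the patch disables kadmind's own dictionary check when a plugin is configured, the plugin must do its own dictionary lookup if one is wanted, which is why that path is kept in the context. The error-message helper writes through errstrlen with snprintf so a too-small buffer yields a truncated but nul-terminated message rather than an overrun.

```c
/* Example kadmind password-strength plugin for the pwcheck_* API.
 * Added example, not the krb5-strength package's code.  Policy values
 * (MIN_LENGTH, the principal-name rule) are assumptions for illustration. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MIN_LENGTH 8            /* assumed policy, not from the page */

struct pwcheck_ctx {
    char *dictionary;           /* copy of the dict path, or NULL */
};

/* Store msg in errstr, never exceeding errstrlen bytes including the nul. */
static void set_error(char *errstr, int errstrlen, const char *msg)
{
    if (errstr == NULL || errstrlen <= 0)
        return;
    snprintf(errstr, (size_t) errstrlen, "%s", msg);
    errstr[errstrlen - 1] = '\0';       /* belt and braces */
}

/* Case-insensitive substring test; an empty needle never matches. */
static int contains_ci(const char *hay, const char *needle)
{
    size_t hl = strlen(hay), nl = strlen(needle), i, j;
    if (nl == 0 || nl > hl)
        return 0;
    for (i = 0; i + nl <= hl; i++) {
        for (j = 0; j < nl; j++)
            if (tolower((unsigned char) hay[i + j])
                != tolower((unsigned char) needle[j]))
                break;
        if (j == nl)
            return 1;
    }
    return 0;
}

/* Exact, case-insensitive match against a one-word-per-line file.
 * A missing file counts as an empty dictionary here. */
static int in_dictionary(const char *path, const char *password)
{
    char line[256];
    FILE *f;
    int found = 0;
    if (path == NULL || (f = fopen(path, "r")) == NULL)
        return 0;
    while (!found && fgets(line, sizeof(line), f) != NULL) {
        line[strcspn(line, "\r\n")] = '\0';
        if (strlen(line) == strlen(password) && contains_ci(line, password))
            found = 1;
    }
    fclose(f);
    return found;
}

int pwcheck_init(void **context, const char *dictionary)
{
    struct pwcheck_ctx *ctx = calloc(1, sizeof(*ctx));
    if (ctx == NULL)
        return 1;
    if (dictionary != NULL) {
        size_t len = strlen(dictionary) + 1;
        ctx->dictionary = malloc(len);
        if (ctx->dictionary == NULL) {
            free(ctx);
            return 1;
        }
        memcpy(ctx->dictionary, dictionary, len);
    }
    *context = ctx;
    return 0;
}

int pwcheck_check(void *context, const char *password,
                  const char *principal, char *errstr, int errstrlen)
{
    struct pwcheck_ctx *ctx = context;
    char name[128];
    size_t n;

    if (password == NULL || strlen(password) < MIN_LENGTH) {
        set_error(errstr, errstrlen, "password is too short");
        return 1;
    }
    /* First component of the principal: the text before '/' or '@'. */
    if (principal != NULL) {
        n = strcspn(principal, "/@");
        if (n >= sizeof(name))
            n = sizeof(name) - 1;
        memcpy(name, principal, n);
        name[n] = '\0';
        if (n >= 3 && contains_ci(password, name)) {
            set_error(errstr, errstrlen, "password contains the principal name");
            return 1;
        }
    }
    if (ctx != NULL && in_dictionary(ctx->dictionary, password)) {
        set_error(errstr, errstrlen, "password is in the dictionary");
        return 1;
    }
    return 0;
}

void pwcheck_close(void *context)
{
    struct pwcheck_ctx *ctx = context;
    if (ctx == NULL)
        return;
    free(ctx->dictionary);
    free(ctx);
}
```

Build it as a shared object (for example `cc -shared -fPIC -o passwd_strength.so plugin.c`) and point pwcheck_plugin at the result; kadmind logs the message left in errstr, so keep it short and free of the password itself.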