1 Patch built against MIT Kerberos 1.4.4. Note that this patch was
2 generated with some other Stanford-local patches applied and therefore may
3 not apply entirely cleanly. I will hopefully have a chance to regenerate
4 a clean patch against a virgin source tarball for a later release.
6 This patch may apply to earlier or later versions but may not and will
9 Note that this patch unconditionally adds -ldl to the link line and will
10 require modification on platforms that use some other library for dlopen
14 Index: krb5-local/src/lib/kadm5/admin.h
15 ===================================================================
16 --- krb5-local.orig/src/lib/kadm5/admin.h 2006-06-06 16:22:39.000000000 -0700
17 +++ krb5-local/src/lib/kadm5/admin.h 2006-06-06 16:29:45.000000000 -0700
18 @@ -227,6 +227,7 @@ typedef struct _kadm5_config_params {
22 + char * pwcheck_plugin;
26 Index: krb5-local/src/lib/kadm5/alt_prof.c
27 ===================================================================
28 --- krb5-local.orig/src/lib/kadm5/alt_prof.c 2006-06-06 16:22:39.000000000 -0700
29 +++ krb5-local/src/lib/kadm5/alt_prof.c 2006-06-06 16:29:45.000000000 -0700
30 @@ -514,7 +514,15 @@ krb5_error_code kadm5_get_config_params(
31 params.mask |= KADM5_CONFIG_DICT_FILE;
32 params.dict_file = svalue;
36 + /* Right now, always get the value for the pwcheck plugin */
37 + hierarchy[2] = "pwcheck_plugin";
38 + if (aprofile && !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
39 + params.pwcheck_plugin = svalue;
41 + params.pwcheck_plugin = NULL;
44 /* Get the value for the kadmind port */
45 if (! (params.mask & KADM5_CONFIG_KADMIND_PORT)) {
46 hierarchy[2] = "kadmind_port";
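Review bot: `params.pwcheck_plugin` is filled in here without a matching mask bit, unlike `dict_file` just above, which sets `KADM5_CONFIG_DICT_FILE`. Consumers therefore cannot distinguish a populated field from one that was never initialized, and init_dict in server_dict.c tests the pointer directly before handing it to dlopen; a caller that builds kadm5_config_params by hand without zeroing it would pass an indeterminate pointer. The string returned by krb5_aprof_get_string also appears to be heap-allocated like the other `svalue` results, and no hunk in this patch releases it, so the config-free path presumably needs a matching free. The enclosing kadm5_get_config_params starts and ends outside the hunk.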
47 Index: krb5-local/src/lib/kadm5/server_internal.h
48 ===================================================================
49 --- krb5-local.orig/src/lib/kadm5/server_internal.h 2006-06-06 16:22:39.000000000 -0700
50 +++ krb5-local/src/lib/kadm5/server_internal.h 2006-06-06 16:29:45.000000000 -0700
51 @@ -59,7 +59,7 @@ krb5_error_code kdb_iter_entry(kadm5
54 int init_dict(kadm5_config_params *);
55 -int find_word(const char *word);
56 +int find_word(const char *word, const char *princ);
57 void destroy_dict(void);
59 /* XXX this ought to be in libkrb5.a, but isn't */
60 Index: krb5-local/src/lib/kadm5/srv/server_dict.c
61 ===================================================================
62 --- krb5-local.orig/src/lib/kadm5/srv/server_dict.c 2006-06-06 16:22:39.000000000 -0700
63 +++ krb5-local/src/lib/kadm5/srv/server_dict.c 2006-06-06 16:29:45.000000000 -0700
64 @@ -24,11 +24,17 @@ static char *rcsid = "$Header$";
65 #include "adm_proto.h"
67 #include "server_internal.h"
70 static char **word_list = NULL; /* list of word pointers */
71 static char *word_block = NULL; /* actual word data */
72 static unsigned int word_count = 0; /* number of words */
74 +static void *plugin_handle = NULL; /* Library plugin handle */
75 +static int (*d_pwcheck_init)(void **, const char *);
76 +static int (*d_pwcheck_check)(void *, const char *, const char *,
78 +static void (*d_pwcheck_close)(void *);
79 +static void *d_pwcheck_context;
82 * Function: word_compare
83 @@ -86,6 +92,44 @@ int init_dict(kadm5_config_params *param
87 + if (plugin_handle != NULL)
89 + if (params->pwcheck_plugin) {
90 + plugin_handle = dlopen(params->pwcheck_plugin, RTLD_NOW);
92 + if (! plugin_handle) {
93 + krb5_klog_syslog(LOG_ERR, "WARNING: Unable to load plugin "
94 + "\"%s\": %s, continuing without password checking",
95 + params->pwcheck_plugin, dlerror());
98 + d_pwcheck_init = dlsym(plugin_handle, "pwcheck_init");
99 + d_pwcheck_check = dlsym(plugin_handle, "pwcheck_check");
100 + d_pwcheck_close = dlsym(plugin_handle, "pwcheck_close");
102 + if (d_pwcheck_init == NULL || d_pwcheck_check == NULL ||
103 + d_pwcheck_close == NULL) {
104 + krb5_klog_syslog(LOG_ERR, "WARNING: Needed symbols missing in "
105 + "pwcheck plugin, continuing without password "
107 + dlclose(plugin_handle);
108 + plugin_handle = NULL;
112 + if ((*d_pwcheck_init)(&d_pwcheck_context, params->dict_file)) {
113 + krb5_klog_syslog(LOG_ERR, "WARNING: Plugin initialization failed, "
114 + "continuing without password checking.");
115 + dlclose(plugin_handle);
116 + plugin_handle = NULL;
120 + krb5_klog_syslog(LOG_INFO, "Password checking plugin \"%s\" "
121 + "initialized.", params->pwcheck_plugin);
125 if(word_list != NULL && word_block != NULL)
127 if (! (params->mask & KADM5_CONFIG_DICT_FILE)) {
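Review bot: Every failure path in the added block fails open: a dlopen error, a missing symbol, or a non-zero return from `pwcheck_init` each log a WARNING and leave kadmind running with no plugin check at all. For a control whose purpose is enforcing password quality, a typo in `pwcheck_plugin` or a removed library silently downgrades the policy; when the option is set, init_dict should return an error so the failure is noticed at startup. Separately, `params->pwcheck_plugin` goes to dlopen unvalidated, and a value without a slash is resolved through the dynamic loader's search path; rejecting non-absolute values with `if (params->pwcheck_plugin[0] != '/')` before the dlopen call keeps the loaded code tied to a path the administrator named. init_dict begins and continues outside the hunk.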
128 @@ -154,10 +198,26 @@ int init_dict(kadm5_config_params *param
132 -find_word(const char *word)
133 +find_word(const char *word, const char *princ)
137 + if (plugin_handle) {
138 + char ret_message[256];
141 + ret_value = (*d_pwcheck_check)(d_pwcheck_context, word, princ,
142 + ret_message, sizeof(ret_message));
145 + krb5_klog_syslog(LOG_INFO, "pwcheck plugin rejected new change: "
146 + "%s", ret_message);
149 + return WORD_NOT_FOUND;
153 if(word_list == NULL || word_block == NULL)
154 return WORD_NOT_FOUND;
155 if ((value = (char **) bsearch(&word, word_list, word_count, sizeof(char *),
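Review bot: `ret_message` is an uninitialized 256-byte stack buffer that is logged with `%s` after `d_pwcheck_check` returns, so a plugin that rejects without writing a message, or that fills the buffer without a terminator, makes the syslog call read indeterminate stack data. Set `ret_message[0] = '\0';` before the call and `ret_message[sizeof(ret_message) - 1] = '\0';` after it. The plugin's text is written to syslog verbatim, so a comment above the call should state the plugin contract: which return value means rejection, and that the message must never echo the candidate password. Including `princ` in the log line would also make rejections attributable during audit. The rest of find_word lies outside the hunk.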
156 @@ -189,6 +249,9 @@ find_word(const char *word)
161 + (*d_pwcheck_close)(d_pwcheck_context);
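Review bot: The hunk header adds only three lines around this call, which is not enough room for a `plugin_handle` guard, the close call, `dlclose(plugin_handle);` and `plugin_handle = NULL;` together. If the reset is the part that is missing, a find_word call after destroy_dict would still see a non-NULL handle and pass the closed context to `d_pwcheck_check`; if the guard is missing, the call goes through a NULL function pointer whenever no plugin was loaded. The neighbouring added lines are not visible in this view, so this is something to confirm rather than a definite defect. destroy_dict's body starts outside the hunk.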
166 Index: krb5-local/src/lib/kadm5/srv/server_misc.c
167 ===================================================================
168 --- krb5-local.orig/src/lib/kadm5/srv/server_misc.c 2006-06-06 16:22:39.000000000 -0700
169 +++ krb5-local/src/lib/kadm5/srv/server_misc.c 2006-06-06 16:29:45.000000000 -0700
170 @@ -129,6 +129,7 @@ passwd_check(kadm5_server_handle_t handl
174 + krb5_error_code ret;
176 extern struct passwd *hes_getpwnam();
178 @@ -159,9 +160,14 @@ passwd_check(kadm5_server_handle_t handl
180 if ((nupper + nlower + ndigit + npunct + nspec) < pol->pw_min_classes)
181 return KADM5_PASS_Q_CLASS;
182 - if((find_word(password) == KADM5_OK))
183 + ret = krb5_unparse_name(handle->context, principal, &cp);
186 + ret = find_word(password, cp);
187 + krb5_free_unparsed_name(handle->context, cp);
188 + if(ret == KADM5_OK) {
189 return KADM5_PASS_Q_DICT;
192 int i, n = krb5_princ_size(handle->context, principal);
193 cp = krb5_princ_realm(handle->context, principal)->data;
194 if (strcasecmp(cp, password) == 0)
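Review bot: `ret` carries two unrelated result domains in the added lines: first the `krb5_error_code` from `krb5_unparse_name`, then the found/not-found value of `find_word`, which is compared with `KADM5_OK` to mean that the password was rejected. A separate `int found = find_word(password, cp);` would keep a krb5 failure from ever being read as a dictionary verdict. The handling of a failed `krb5_unparse_name` is not visible in this view; it needs to return before `cp` is passed to find_word or freed. passwd_check starts and ends outside the hunk.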
195 Index: krb5-local/src/lib/kadm5/Makefile.in
196 ===================================================================
197 --- krb5-local.orig/src/lib/kadm5/Makefile.in 2006-06-06 16:22:39.000000000 -0700
198 +++ krb5-local/src/lib/kadm5/Makefile.in 2006-06-06 16:29:45.000000000 -0700
199 @@ -53,6 +53,8 @@ STLIBOBJS = \
205 HDRDIR=$(BUILDTOP)/include/kadm5
206 HDRS = $(HDRDIR)/adb.h \
208 Index: krb5-local/src/config/pre.in
209 ===================================================================
210 --- krb5-local.orig/src/config/pre.in 2006-06-06 16:31:20.000000000 -0700
211 +++ krb5-local/src/config/pre.in 2006-06-06 16:31:33.000000000 -0700
212 @@ -393,7 +393,7 @@ GSS_LIBS = $(GSS_KRB5_LIB)
213 GSSRPC_LIBS = -lgssrpc $(GSS_LIBS)
214 KADM_COMM_LIBS = $(GSSRPC_LIBS)
215 # need fixing if ever used on Mac OS X!
216 -KADMSRV_LIBS = -lkadm5srv $(HESIOD_LIBS) $(KDB5_LIBS) $(KADM_COMM_LIBS)
217 +KADMSRV_LIBS = -lkadm5srv $(HESIOD_LIBS) $(KDB5_LIBS) $(KADM_COMM_LIBS) -ldl
218 KADMCLNT_LIBS = -lkadm5clnt $(KADM_COMM_LIBS)
220 # need fixing if ever used on Mac OS X!