change, further expiration periods are normally controlled by the KDC
configuration or policy.
+ In the Heimdal backend, map password quality errors on account
+ creation or password reset to a generic error. The kadmin protocol
+ doesn't have a mechanism for passing back the rich error message from
+ the password quality check, so all failures use the same error string.
+ Remap it here, since the error message from Heimdal is of dubious
+ accuracy. This will only apply to sites that have patched Heimdal to
+ do password quality checks on administrative operations.
+
kadmin-remctl 3.5 (2013-10-10)
Increase the timeout for initial authentication during a kpasswd
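Review bot: the closing sentences of this entry ("all failures use the same error string") overstate what the accompanying code does; the remap only triggers when Heimdal's message contains "Password is in the password dictionary", so any other quality-check failure still surfaces Heimdal's own text. Either name the message that is remapped or state the generic string ("password may be vulnerable to attack") that callers will now see, so site administrators know what to expect.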
# Disable sending of kadmin's output to our standard output.
$Expect::Log_Stdout = 0;
+# Generic error message used when account creation or password reset fail due
+# to a password quality error. kadmin can't return the rich error message
+# from the password quality check, so we have to collapse all error messages
+# down to a single string.
+our $GENERIC_ERROR = 'password may be vulnerable to attack';
+
# Account used to test password strength.
our $STRENGTH = 'service/password-strength';
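Review bot: the comment above `$GENERIC_ERROR` says all error messages are collapsed to a single string, but the two call sites below only remap the dictionary match, so the comment should be narrowed to what the code actually does. Since the same literal regex is repeated at both call sites, consider defining it here next to the message, e.g. `our $QUALITY_ERROR = qr/Password is in the password dictionary/;`, so the pattern and its replacement live together and a future change in Heimdal's wording is fixed in one place.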
if (!eval { $kadmin->createPrincipal ($princdata, $password, 0) }) {
my $error = $@ || "unknown error\n";
+ if ($error =~ /Password is in the password dictionary/) {
+ $error = $GENERIC_ERROR . "\n";
+ }
warn "error: cannot create $principal: $error";
exit 1;
}
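Review bot: the match is an unanchored, case-sensitive substring test against whatever `$@` carried out of the eval, which is adequate for detection, but the three added lines are duplicated verbatim in the changePassword path below; factor them into a small helper (take `$error`, return the remapped string) so both paths stay in step. A short comment noting that the pattern is tied to Heimdal's current wording would also help, since a wording change there would silently stop the remap without any test failing.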
eval { $kadmin->changePassword ($principal, $password) };
if ($@) {
my $error = $@ || "unknown error\n";
+ if ($error =~ /Password is in the password dictionary/) {
+ $error = $GENERIC_ERROR . "\n";
+ }
warn "error: cannot change password for $principal: $error\n";
exit 1;
}
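Review bot: the `warn` in this hunk appends "\n" to `$error`, but `$error` already ends in a newline on both paths (`$GENERIC_ERROR . "\n"` and the `"unknown error\n"` default), so the message is followed by a blank line, while the createPrincipal branch above omits the trailing "\n". Pick one convention, most simply dropping the "\n" here to match the create path.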