1 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
2 /*
3 * Copyright (C) 2010 by the Massachusetts Institute of Technology.
4 * All rights reserved.
5 *
6 * Export of this software from the United States of America may
7 * require a specific license from the United States Government.
8 * It is the responsibility of any person or organization contemplating
9 * export to obtain such a license before exporting.
10 *
11 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
12 * distribute this software and its documentation for any purpose and
13 * without fee is hereby granted, provided that the above copyright
14 * notice appear in all copies and that both that copyright notice and
15 * this permission notice appear in supporting documentation, and that
16 * the name of M.I.T. not be used in advertising or publicity pertaining
17 * to distribution of the software without specific, written prior
18 * permission. Furthermore if you modify this software you must label
19 * your software as modified software and not distribute it in such a
20 * fashion that it might be confused with the original M.I.T. software.
21 * M.I.T. makes no representations about the suitability of
22 * this software for any purpose. It is provided "as is" without express
23 * or implied warranty.
24 */
25 /*
26 * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
27 */
28
29 #include "k5-int.h"
30 #include <kdb.h>
31 #include <ctype.h>
32 #include <pwd.h>
33 #include <syslog.h>
34 #include "server_internal.h"
35 #include <adm_proto.h>
36
37 kadm5_ret_t
init_pwqual(kadm5_server_handle_t handle)38 init_pwqual(kadm5_server_handle_t handle)
39 {
40 krb5_error_code ret;
41 pwqual_handle *list;
42 const char *dict_file = NULL;
43
44 /* Register the built-in password quality modules. */
45 ret = k5_plugin_register(handle->context, PLUGIN_INTERFACE_PWQUAL,
46 "dict", pwqual_dict_initvt);
47 if (ret != 0)
48 return ret;
49 ret = k5_plugin_register(handle->context, PLUGIN_INTERFACE_PWQUAL,
50 "empty", pwqual_empty_initvt);
51 if (ret != 0)
52 return ret;
53 ret = k5_plugin_register(handle->context, PLUGIN_INTERFACE_PWQUAL,
54 "hesiod", pwqual_hesiod_initvt);
55 if (ret != 0)
56 return ret;
57 ret = k5_plugin_register(handle->context, PLUGIN_INTERFACE_PWQUAL,
58 "princ", pwqual_princ_initvt);
59 if (ret != 0)
60 return ret;
61
62 /* Load all available password quality modules. */
63 if (handle->params.mask & KADM5_CONFIG_DICT_FILE)
64 dict_file = handle->params.dict_file;
65 ret = k5_pwqual_load(handle->context, dict_file, &list);
66 if (ret != 0)
67 return ret;
68
69 handle->qual_handles = list;
70 return 0;
71 }
72
73 /* Check that a password meets the quality constraints given in pol. */
74 static kadm5_ret_t
check_against_policy(kadm5_server_handle_t handle,const char * password,kadm5_policy_ent_t pol)75 check_against_policy(kadm5_server_handle_t handle, const char *password,
76 kadm5_policy_ent_t pol)
77 {
78 int hasupper = 0, haslower = 0, hasdigit = 0, haspunct = 0, hasspec = 0;
79 int c, nclasses;
80
81 /* Check against the policy's minimum length. */
82 if (strlen(password) < (size_t)pol->pw_min_length)
83 return KADM5_PASS_Q_TOOSHORT;
84
85 /* Check against the policy's minimum number of character classes. */
86 while ((c = (unsigned char)*password++) != '\0') {
87 if (islower(c))
88 haslower = 1;
89 else if (isupper(c))
90 hasupper = 1;
91 else if (isdigit(c))
92 hasdigit = 1;
93 else if (ispunct(c))
94 haspunct = 1;
95 else
96 hasspec = 1;
97 }
98 nclasses = hasupper + haslower + hasdigit + haspunct + hasspec;
99 if (nclasses < pol->pw_min_classes)
100 return KADM5_PASS_Q_CLASS;
101 return KADM5_OK;
102 }
103
104 /* Check a password against all available password quality plugin modules
105 * and against policy. */
106 kadm5_ret_t
passwd_check(kadm5_server_handle_t handle,const char * password,kadm5_policy_ent_t policy,krb5_principal princ)107 passwd_check(kadm5_server_handle_t handle, const char *password,
108 kadm5_policy_ent_t policy, krb5_principal princ)
109 {
110 krb5_error_code ret;
111 pwqual_handle *h;
112 const char *polname = (policy == NULL) ? NULL : policy->policy;
113
114 if (policy != NULL) {
115 ret = check_against_policy(handle, password, policy);
116 if (ret != 0)
117 return ret;
118 }
119 for (h = handle->qual_handles; *h != NULL; h++) {
120 ret = k5_pwqual_check(handle->context, *h, password, polname, princ);
121 if (ret != 0) {
122 const char *e = krb5_get_error_message(handle->context, ret);
123 const char *modname = k5_pwqual_name(handle->context, *h);
124 char *princname;
125 if (krb5_unparse_name(handle->context, princ, &princname) != 0)
126 princname = NULL;
127 krb5_klog_syslog(LOG_ERR,
128 _("password quality module %s rejected password "
129 "for %s: %s"), modname,
130 princname ? princname : "(can't unparse)", e);
131 krb5_free_error_message(handle->context, e);
132 free(princname);
133 return ret;
134 }
135 }
136 return 0;
137 }
138
139 void
destroy_pwqual(kadm5_server_handle_t handle)140 destroy_pwqual(kadm5_server_handle_t handle)
141 {
142 k5_pwqual_free_handles(handle->context, handle->qual_handles);
143 handle->qual_handles = NULL;
144 }
145
146 kadm5_ret_t
kadm5_get_privs(void * server_handle,long * privs)147 kadm5_get_privs(void *server_handle, long *privs)
148 {
149 CHECK_HANDLE(server_handle);
150
151 /* this is impossible to do with the current interface. For now,
152 return all privs, which will confuse some clients, but not
153 deny any access to users of "smart" clients which try to cache */
154
155 *privs = ~0;
156
157 return KADM5_OK;
158 }
159