path: root/third_party/heimdal/lib/kadm5/check-cracklib.pl
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-05 17:47:29 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-05 17:47:29 +0000
commit4f5791ebd03eaec1c7da0865a383175b05102712 (patch)
tree8ce7b00f7a76baa386372422adebbe64510812d4 /third_party/heimdal/lib/kadm5/check-cracklib.pl
parentInitial commit. (diff)
downloadsamba-4f5791ebd03eaec1c7da0865a383175b05102712.tar.xz
samba-4f5791ebd03eaec1c7da0865a383175b05102712.zip
Adding upstream version 2:4.17.12+dfsg.upstream/2%4.17.12+dfsgupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'third_party/heimdal/lib/kadm5/check-cracklib.pl')
-rw-r--r--third_party/heimdal/lib/kadm5/check-cracklib.pl112
1 files changed, 112 insertions, 0 deletions
diff --git a/third_party/heimdal/lib/kadm5/check-cracklib.pl b/third_party/heimdal/lib/kadm5/check-cracklib.pl
new file mode 100644
index 0000000..a6fbd4c
--- /dev/null
+++ b/third_party/heimdal/lib/kadm5/check-cracklib.pl
@@ -0,0 +1,112 @@
+#!/usr/pkg/bin/perl
+#
+# Sample password verifier for Heimdals external password
+# verifier, see the chapter "Password changing" in the the info
+# documentation for more information about the protocol used.
+#
+# Three checks
+# 1. Check that password is not the principal name
+# 2. Check that the password passes cracklib
+# 3. Check that password isn't repeated for this principal
+#
+# The repeat check must be last because some clients ask
+# twice when getting "no" back and thus the error message
+# would be wrong.
+#
+# Prereqs (example versions):
+#
+# * perl (5.8.5) http://www.perl.org/
+# * cracklib (2.8.5) http://sourceforge.net/projects/cracklib
+# * Crypt-Cracklib perlmodule (0.01) http://search.cpan.org/~daniel/
+#
+# Sample dictionaries:
+# cracklib-words (1.1) http://sourceforge.net/projects/cracklib
+# miscfiles (1.4.2) http://directory.fsf.org/miscfiles.html
+#
+# Configuration for krb5.conf or kdc.conf
+#
+# [password_quality]
+# policies = builtin:external-check
+# external_program = <your-path>/check-cracklib.pl
+#
+# $Id$
+
+use strict;
+use Crypt::Cracklib;
+use Digest::MD5;
+
+# NEED TO CHANGE THESE TO MATCH YOUR SYSTEM
+my $database = '/usr/lib/cracklib_dict';
+my $historydb = '/var/heimdal/historydb';
+# NEED TO CHANGE THESE TO MATCH YOUR SYSTEM
+
+# seconds password reuse allowed (to catch retries from clients)
+my $reusetime = 60;
+
+my %params;
+
+sub check_basic
+{
+ my $principal = shift;
+ my $passwd = shift;
+
+ if ($principal eq $passwd) {
+ return "Principal name as password is not allowed";
+ }
+ return "ok";
+}
+
+sub check_repeat
+{
+ my $principal = shift;
+ my $passwd = shift;
+ my $result = 'Do not reuse passwords';
+ my %DB;
+ my $md5context = new Digest::MD5;
+ my $timenow = scalar(time());
+
+ $md5context->reset();
+ $md5context->add($principal, ":", $passwd);
+
+ my $key=$md5context->hexdigest();
+
+ dbmopen(%DB,$historydb,0600) or die "Internal: Could not open $historydb";
+ if (!$DB{$key} || ($timenow - $DB{$key} < $reusetime)) {
+ $result = "ok";
+ $DB{$key}=$timenow;
+ }
+ dbmclose(%DB) or die "Internal: Could not close $historydb";
+ return $result;
+}
+
+sub badpassword
+{
+ my $reason = shift;
+ print "$reason\n";
+ exit 0
+}
+
+while (<STDIN>) {
+ last if /^end$/;
+ if (!/^([^:]+): (.+)$/) {
+ die "key value pair not correct: $_";
+ }
+ $params{$1} = $2;
+}
+
+die "missing principal" if (!defined $params{'principal'});
+die "missing password" if (!defined $params{'new-password'});
+
+my $reason;
+
+$reason = check_basic($params{'principal'}, $params{'new-password'});
+badpassword($reason) if ($reason ne "ok");
+
+$reason = fascist_check($params{'new-password'}, $database);
+badpassword($reason) if ($reason ne "ok");
+
+$reason = check_repeat($params{'principal'}, $params{'new-password'});
+badpassword($reason) if ($reason ne "ok");
+
+print "APPROVED\n";
+exit 0
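Review bot: The history database written at `$DB{$key}=$timenow` in check_repeat keeps a bare `MD5(principal . ":" . password)` for every accepted password, including the one currently in use, so anyone who can read `/var/heimdal/historydb` gets an offline, MD5-speed brute-force target that is weaker than the KDC's own database; the principal name is the only salt and is known to the attacker. Digest::MD5 is the only digest this sample loads, so a slower or properly salted construction is not a one-line change here, but the header comment should at least say so, e.g. `# historydb stores MD5(principal:password) for every accepted password -- protect it like the KDB (KDC user only, mode 0600) or switch to a slow, salted hash`. The 0600 passed to dbmopen is only the creation mode; an existing file with looser permissions is reused as-is, so the ownership/mode must be set by whoever deploys the script. Entries are also never expired, so the file grows with every successful change. This is an upstream Heimdal sample vendored under third_party, so the fix belongs upstream rather than in this packaging import.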