3 # Sample password verifier for Heimdals external password
4 # verifier, see the chapter "Password changing" in the the info
5 # documentation for more information about the protocol used.
8 # 1. Check that password is not the principal name
9 # 2. Check that the password passes cracklib
10 # 3. Check that password isn't repeated for this principal
12 # The repeat check must be last because some clients ask
13 # twice when getting "no" back and thus the error message
16 # Prereqs (example versions):
18 # * perl (5.8.5) http://www.perl.org/
19 # * cracklib (2.8.5) http://sourceforge.net/projects/cracklib
20 # * Crypt-Cracklib perlmodule (0.01) http://search.cpan.org/~daniel/
22 # Sample dictionaries:
23 # cracklib-words (1.1) http://sourceforge.net/projects/cracklib
24 # miscfiles (1.4.2) http://directory.fsf.org/miscfiles.html
26 # Configuration for krb5.conf or kdc.conf
29 # policies = builtin:external-check
30 # external_program = <your-path>/check-cracklib.pl
38 # NEED TO CHANGE THESE TO MATCH YOUR SYSTEM
39 my $database = '/usr/lib/cracklib_dict';
40 my $historydb = '/var/heimdal/historydb';
41 # NEED TO CHANGE THESE TO MATCH YOUR SYSTEM
47 my $principal = shift;
50 if ($principal eq $passwd) {
51 return "Principal name as password is not allowed";
58 my $principal = shift;
60 my $result = 'Do not reuse passwords';
62 my $md5context = new Digest
::MD5
;
65 $md5context->add($principal, ":", $passwd);
67 my $key=$md5context->hexdigest();
69 dbmopen(%DB,$historydb,0600) or die "Internal: Could not open $historydb";
70 $result = "ok" if (!$DB{$key});
71 $DB{$key}=scalar(time());
72 dbmclose(%DB) or die "Internal: Could not close $historydb";
85 if (!/^([^:]+): (.+)$/) {
86 die "key value pair not correct: $_";
91 die "missing principal" if (!defined $params{'principal'});
92 die "missing password" if (!defined $params{'new-password'});
96 $reason = check_basic
($params{'principal'}, $params{'new-password'});
97 badpassword
($reason) if ($reason ne "ok");
99 $reason = fascist_check
($params{'new-password'}, $database);
100 badpassword
($reason) if ($reason ne "ok");
102 $reason = check_repeat
($params{'principal'}, $params{'new-password'});
103 badpassword
($reason) if ($reason ne "ok");