support output passphrases for copy certificate
[heimdal.git] / lib / kadm5 / check-cracklib.pl
blobe52fc527362a5530fd1f3c1ff3796d00fed12f78
1 #!/usr/pkg/bin/perl
3 # Sample password verifier for Heimdals external password
4 # verifier, see the chapter "Password changing" in the the info
5 # documentation for more information about the protocol used.
7 # Three checks
8 # 1. Check that password is not the principal name
9 # 2. Check that the password passes cracklib
10 # 3. Check that password isn't repeated for this principal
12 # The repeat check must be last because some clients ask
13 # twice when getting "no" back and thus the error message
14 # would be wrong.
16 # Prereqs (example versions):
18 # * perl (5.8.5) http://www.perl.org/
19 # * cracklib (2.8.5) http://sourceforge.net/projects/cracklib
20 # * Crypt-Cracklib perlmodule (0.01) http://search.cpan.org/~daniel/
22 # Sample dictionaries:
23 # cracklib-words (1.1) http://sourceforge.net/projects/cracklib
24 # miscfiles (1.4.2) http://directory.fsf.org/miscfiles.html
26 # Configuration for krb5.conf or kdc.conf
28 # [password_quality]
29 # policies = builtin:external-check
30 # external_program = <your-path>/check-cracklib.pl
32 # $Id$
34 use strict;
35 use Crypt::Cracklib;
36 use Digest::MD5;
38 # NEED TO CHANGE THESE TO MATCH YOUR SYSTEM
39 my $database = '/usr/lib/cracklib_dict';
40 my $historydb = '/var/heimdal/historydb';
41 # NEED TO CHANGE THESE TO MATCH YOUR SYSTEM
43 my %params;
45 sub check_basic
47 my $principal = shift;
48 my $passwd = shift;
50 if ($principal eq $passwd) {
51 return "Principal name as password is not allowed";
53 return "ok";
56 sub check_repeat
58 my $principal = shift;
59 my $passwd = shift;
60 my $result = 'Do not reuse passwords';
61 my %DB;
62 my $md5context = new Digest::MD5;
64 $md5context->reset();
65 $md5context->add($principal, ":", $passwd);
67 my $key=$md5context->hexdigest();
69 dbmopen(%DB,$historydb,0600) or die "Internal: Could not open $historydb";
70 $result = "ok" if (!$DB{$key});
71 $DB{$key}=scalar(time());
72 dbmclose(%DB) or die "Internal: Could not close $historydb";
73 return $result;
76 sub badpassword
78 my $reason = shift;
79 print "$reason\n";
80 exit 0
83 while (<>) {
84 last if /^end$/;
85 if (!/^([^:]+): (.+)$/) {
86 die "key value pair not correct: $_";
88 $params{$1} = $2;
91 die "missing principal" if (!defined $params{'principal'});
92 die "missing password" if (!defined $params{'new-password'});
94 my $reason;
96 $reason = check_basic($params{'principal'}, $params{'new-password'});
97 badpassword($reason) if ($reason ne "ok");
99 $reason = fascist_check($params{'new-password'}, $database);
100 badpassword($reason) if ($reason ne "ok");
102 $reason = check_repeat($params{'principal'}, $params{'new-password'});
103 badpassword($reason) if ($reason ne "ok");
105 print "APPROVED\n";
106 exit 0