1 #!/usr/pkg/bin/perl
# Sample password verifier for Heimdal's external password
# verifier; see the chapter "Password changing" in the info
# documentation for more information about the protocol used.
7 # Three checks
8 # 1. Check that password is not the principal name
9 # 2. Check that the password passes cracklib
10 # 3. Check that password isn't repeated for this principal
12 # The repeat check must be last because some clients ask
13 # twice when getting "no" back and thus the error message
14 # would be wrong.
16 # Prereqs (example versions):
18 # * perl (5.8.5) http://www.perl.org/
19 # * cracklib (2.8.5) http://sourceforge.net/projects/cracklib
20 # * Crypt-Cracklib perlmodule (0.01) http://search.cpan.org/~daniel/
22 # Sample dictionaries:
23 # cracklib-words (1.1) http://sourceforge.net/projects/cracklib
24 # miscfiles (1.4.2) http://directory.fsf.org/miscfiles.html
26 # Configuration for krb5.conf or kdc.conf
28 # [password_quality]
29 # policies = builtin:external-check
30 # external_program = <your-path>/check-cracklib.pl
32 # $Id$
use strict;
use warnings;
use Crypt::Cracklib;
use Digest::MD5;
# NEED TO CHANGE THESE TO MATCH YOUR SYSTEM
# Dictionary handed to cracklib's fascist_check().
my $database  = '/usr/lib/cracklib_dict';
# DBM file holding the principal/password digests seen by check_repeat
# (created with mode 0600 there; keep it unreadable to other users).
my $historydb = '/var/heimdal/historydb';
# NEED TO CHANGE THESE TO MATCH YOUR SYSTEM

# seconds password reuse allowed (to catch retries from clients)
my $reusetime = 60;

# "key: value" pairs read from the KDC on STDIN.
my %params = ();
# Check 1: the password must not be the principal name itself.
#
# The comparison is exact and case-sensitive against the complete
# principal string as the KDC sent it (presumably "user@REALM" --
# verify against the protocol), so a password equal to only the
# unrealmed part of the name is not caught by this check.
#
# Returns "ok" when the check passes, otherwise the rejection message.
sub check_basic
{
    my ($principal, $passwd) = @_;

    return "Principal name as password is not allowed"
        if $principal eq $passwd;
    return "ok";
}
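# Check 3: reject a password this principal has already used.
#
# Each accepted principal/password pair is recorded in the DBM file
# $historydb, keyed by the hex MD5 of "principal:password", with the
# epoch time of its first acceptance as the value.  A pair seen again
# within $reusetime seconds of that first acceptance is still accepted
# (clients tend to ask twice), but the stored time is NOT refreshed,
# so a chain of retries cannot keep extending the reuse window.
#
# NOTE(review): the key is a fast, unsalted MD5 whose only per-user
# input is the principal name.  Anyone able to read $historydb can
# test candidate passwords against it offline, so the file's 0600
# mode (still subject to umask) matters.
#
# Returns "ok" on acceptance, otherwise the rejection message.
# Dies if the history file cannot be opened or closed; that is an
# internal error, not a password-quality verdict.
sub check_repeat
{
    my ($principal, $passwd) = @_;

    my $key = Digest::MD5->new->add($principal, ":", $passwd)->hexdigest();
    my $timenow = time();
    my $result = 'Do not reuse passwords';
    my %DB;

    dbmopen(%DB, $historydb, 0600)
        or die "Internal: Could not open $historydb";
    if (!$DB{$key}) {
        # First time this pair is seen: record it and accept.
        $DB{$key} = $timenow;
        $result = "ok";
    }
    elsif ($timenow - $DB{$key} < $reusetime) {
        # Retry shortly after acceptance: accept, but keep the original
        # timestamp so repeated retries cannot extend the window.
        $result = "ok";
    }
    dbmclose(%DB) or die "Internal: Could not close $historydb";
    return $result;
}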
# Report a rejection and stop.
#
# The script's verdict is carried by what it prints, not by its exit
# status: "APPROVED" means accepted, any other output is the reason
# the new password was refused.  The status is 0 in both cases.
sub badpassword
{
    my ($reason) = @_;

    print $reason, "\n";
    exit 0;
}
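# Read the request: "key: value" lines on STDIN, terminated by a line
# reading "end".  Keys may not contain ':'; the value runs to the end
# of the line (the newline is excluded because '.' does not match it).
while (<STDIN>) {
    last if /^end$/;
    my ($key, $value) = /^([^:]+): (.+)$/;
    # Do not echo the offending line into the error: it may be the
    # new-password line, and die() output may end up in a log.
    die "key value pair not correct on line $." if !defined $key;
    $params{$key} = $value;
}

die "missing principal" if !defined $params{'principal'};
die "missing password" if !defined $params{'new-password'};

my $reason;

# Order matters: check_repeat records the password when it accepts it,
# so it runs last -- otherwise a rejection by a later check would be
# reported as a reuse when the client retries.
$reason = check_basic($params{'principal'}, $params{'new-password'});
badpassword($reason) if $reason ne "ok";

$reason = fascist_check($params{'new-password'}, $database);
badpassword($reason) if $reason ne "ok";

$reason = check_repeat($params{'principal'}, $params{'new-password'});
badpassword($reason) if $reason ne "ok";

# "APPROVED" is the only output the KDC treats as acceptance.
print "APPROVED\n";
exit 0;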