Difference between revisions of "Projects/Password quality pluggable interface"

From K5Wiki

Revision as of 20:08, 27 August 2010

An announcement has been sent to krbdev@mit.edu starting a review of this project. That review will conclude on 2010-09-05.

Comments can be sent to krbdev@mit.edu.


Purpose

This project is to create a pluggable interface for password quality checking. This interface will make use of the framework described in Projects/Plugin_support_improvements.

Scope

Password quality modules will be able to make use of:

  • The realm's configured dictionary.
  • The principal name.
  • The new password.
  • The name of the password policy associated with the principal, if any.

To preserve the simplicity of the interface, modules will not have convenient access to:

  • The information in the password policy.
  • The principal's database entry.
  • Current or historical keys used by the principal.

If necessary, modules can look up this information in the KDB by making use of the krb5_context passed to them.

Interface

The pluggable interface will have the following methods:

 /* An abstract type for password quality module data. */
 typedef struct krb5_pwqual_moddata_st *krb5_pwqual_moddata;

 /* Optional: Initialize module data.  dictfile is the realm's configured
  * dictionary filename. */
 typedef krb5_error_code
 (*krb5_pwqual_open_fn)(krb5_context context, const char *dict_file,
                        krb5_pwqual_moddata *data);

 /*
  * Mandatory: Check a password for the principal princ, which has an associated
  * password policy named policy_name (or no associated policy if policy_name is
  * NULL).  Return an error if the password check fails.
  */
 typedef krb5_error_code
 (*krb5_pwqual_check_fn)(krb5_context context, krb5_pwqual_moddata data,
                         const char *password, const char *policy_name,
                         krb5_principal princ);

 /* Optional: Release resources used by module data. */
 typedef void
 (*krb5_pwqual_close_fn)(krb5_context context, krb5_pwqual_moddata data);

Built-In Modules

The following modules will replace current built-in mechanisms for checking password quality. These can be disabled through plugin configuration.

  • empty: Prohibits empty passwords, whether or not the principal has a password policy.
  • princ: Prohibits passwords matching components of the principal name. Only operable if the principal has a password policy.
  • hesiod: Prohibits passwords matching the GECOS fields of Hesiod password information for components of the principal name. Only operable if the principal has a password policy and the Kerberos tree was built with Hesiod support.
  • dict: Prohibits passwords matching words in the realm's dictionary file. Only operable if the principal has a password policy and the realm has a configured dictionary file.

Two other built-in mechanisms for checking password policy exist: enforcement of the password policy's minimum length and minimum number of character classes, and checking the new password against the current and historical key information. These mechanisms are out of scope for the pluggable interface.
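Added example, not code from this wiki page or from the MIT krb5 tree: a minimal module implementing the three methods of the Interface section and the `empty` and `princ` rules from the Built-In Modules list, showing that the first applies regardless of policy while the second is skipped when policy_name is NULL. The krb5 types, the PWQ_REJECTED code and the run_check driver are constructed stand-ins so the file builds without the krb5 headers.

```c
#include <string.h>
/* Constructed stand-ins so this builds without the krb5 headers; a real
 * module includes <krb5/krb5.h> and uses the real types instead. */
typedef int krb5_error_code;
typedef void *krb5_context;
typedef struct { unsigned int length; char *data; } krb5_data;
typedef struct { krb5_data *data; int length; } krb5_principal_data, *krb5_principal;
#define PWQ_REJECTED 1  /* constructed stand-in for a real kadm5 error code */
/* The interface from the page: opaque module data plus three method types. */
typedef struct krb5_pwqual_moddata_st *krb5_pwqual_moddata;
typedef krb5_error_code (*krb5_pwqual_open_fn)(krb5_context, const char *,
                                               krb5_pwqual_moddata *);
typedef krb5_error_code (*krb5_pwqual_check_fn)(krb5_context, krb5_pwqual_moddata,
                                                const char *, const char *, krb5_principal);
typedef void (*krb5_pwqual_close_fn)(krb5_context, krb5_pwqual_moddata);
/* open/close: these rules need neither the dictionary nor any per-realm state. */
static krb5_error_code
example_open(krb5_context ctx, const char *dict_file, krb5_pwqual_moddata *data)
{ *data = NULL; return 0; }
static void example_close(krb5_context ctx, krb5_pwqual_moddata data) { }
/* check: the "empty" rule applies always, the "princ" rule only under a policy. */
static krb5_error_code
example_check(krb5_context ctx, krb5_pwqual_moddata data, const char *password,
              const char *policy_name, krb5_principal princ)
{
    if (password == NULL || *password == '\0')
        return PWQ_REJECTED;        /* empty password, with or without a policy */
    if (policy_name == NULL)
        return 0;                   /* princ rule is inoperable without a policy */
    for (int i = 0; i < princ->length; i++) {
        const krb5_data *c = &princ->data[i];
        if (c->length == strlen(password) && memcmp(c->data, password, c->length) == 0)
            return PWQ_REJECTED;    /* password equals a principal name component */
    }
    return 0;
}
/* Run the methods in the order the plugin framework would call them. */
krb5_error_code
run_check(const char *password, const char *policy_name, krb5_principal princ)
{
    krb5_pwqual_open_fn open_fn = example_open;      /* binding through the */
    krb5_pwqual_check_fn check_fn = example_check;   /* typedefs checks the */
    krb5_pwqual_close_fn close_fn = example_close;   /* implementation signatures */
    krb5_pwqual_moddata data;
    krb5_error_code ret = open_fn(NULL, NULL, &data);
    if (ret != 0) return ret;
    ret = check_fn(NULL, data, password, policy_name, princ);
    close_fn(NULL, data);
    return ret;
}
```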