NAME

       krb5_pwcheck,             kadm5_setup_passwd_quality_check,            kadm5_add_passwd_quality_verifier,
       kadm5_check_password_quality — Heimdal warning and error functions

LIBRARY

       Kerberos 5 Library (libkadm5srv, -lkadm5srv)

SYNOPSIS

       #include <kadm5-protos.h>
       #include <kadm5-pwcheck.h>

       void
       kadm5_setup_passwd_quality_check(krb5_context context,                         const char *check_library,
           const char *check_function);

       krb5_error_code
       kadm5_add_passwd_quality_verifier(krb5_context context, const char *check_library);

       const char *
       kadm5_check_password_quality(krb5_context context, krb5_principal principal, krb5_data *pwd_data);

       int
       (*kadm5_passwd_quality_check_func)(krb5_context context,  krb5_principal principal,  krb5_data *password,
           const char *tuning, char *message, size_t length);

DESCRIPTION

       These functions perform the quality check for the heimdal database library.

       There are two versions of the shared object API; the old version (0) is deprecated, but still  supported.
       The  new version (1) supports multiple password quality checking policies in the same shared object.  See
       below for details.

       The password quality checker will run all policies that are  configured  by  the  user.   If  any  policy
       rejects the password, the password will be rejected.

       Policy  names are of the form ‘module-name:policy-name’ or, if the the policy name is unique enough, just
       ‘policy-name’.

IMPLEMENTING A PASSWORD QUALITY CHECKING SHARED OBJECT

       (This refers to the version 1 API only.)

       Module shared objects may conveniently be compiled and linked with libtool(1).  An object needs to export
       a symbol called ‘kadm5_password_verifier’ of the type struct kadm5_pw_policy_verifier.

       Its name and vendor fields should contain the obvious information.  name  must  match  the  ‘module-name’
       portion  of  the  policy  name  (the  part before the colon), if the policy name contains a colon, or the
       policy will not be run.  version should be KADM5_PASSWD_VERSION_V1.

       funcs contains an array of struct kadm5_pw_policy_check_func structures that is terminated with an  entry
       whose  name  component  is  NULL.   The name field of the array must match the ‘policy-name’ portion of a
       policy name (the part after the colon, or the complete policy name if there is no colon) specified by the
       user or the policy will not be run.  The func fields  of  the  array  elements  are  functions  that  are
       exported  by  the  module  to  be  called  to check the password.  They get the following arguments:  the
       Kerberos context, principal, password, a tuning parameter, and a pointer to  a  message  buffer  and  its
       length.   The  tuning parameter for the quality check function is currently always NULL.  If the password
       is acceptable, the function returns zero.  Otherwise it returns non-zero and fills in the message  buffer
       with an appropriate explanation.

RUNNING THE CHECKS

       kadm5_setup_passwd_quality_check  sets  up  type  0  checks.   It  sets  up  all type 0 checks defined in
       krb5.conf(5) if called with the last two arguments null.

       kadm5_add_passwd_quality_verifier sets up type 1 checks.   It  sets  up  all  type  1  tests  defined  in
       krb5.conf(5)  if called with a null second argument.  kadm5_check_password_quality runs the checks in the
       order in which they are defined in krb5.conf(5) and the order in which they occur  in  a  module's  funcs
       array until one returns non-zero.

SEE ALSO

       libtool(1), krb5(3), krb5.conf(5)

HEIMDAL                                         February 29, 2004                               KADM5_PWCHECK(3)