NAME

     krb5_pwcheck, kadm5_setup_passwd_quality_check, kadm5_add_passwd_quality_verifier,
     kadm5_check_password_quality — Heimdal warning and error functions

LIBRARY

     Kerberos 5 Library (libkadm5srv, -lkadm5srv)

SYNOPSIS

     #include <kadm5-protos.h>
     #include <kadm5-pwcheck.h>

     void
     kadm5_setup_passwd_quality_check(krb5_context context, const char *check_library,
         const char *check_function);

     krb5_error_code
     kadm5_add_passwd_quality_verifier(krb5_context context, const char *check_library);

     const char *
     kadm5_check_password_quality(krb5_context context, krb5_principal principal,
         krb5_data *pwd_data);

     int
     (*kadm5_passwd_quality_check_func)(krb5_context context, krb5_principal principal,
         krb5_data *password, const char *tuning, char *message, size_t length);

DESCRIPTION

     These functions perform the quality check for the heimdal database library.

     There are two versions of the shared object API; the old version (0) is deprecated, but
     still supported.  The new version (1) supports multiple password quality checking policies
     in the same shared object.  See below for details.

     The password quality checker will run all policies that are configured by the user.  If any
     policy rejects the password, the password will be rejected.

     Policy names are of the form ‘module-name:policy-name’ or, if the the policy name is unique
     enough, just ‘policy-name’.

IMPLEMENTING A PASSWORD QUALITY CHECKING SHARED OBJECT

     (This refers to the version 1 API only.)

     Module shared objects may conveniently be compiled and linked with libtool(1).  An object
     needs to export a symbol called ‘kadm5_password_verifier’ of the type struct
     kadm5_pw_policy_verifier.

     Its name and vendor fields should contain the obvious information.  name must match the
     ‘module-name’ portion of the policy name (the part before the colon), if the policy name
     contains a colon, or the policy will not be run.  version should be KADM5_PASSWD_VERSION_V1.

     funcs contains an array of struct kadm5_pw_policy_check_func structures that is terminated
     with an entry whose name component is NULL.  The name field of the array must match the
     ‘policy-name’ portion of a policy name (the part after the colon, or the complete policy
     name if there is no colon) specified by the user or the policy will not be run.  The func
     fields of the array elements are functions that are exported by the module to be called to
     check the password.  They get the following arguments:  the Kerberos context, principal,
     password, a tuning parameter, and a pointer to a message buffer and its length.  The tuning
     parameter for the quality check function is currently always NULL.  If the password is
     acceptable, the function returns zero.  Otherwise it returns non-zero and fills in the
     message buffer with an appropriate explanation.

RUNNING THE CHECKS

     kadm5_setup_passwd_quality_check sets up type 0 checks.  It sets up all type 0 checks
     defined in krb5.conf(5) if called with the last two arguments null.

     kadm5_add_passwd_quality_verifier sets up type 1 checks.  It sets up all type 1 tests
     defined in krb5.conf(5) if called with a null second argument.  kadm5_check_password_quality
     runs the checks in the order in which they are defined in krb5.conf(5) and the order in
     which they occur in a module's funcs array until one returns non-zero.

SEE ALSO

     libtool(1), krb5(3), krb5.conf(5)