crypto/dist/heimdal/lib/kadm5/check-cracklib.pl

   1 #!/usr/pkg/bin/perl
   2 #
   3 # Sample password verifier for Heimdals external password
   4 # verifier, see the chapter "Password changing" in the the info
   5 # documentation for more information about the protocol used.
   6 #
   7 # Three checks
   8 #  1. Check that password is not the principal name
   9 #  2. Check that the password passes cracklib
  10 #  3. Check that password isn't repeated for this principal
  11 #
  12 # The repeat check must be last because some clients ask
  13 # twice when getting "no" back and thus the error message
  14 # would be wrong.
  15 #
  16 # Prereqs (example versions):
  17 #
  18 # * perl (5.8.5) http://www.perl.org/
  19 # * cracklib (2.8.5) http://sourceforge.net/projects/cracklib
  20 # * Crypt-Cracklib perlmodule (0.01) http://search.cpan.org/~daniel/
  21 #
  22 # Sample dictionaries:
  23 #     cracklib-words (1.1) http://sourceforge.net/projects/cracklib
  24 #     miscfiles (1.4.2) http://directory.fsf.org/miscfiles.html
  25 #
  26 # Configuration for krb5.conf or kdc.conf
  27 #
  28 #   [password_quality]
  29 #       policies = builtin:external-check
  30 #       external_program = <your-path>/check-cracklib.pl
  31 #
  32 # $Heimdal: check-cracklib.pl 20578 2007-05-07 22:21:51Z lha $
  33 # $NetBSD$
  34
  35 use strict;
  36 use Crypt::Cracklib;
  37 use Digest::MD5;
  38
  39 # NEED TO CHANGE THESE TO MATCH YOUR SYSTEM
  40 my $database = '/usr/lib/cracklib_dict';
  41 my $historydb = '/var/heimdal/historydb';
  42 # NEED TO CHANGE THESE TO MATCH YOUR SYSTEM
  43
  44 my %params;
  45
  46 sub check_basic
  47 {
  48     my $principal = shift;
  49     my $passwd = shift;
  50
  51     if ($principal eq $passwd) {
  52         return "Principal name as password is not allowed";
  53     }
  54     return "ok";
  55 }
  56
  57 sub check_repeat
  58 {
  59     my $principal = shift;
  60     my $passwd = shift;
  61     my $result  = 'Do not reuse passwords';
  62     my %DB;
  63     my $md5context = new Digest::MD5;
  64
  65     $md5context->reset();
  66     $md5context->add($principal, ":", $passwd);
  67
  68     my $key=$md5context->hexdigest();
  69
  70     dbmopen(%DB,$historydb,0600) or die "Internal: Could not open $historydb";
  71     $result = "ok" if (!$DB{$key});
  72     $DB{$key}=scalar(time());
  73     dbmclose(%DB) or die "Internal: Could not close $historydb";
  74     return $result;
  75 }
  76
  77 sub badpassword
  78 {
  79     my $reason = shift;
  80     print "$reason\n";
  81     exit 0
  82 }
  83
  84 while (<>) {
  85     last if /^end$/;
  86     if (!/^([^:]+): (.+)$/) {
  87         die "key value pair not correct: $_";
  88     }
  89     $params{$1} = $2;
  90 }
  91
  92 die "missing principal" if (!defined $params{'principal'});
  93 die "missing password" if (!defined $params{'new-password'});
  94
  95 my $reason;
  96
  97 $reason = check_basic($params{'principal'}, $params{'new-password'});
  98 badpassword($reason) if ($reason ne "ok");
  99
 100 $reason = fascist_check($params{'new-password'}, $database);
 101 badpassword($reason) if ($reason ne "ok");
 102
 103 $reason = check_repeat($params{'principal'}, $params{'new-password'});
 104 badpassword($reason) if ($reason ne "ok");
 105
 106 print "APPROVED\n";
 107 exit 0