Add a name field to the pwqual plugin vtable and log pwqual module

rejections.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24425 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/include/krb5/pwqual_plugin.h b/src/include/krb5/pwqual_plugin.h
index 403bb11521817c474a335ba1f1b8bbf9f2b1a52a..110197a2a372ddf8acfbadff3a9c53fa76d13b63 100644 (file)
--- a/src/include/krb5/pwqual_plugin.h
+++ b/src/include/krb5/pwqual_plugin.h
@@ -100,6 +100,7 @@ typedef void
 
 /* Password quality plugin vtable for major version 1. */
 typedef struct krb5_pwqual_vtable_st {
+    const char *name;           /* Mandatory: name of module. */
     krb5_pwqual_open_fn open;
     krb5_pwqual_check_fn check;
     krb5_pwqual_close_fn close;

diff --git a/src/lib/kadm5/server_internal.h b/src/lib/kadm5/server_internal.h
index 42b11c85ee8c806077ae584057ab0c5988d9c75f..8778522546cda647f1551655b257f13b2c29e28a 100644 (file)
--- a/src/lib/kadm5/server_internal.h
+++ b/src/lib/kadm5/server_internal.h
@@ -172,6 +172,10 @@ k5_pwqual_load(krb5_context context, const char *dict_file,
 void
 k5_pwqual_free_handles(krb5_context context, pwqual_handle *handles);
 
+/* Return the name of a password quality plugin module. */
+const char *
+k5_pwqual_name(krb5_context context, pwqual_handle handle);
+
 /* Check a password using a password quality plugin module. */
 krb5_error_code
 k5_pwqual_check(krb5_context context, pwqual_handle handle,

diff --git a/src/lib/kadm5/srv/pwqual.c b/src/lib/kadm5/srv/pwqual.c
index 86aa2d43b5c63b481136d0705333fa1af43b035b..d1a9f78347db3060ca5f3be09c647755cc2a7490 100644 (file)
--- a/src/lib/kadm5/srv/pwqual.c
+++ b/src/lib/kadm5/srv/pwqual.c
@@ -109,6 +109,12 @@ k5_pwqual_free_handles(krb5_context context, pwqual_handle *handles)
     free(handles);
 }
 
+const char *
+k5_pwqual_name(krb5_context context, pwqual_handle handle)
+{
+    return handle->vt.name;
+}
+
 krb5_error_code
 k5_pwqual_check(krb5_context context, pwqual_handle handle,
                 const char *password, const char *policy_name,

diff --git a/src/lib/kadm5/srv/pwqual_dict.c b/src/lib/kadm5/srv/pwqual_dict.c
index 2df9a8b94c74c09f044193ca13a9aaab4bcf3446..58ece2fe033e648bd9bb0b9203e2fdf5ae3d33d9 100644 (file)
--- a/src/lib/kadm5/srv/pwqual_dict.c
+++ b/src/lib/kadm5/srv/pwqual_dict.c
@@ -247,6 +247,7 @@ pwqual_dict_initvt(krb5_context context, int maj_ver, int min_ver,
     if (maj_ver != 1)
         return KRB5_PLUGIN_VER_NOTSUPP;
     vt = (krb5_pwqual_vtable)vtable;
+    vt->name = "dict";
     vt->open = dict_open;
     vt->check = dict_check;
     vt->close = dict_close;

diff --git a/src/lib/kadm5/srv/pwqual_empty.c b/src/lib/kadm5/srv/pwqual_empty.c
index df3505aaf5745d03024f7c9e3e67aa1b946d31f1..79e7534d55785eaae2eaf138f1af0bedc54f14cf 100644 (file)
--- a/src/lib/kadm5/srv/pwqual_empty.c
+++ b/src/lib/kadm5/srv/pwqual_empty.c
@@ -56,6 +56,7 @@ pwqual_empty_initvt(krb5_context context, int maj_ver, int min_ver,
     if (maj_ver != 1)
         return KRB5_PLUGIN_VER_NOTSUPP;
     vt = (krb5_pwqual_vtable)vtable;
+    vt->name = "empty";
     vt->check = empty_check;
     return 0;
 }

diff --git a/src/lib/kadm5/srv/pwqual_hesiod.c b/src/lib/kadm5/srv/pwqual_hesiod.c
index 993992d193826c567793f78a79dbbe734353ac67..93ced4f3e19607da62b7c598239c6044c1e9061b 100644 (file)
--- a/src/lib/kadm5/srv/pwqual_hesiod.c
+++ b/src/lib/kadm5/srv/pwqual_hesiod.c
@@ -128,6 +128,7 @@ pwqual_hesiod_initvt(krb5_context context, int maj_ver, int min_ver,
     if (maj_ver != 1)
         return KRB5_PLUGIN_VER_NOTSUPP;
     vt = (krb5_pwqual_vtable)vtable;
+    vt->name = "hesiod";
     vt->check = hesiod_check;
     return 0;
 }

diff --git a/src/lib/kadm5/srv/pwqual_princ.c b/src/lib/kadm5/srv/pwqual_princ.c
index dfe5f20339f010a79da3dd77367758b3f44f2489..510980e9e5b6d7ec49c6c0187367e1e8639719fd 100644 (file)
--- a/src/lib/kadm5/srv/pwqual_princ.c
+++ b/src/lib/kadm5/srv/pwqual_princ.c
@@ -70,6 +70,7 @@ pwqual_princ_initvt(krb5_context context, int maj_ver, int min_ver,
     if (maj_ver != 1)
         return KRB5_PLUGIN_VER_NOTSUPP;
     vt = (krb5_pwqual_vtable)vtable;
+    vt->name = "princ";
     vt->check = princ_check;
     return 0;
 }

diff --git a/src/lib/kadm5/srv/server_misc.c b/src/lib/kadm5/srv/server_misc.c
index 9d32e715e06eea579a890168dff1a9e55f202f0b..5b61719498e9dc6071f735c15892807ff4595ab6 100644 (file)
--- a/src/lib/kadm5/srv/server_misc.c
+++ b/src/lib/kadm5/srv/server_misc.c
@@ -33,7 +33,9 @@
 #include    <kdb.h>
 #include    <ctype.h>
 #include    <pwd.h>
+#include    <syslog.h>
 #include    "server_internal.h"
+#include    <adm_proto.h>
 
 kadm5_ret_t
 adb_policy_init(kadm5_server_handle_t handle)
@@ -137,8 +139,19 @@ passwd_check(kadm5_server_handle_t handle, const char *password,
     }
     for (h = handle->qual_handles; *h != NULL; h++) {
         ret = k5_pwqual_check(handle->context, *h, password, polname, princ);
-        if (ret != 0)
+        if (ret != 0) {
+            const char *e = krb5_get_error_message(handle->context, ret);
+            const char *modname = k5_pwqual_name(handle->context, *h);
+            char *princname;
+            if (krb5_unparse_name(handle->context, princ, &princname) != 0)
+                princname = NULL;
+            krb5_klog_syslog(LOG_ERR, "password quality module %s rejected "
+                             "password for %s: %s", modname,
+                             princname ? princname : "(can't unparse)", e);
+            krb5_free_error_message(handle->context, e);
+            free(princname);
             return ret;
+        }
     }
     return 0;
 }