From: Greg Hudson Date: Tue, 5 Oct 2010 16:00:23 +0000 (+0000) Subject: Add a name field to the pwqual plugin vtable and log pwqual module X-Git-Tag: krb5-1.9-beta1~38 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=f807c93ad898c9b652b516ac54ee2b1112c67fbc;p=krb5.git Add a name field to the pwqual plugin vtable and log pwqual module rejections. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24425 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/include/krb5/pwqual_plugin.h b/src/include/krb5/pwqual_plugin.h index 403bb1152..110197a2a 100644 --- a/src/include/krb5/pwqual_plugin.h +++ b/src/include/krb5/pwqual_plugin.h @@ -100,6 +100,7 @@ typedef void /* Password quality plugin vtable for major version 1. */ typedef struct krb5_pwqual_vtable_st { + const char *name; /* Mandatory: name of module. */ krb5_pwqual_open_fn open; krb5_pwqual_check_fn check; krb5_pwqual_close_fn close; diff --git a/src/lib/kadm5/server_internal.h b/src/lib/kadm5/server_internal.h index 42b11c85e..877852254 100644 --- a/src/lib/kadm5/server_internal.h +++ b/src/lib/kadm5/server_internal.h @@ -172,6 +172,10 @@ k5_pwqual_load(krb5_context context, const char *dict_file, void k5_pwqual_free_handles(krb5_context context, pwqual_handle *handles); +/* Return the name of a password quality plugin module. */ +const char * +k5_pwqual_name(krb5_context context, pwqual_handle handle); + /* Check a password using a password quality plugin module. */ krb5_error_code k5_pwqual_check(krb5_context context, pwqual_handle handle, diff --git a/src/lib/kadm5/srv/pwqual.c b/src/lib/kadm5/srv/pwqual.c index 86aa2d43b..d1a9f7834 100644 --- a/src/lib/kadm5/srv/pwqual.c +++ b/src/lib/kadm5/srv/pwqual.c 
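Review bot: The new `name` member in `krb5_pwqual_vtable_st` is marked mandatory, but its comment does not say how long the string must stay valid. `k5_pwqual_name` in pwqual.c returns `handle->vt.name` as stored, so the pointer appears to be read for the life of the handle. I would spell that out: `const char *name; /* Mandatory: name of module; must stay valid while the module is loaded. */`. Placing the field ahead of `open` also shifts every existing member of the major-version-1 vtable, so a module built against the earlier layout would be misread unless this interface has not shipped yet; that is worth confirming. The rest of the struct lies outside the hunk.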
@@ -109,6 +109,12 @@ k5_pwqual_free_handles(krb5_context context, pwqual_handle *handles) free(handles); } +const char * +k5_pwqual_name(krb5_context context, pwqual_handle handle) +{ + return handle->vt.name; +} + krb5_error_code k5_pwqual_check(krb5_context context, pwqual_handle handle, const char *password, const char *policy_name, diff --git a/src/lib/kadm5/srv/pwqual_dict.c b/src/lib/kadm5/srv/pwqual_dict.c index 2df9a8b94..58ece2fe0 100644 --- a/src/lib/kadm5/srv/pwqual_dict.c +++ b/src/lib/kadm5/srv/pwqual_dict.c @@ -247,6 +247,7 @@ pwqual_dict_initvt(krb5_context context, int maj_ver, int min_ver, if (maj_ver != 1) return KRB5_PLUGIN_VER_NOTSUPP; vt = (krb5_pwqual_vtable)vtable; + vt->name = "dict"; vt->open = dict_open; vt->check = dict_check; vt->close = dict_close; diff --git a/src/lib/kadm5/srv/pwqual_empty.c b/src/lib/kadm5/srv/pwqual_empty.c index df3505aaf..79e7534d5 100644 --- a/src/lib/kadm5/srv/pwqual_empty.c +++ b/src/lib/kadm5/srv/pwqual_empty.c @@ -56,6 +56,7 @@ pwqual_empty_initvt(krb5_context context, int maj_ver, int min_ver, if (maj_ver != 1) return KRB5_PLUGIN_VER_NOTSUPP; vt = (krb5_pwqual_vtable)vtable; + vt->name = "empty"; vt->check = empty_check; return 0; } diff --git a/src/lib/kadm5/srv/pwqual_hesiod.c b/src/lib/kadm5/srv/pwqual_hesiod.c index 993992d19..93ced4f3e 100644 --- a/src/lib/kadm5/srv/pwqual_hesiod.c +++ b/src/lib/kadm5/srv/pwqual_hesiod.c @@ -128,6 +128,7 @@ pwqual_hesiod_initvt(krb5_context context, int maj_ver, int min_ver, if (maj_ver != 1) return KRB5_PLUGIN_VER_NOTSUPP; vt = (krb5_pwqual_vtable)vtable; + vt->name = "hesiod"; vt->check = hesiod_check; return 0; } diff --git a/src/lib/kadm5/srv/pwqual_princ.c b/src/lib/kadm5/srv/pwqual_princ.c index dfe5f2033..510980e9e 100644 --- a/src/lib/kadm5/srv/pwqual_princ.c +++ b/src/lib/kadm5/srv/pwqual_princ.c 
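Review bot: `k5_pwqual_name` returns `handle->vt.name` unchecked, and the caller added in server_misc.c passes the result to a `%s` conversion in `krb5_klog_syslog`, which is undefined behaviour if a module's initvt never set the field. None of the visible hunks rejects a module with a NULL name at load time, though the loader is not shown and may already do so. If it does not, either fail the load there or return a fallback here, e.g. `return (handle->vt.name != NULL) ? handle->vt.name : "(unnamed)";`. The `context` parameter is unused in this body, which deserves a short comment so it is not mistaken for an oversight.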
@@ -70,6 +70,7 @@ pwqual_princ_initvt(krb5_context context, int maj_ver, int min_ver, if (maj_ver != 1) return KRB5_PLUGIN_VER_NOTSUPP; vt = (krb5_pwqual_vtable)vtable; + vt->name = "princ"; vt->check = princ_check; return 0; } diff --git a/src/lib/kadm5/srv/server_misc.c b/src/lib/kadm5/srv/server_misc.c index 9d32e715e..5b6171949 100644 --- a/src/lib/kadm5/srv/server_misc.c +++ b/src/lib/kadm5/srv/server_misc.c @@ -33,7 +33,9 @@ #include #include #include +#include #include "server_internal.h" +#include kadm5_ret_t adb_policy_init(kadm5_server_handle_t handle) @@ -137,8 +139,19 @@ passwd_check(kadm5_server_handle_t handle, const char *password, } for (h = handle->qual_handles; *h != NULL; h++) { ret = k5_pwqual_check(handle->context, *h, password, polname, princ); - if (ret != 0) + if (ret != 0) { + const char *e = krb5_get_error_message(handle->context, ret); + const char *modname = k5_pwqual_name(handle->context, *h); + char *princname; + if (krb5_unparse_name(handle->context, princ, &princname) != 0) + princname = NULL; + krb5_klog_syslog(LOG_ERR, "password quality module %s rejected " + "password for %s: %s", modname, + princname ? princname : "(can't unparse)", e); + krb5_free_error_message(handle->context, e); + free(princname); return ret; + } } return 0; }
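Review bot: In the new failure branch of the `for` loop in server_misc.c, `princname` is allocated by `krb5_unparse_name` but released with `free(princname)`. The matching libkrb5 call is `krb5_free_unparsed_name(handle->context, princname);`, which keeps allocation and release on the same side of the library boundary. The branch also logs every non-zero return from `k5_pwqual_check` as a module that "rejected password" at `LOG_ERR`, so an internal module failure (allocation, lookup) cannot be told apart in the log from a policy rejection. Consider separating the two cases if the error codes allow it, or wording the message as `"password quality module %s failed or rejected password for %s: %s"`. `passwd_check` starts above this hunk.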