From 0b1015fd1072350f5bee1e5f8c7156701d639b87 Mon Sep 17 00:00:00 2001
From: Michael Shanzer
Date: Tue, 23 Nov 1993 19:49:02 +0000
Subject: [PATCH] removed override quality flags

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@3015 dc483132-0cff-0310-8789-dd5450dbe970
---
 doc/kadm5/api-funcspec.tex | 83 ++++++-------------------------------
 1 file changed, 12 insertions(+), 71 deletions(-)

diff --git a/doc/kadm5/api-funcspec.tex b/doc/kadm5/api-funcspec.tex
index bed88ef02..25b6d13ff 100644
--- a/doc/kadm5/api-funcspec.tex
+++ b/doc/kadm5/api-funcspec.tex
@@ -443,8 +443,6 @@ character classes. \item[OVSEC_KADM_PASS_TOOSOON] Current password's minimum life has not expired. \item[OVSEC_KADM_POLICY_REF] Policy reference count is not zero. -\item[OVSEC_KADM_CANNOT_OVERRIDE] Request to override password minimum -life or dictionary check denied. \end{description} \subsection{Authentication and Authorization} 
@@ -651,26 +649,20 @@ RETURN CODES: \begin{verbatim} ovsec_kadm_ret_t ovsec_kadm_create_principal(ovsec_kadm_principal_ent_t princ, u_int32 mask, - char *pw, int override_qual); + char *pw); \end{verbatim} AUTHORIZATION REQUIRED: add \begin{enumerate} -\item Determine whether password quality checks should be overridden. -\begin{enumerate} -\item If the POLICY bit is not set in aux_attributes, set -override_qual to true. -\item Otherwise, use the specified override_qual. -\end{enumerate} \item Return OVSEC_KADM_BAD_MASK if the mask is invalid. \item If the named principal exists, return OVSEC_KADM_DUP. \item If the POLICY bit is set and the named policy does not exist, return OVSEC_KADM_UNK_POLICY. -\item If override_qual is false and the password does not meet the -quality standards, return the appropriate OVSEC_KADM_PASS_Q_* error -code. +\item If OVSEC_KADM_POLICY bit is set in aux_attributes check to see if +the password does not meets quality standards, return the appropriate +OVSEC_KADM_PASS_Q_* error code if it fails. \item Store the principal, set the key. The key is generated with Kerberos' string-to-key function, using the salt method specified on the admin server's command line; see section \ref{sec:commandline}. @@ -834,8 +826,7 @@ RETURN CODES: \begin{verbatim} ovsec_kadm_ret_t -ovsec_kadm_chpass_principal(krb5_principal princ, char *pw, - int override_qual); +ovsec_kadm_chpass_principal(krb5_principal princ, char *pw); \end{verbatim} AUTHORIZATION REQUIRED: modify, or the calling principal being the 
@@ -851,39 +842,12 @@ If the principal's POLICY bit is set in aux_attributes, compliance with each of the named policy fields is verified and an appropriate error code is returned if verification fails. -{\it However}, passsword policy and dictionary checks can be overriden -under very precise circumstances. Specifically, - -\begin{itemize} -\item if the calling principal has the modify priviledge, and - -\item if the calling principal is different from the princ argument, -and - -\item if the request is authenticated to the ovsec_kadm/admin service, -and - -\item if override_qual is specified as true, -\end{itemize} - -then {\it neither the password dictionary check nor pw_min_life check -is performed}. The rationale behind the exception is that an -administrator must always be able to change a principal's password -immediately (in case it is compromised). (Note that this leaves the -dictionary check overriden without a rationalization; not -surprisingly, the author thinks it is irrational. It also does not -explain why an administrator cannot override its own policy, which the -author also thinks is irrational.) - Note that the policy checks are only be performed if the POLICY bit is set in the principal's aux_attributes field. \begin{enumerate} -\item If override_qual is set to true, verify that the three -conditions stated above are met; if any condition is not met, return -OVSEC_KADM_CANNOT_OVERRIDE. \item Make sure principal exists, if not return OVSEC_KADM_UNK_PRINC error. -\item If override_qual is false, (now - last_pwd_change) $<$ +\item If caller does not have modify privilege, (now - last_pwd_change) $<$ pw_min_life, and the KRB5_KDB_REQUIRES_PWCHANGE bit is not set in the principal's attributes, return OVSEC_KADM_PASS_TOOSOON. \item If the password does not meet the quality 
@@ -891,8 +855,8 @@ standards, return the appropriate OVSEC_KADM_PASS_Q_* error code. \item Convert password to key. The key is generated with Kerberos' string-to-key function, using the salt method specified on the admin server's command line; see section \ref{sec:commandline}. -\item If override_qual is false and the new key is in the principal's -password history, return OVSEC_KADM_PASS_REUSE. +\item If the new key is in the principal's password history, return +OVSEC_KADM_PASS_REUSE. \item Store old key in history. \item Update principal to have new key. \item Increment principal's key version number by one. @@ -923,7 +887,7 @@ life. \begin{verbatim} ovsec_kadm_ret_t ovsec_kadm_chpass_principal_util(krb5_principal princ, char *new_pw, - int override_qual, char **pw_ret, char *msg_ret); + char **pw_ret, char *msg_ret); \end{verbatim} AUTHORIZATION REQUIRED: modify, or the calling principal being the @@ -955,7 +919,7 @@ krb5_read_password. point to a static buffer containing the password. If pw_ret is non-NULL and the password was supplied, set *pw_ret to the supplied password. -\item Call ovsec_kadm_chpass_principal with princ, new_pw, and override_qual. +\item Call ovsec_kadm_chpass_principal with princ, and new_pw. \item If successful copy ``Password Changed.'' into msg_ret and return zero. @@ -1030,8 +994,7 @@ life. \begin{verbatim} ovsec_kadm_ret_t -ovsec_kadm_randkey_principal(krb5_principal princ, krb5_keyblock **new_key, - int override_qual); +ovsec_kadm_randkey_principal(krb5_principal princ, krb5_keyblock **new_key) \end{verbatim} AUTHORIZATION REQUIRED: modify, or the calling principal being the 
@@ -1047,34 +1010,12 @@ is set in aux_attributes, compliance with each of the named policy fields is verified and an appropriate error code is returned if verification fails. -{\it However}, passsword policy and dictionary checks can be overriden -under very precise circumstances. Specifically, - -\begin{itemize} -\item if the calling principal has the modify priviledge, and - -\item if the calling principal is different from the princ argument, -and - -\item if the request is authenticated to the ovsec_kadm/admin service, -and - -\item if override_qual is specified as true, -\end{itemize} - -then {\it the pw_min_life check is not performed}. The rationale -behind the exception is that an administrator must always be able to -change a principal's password immediately (in case it is compromised). - Note that the policy checks are only be performed if the POLICY bit is set in the principal's aux_attributes field. \begin{enumerate} -\item If override_qual is set to true, verify that the three -conditions stated above are met; if any condition is not met, return -OVSEC_KADM_CANNOT_OVERRIDE. \item If the principal does not exist, return OVSEC_KADM_UNK_PRINC. -\item If override_qual is false, (now - last_pwd_change) $<$ +\item If caller does not have modify privilege, (now - last_pwd_change) $<$ pw_min_life, and the KRB5_KDB_REQUIRES_PWCHANGE bit is not set in the principal's attributes, return OVSEC_KADM_PASS_TOOSOON. \item Store old key in history. -- 2.26.2