Source-Changes-HG archive
[src/trunk]: src Introduce pw_policy(3), an easily extendable way of defining...
details: https://anonhg.NetBSD.org/src/rev/89d06b3fc0e7
branches: trunk
changeset: 584359:89d06b3fc0e7
user: elad <elad%NetBSD.org@localhost>
date: Wed Sep 14 11:36:52 2005 +0000
description:
Introduce pw_policy(3), an easily extendable way of defining password
policies and enforcing them in programs.
Man-page written with much help and tips from David Maxwell, Hubert
Feyrer, and Thomas Klausner.
This bumps libutil minor to 7.
XXX: Need default policy to go in /etc/passwd.conf, and integration
into local/yp/PAM password changing code.
PR/10206.
diffstat:
distrib/sets/lists/base/shl.mi | 4 +-
distrib/sets/lists/comp/mi | 4 +-
lib/libutil/Makefile | 6 +-
lib/libutil/pw_policy.3 | 296 +++++++++++++++++++++++++++++++
lib/libutil/pw_policy.c | 383 +++++++++++++++++++++++++++++++++++++++++
lib/libutil/shlib_version | 4 +-
6 files changed, 689 insertions(+), 8 deletions(-)
diffs (truncated from 761 to 300 lines):
diff -r 2c1298b633f5 -r 89d06b3fc0e7 distrib/sets/lists/base/shl.mi
--- a/distrib/sets/lists/base/shl.mi Wed Sep 14 10:51:22 2005 +0000
+++ b/distrib/sets/lists/base/shl.mi Wed Sep 14 11:36:52 2005 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: shl.mi,v 1.319 2005/08/23 19:57:54 elad Exp $
+# $NetBSD: shl.mi,v 1.320 2005/09/14 11:36:53 elad Exp $
# Note: libtermcap and libtermlib are hardlinked and share the same version.
./lib/libc.so.12.134 base-sys-shlib
./lib/libcrypt.so.0.2 base-sys-shlib
@@ -11,7 +11,7 @@
./lib/libradius.so.0.0 base-sys-shlib
./lib/libtermcap.so.0.6 base-sys-shlib
./lib/libtermlib.so.0.6 base-sys-shlib
-./lib/libutil.so.7.6 base-sys-shlib
+./lib/libutil.so.7.7 base-sys-shlib
./lib/libz.so.0.4 base-sys-shlib
./usr/lib/i18n/libBIG5.so.4.3 base-i18n-shlib
./usr/lib/i18n/libEUC.so.4.3 base-i18n-shlib
diff -r 2c1298b633f5 -r 89d06b3fc0e7 distrib/sets/lists/comp/mi
--- a/distrib/sets/lists/comp/mi Wed Sep 14 10:51:22 2005 +0000
+++ b/distrib/sets/lists/comp/mi Wed Sep 14 11:36:52 2005 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: mi,v 1.812 2005/09/10 19:20:48 jmmv Exp $
+# $NetBSD: mi,v 1.813 2005/09/14 11:36:53 elad Exp $
./etc/mtree/set.comp comp-sys-root
./usr/bin/addr2line comp-debug-bin bfd
./usr/bin/ar comp-util-bin bfd
@@ -4139,6 +4139,7 @@
./usr/share/man/cat3/pw_init.0 comp-c-catman .cat
./usr/share/man/cat3/pw_lock.0 comp-c-catman .cat
./usr/share/man/cat3/pw_mkdb.0 comp-c-catman .cat
+./usr/share/man/cat3/pw_policy.0 comp-c-catman .cat
./usr/share/man/cat3/pw_prompt.0 comp-c-catman .cat
./usr/share/man/cat3/pw_scan.0 comp-c-catman .cat
./usr/share/man/cat3/pw_setprefix.0 comp-c-catman .cat
@@ -8048,6 +8049,7 @@
./usr/share/man/man3/pw_init.3 comp-c-man .man
./usr/share/man/man3/pw_lock.3 comp-c-man .man
./usr/share/man/man3/pw_mkdb.3 comp-c-man .man
+./usr/share/man/cat3/pw_policy.3 comp-c-man .man
./usr/share/man/man3/pw_prompt.3 comp-c-man .man
./usr/share/man/man3/pw_scan.3 comp-c-man .man
./usr/share/man/man3/pw_setprefix.3 comp-c-man .man
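Review bot: the added entry in this hunk names the wrong directory. It reads `./usr/share/man/cat3/pw_policy.3 comp-c-man .man`, but it sits in the man3 block and every neighbouring line is `./usr/share/man/man3/...`; it should be `./usr/share/man/man3/pw_policy.3 comp-c-man .man`. As written, the set list expects a file that is never installed and does not list the one that is, so the build's set consistency checks will report both a missing and an extra file.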
diff -r 2c1298b633f5 -r 89d06b3fc0e7 lib/libutil/Makefile
--- a/lib/libutil/Makefile Wed Sep 14 10:51:22 2005 +0000
+++ b/lib/libutil/Makefile Wed Sep 14 11:36:52 2005 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.47 2004/12/11 06:41:15 christos Exp $
+# $NetBSD: Makefile,v 1.48 2005/09/14 11:36:52 elad Exp $
# @(#)Makefile 8.1 (Berkeley) 6/4/93
USE_SHLIBDIR= yes
@@ -14,8 +14,8 @@
if_media.c \
login.c loginx.c login_cap.c login_tty.c logout.c logoutx.c \
logwtmp.c logwtmpx.c opendisk.c \
- passwd.c pw_scan.c pidfile.c pidlock.c pty.c secure_path.c \
- snprintb.c sockaddr_snprintf.c ttyaction.c ttymsg.c
+ passwd.c pw_scan.c pw_policy.c pidfile.c pidlock.c pty.c \
+ secure_path.c snprintb.c sockaddr_snprintf.c ttyaction.c ttymsg.c
MAN= getbootfile.3 getlabelsector.3 getmaxpartitions.3 \
getmntopts.3 \
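Review bot: pw_policy.c is added to SRCS here, but the `MAN=` list that begins at the trailing context line is not touched in this hunk. pw_policy.3 must be added to MAN for the new comp/mi entries (man3/pw_policy.3 and cat3/pw_policy.0) to be satisfied, and since the page documents a function named pw_policy_test, an MLINKS entry `pw_policy.3 pw_policy_test.3` would let `man pw_policy_test` find it. If both are in the truncated part of the diff, disregard.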
diff -r 2c1298b633f5 -r 89d06b3fc0e7 lib/libutil/pw_policy.3
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/lib/libutil/pw_policy.3 Wed Sep 14 11:36:52 2005 +0000
@@ -0,0 +1,296 @@
+.\" $NetBSD: pw_policy.3,v 1.1 2005/09/14 11:36:52 elad Exp $
+.\"
+.\" Copyright 2005 Elad Efrat <elad%NetBSD.org@localhost>
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. The name of the Author may not be used to endorse or promote
+.\" products derived from this software without specific prior written
+.\" permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.Dd September 13, 2005
+.Dt PW_POLICY 3
+.Os
+.Sh NAME
+.Nm pw_policy_test
+.Nd password policy enforcement
+.Sh LIBRARY
+.Lb libutil
+.Sh SYNOPSIS
+.In util.h
+.Ft int
+.Fn pw_policy_test "char *pw" "void *key" "int how"
+.Sh DESCRIPTION
+The
+.Fn pw_policy_test
+function checks if the password passed in
+.Ar pw
+follows the system's password policy as specified in
+.Pa /etc/passwd.conf .
+.Pp
+Using
+.Xr pw_getconf 3
+terminology,
+.Fn pw_policy_test
+accepts a
+.Ar key
+to be used when searching
+.Pa /etc/passwd.conf
+for a password policy.
+This key contains various options describing different policies.
+Some built-in ones are described along with their syntax below.
+.Pp
+To allow calling from various program contexts
+and using various password policy retrieval schemes,
+.Ar how
+tells
+.Fn pw_policy_test
+how to treat
+.Ar key .
+.Pp
+The value of
+.Ar how
+can be
+.Dv PW_POLICY_BYSTRING
+to indicate the passed
+.Ar key
+is to be used as a
+.Ft char * ,
+looking up the string it contains in
+.Pa /etc/passwd.conf .
+.Pp
+If
+.Ar how
+is
+.Dv PW_POLICY_BYPASSWD ,
+.Ar key
+is used as a
+.Ft struct passwd * ,
+first looking up the username in
+.Ft pw_name ,
+and if no key can be found, it will try the login class in
+.Ft pw_class .
+.Pp
+Using the value
+.Dv PW_POLICY_BYGROUP
+for
+.Ar how
+will use
+.Ar key
+as a
+.Ft struct group * ,
+looking up the group name in
+.Ft gr_name .
+.Pp
+If
+.Ar key
+is
+.Dv NULL ,
+or no specified key can be found, the default key,
+.Dq pw_policy ,
+is used.
+If even the default key can't be found,
+the password is accepted as no policy is defined.
+.Sh BUILT-IN POLICY SYNTAX
+Available built-in policy options include the following:
+.Pp
+.Bl -tag -width kungfuninja -compact
+.It length
+Length of the password.
+.It uppercase
+Number of upper-case characters in the password.
+.It lowercase
+Number of lower-case characters in the password.
+.It digits
+Number of digits in the password.
+.It punctuation
+Number of punctuation characters in the password.
+.It nclasses
+Number of different character classes in the password.
+.It ntoggles
+How often a user has to toggle between character classes in the password.
+.El
+.Pp
+Options are used inside keys.
+An option uses a format of
+.Dq option = value .
+For the built-in options, we use either
+.Dq N
+or
+.Dq N-M
+for the value.
+.Pp
+The first,
+.Dq N
+format, specifies a single length.
+For example, the following option specifies that the password should
+have exactly 3 upper-case characters:
+.Bd -literal -offset indent
+uppercase = 3
+.Ed
+.Pp
+The second,
+.Dq N-M
+format, can be used to specify a range.
+Forcing a policy for number of digits between 1 and 4 would be:
+.Bd -literal -offset indent
+digits = 1-4
+.Ed
+.Pp
+The characters
+.Sq 0
+and
+.Sq *
+can also be used to indicate
+.Dq not allowed
+and
+.Dq any number ,
+respectively.
+To illustrate, the following example states that the number of
+punctuation characters should be at least two:
+.Bd -literal -offset indent
+punctuation = 2-*
+.Ed
+.Pp
+No more than 7 digits:
+.Bd -literal -offset indent
+digits = *-7
+.Ed
+.Pp
+Any number of lower-case characters:
+.Bd -literal -offset indent
+lowercase = *
+.Ed
+.Pp
+Upper-case characters not allowed:
+.Bd -literal -offset indent
+uppercase = 0
+.Ed
+.Pp
+To specify that the password must be at least 8 characters long:
+.Bd -literal -offset indent
+length = 8-*
+.Ed
+.Pp
+Specifying a password must have at least 3 different character classes:
+.Bd -literal -offset indent
+nclasses = 3-*
+.Ed
+.Pp
+And that the user must change character class every 2 characters:
+.Bd -literal -offset indent
+ntoggles = *-2
+.Ed
+.Sh RETURN VALUES
+Upon success, meaning the password follows the specified policy,
+.Fn pw_policy_test
+will return 0.
+.Pp
+.Fn pw_policy_test
+will fail and return any of the following if:
+.Bl -tag -width Er
+.It Bq Er EPERM
+The password does not follow the specified policy.
+.It Bq Er EFAULT
+The password string provided is
+.Dv NULL .
+.It Bq Er ENOENT
+.Pa /etc/passwd.conf
+could not be found.
+.It Bq Er EINVAL
+.Ar how
+has an invalid value.
+.El
+.Sh FILES
+.Bl -tag -width /etc/passwd.conf -compact
+.It Pa /etc/passwd.conf
+password configuration file.
+.El
+.Sh EXAMPLES
+To check if
+.Ar the_password
+follows the system's default password policy:
+.Bd -literal -offset indent
+error = pw_policy_test(the_password, NULL, 0);
+if (error == EPERM)
+ (void)printf("Please refer to the password policy.\en");
+.Ed
+.Pp
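Review bot: the EXAMPLES section passes a bare `0` as `how` (`error = pw_policy_test(the_password, NULL, 0);`), while DESCRIPTION only defines PW_POLICY_BYSTRING, PW_POLICY_BYPASSWD and PW_POLICY_BYGROUP and RETURN VALUES says an invalid `how` yields EINVAL. Either document that `how` is ignored when `key` is NULL, or have the example use one of the named constants so it cannot be read as a contradiction. Two smaller points in the same page: `.Ft pw_name`, `.Ft pw_class` and `.Ft gr_name` are struct members, not function types, so `.Fa` or `.Va` is the right mdoc macro; and `.Fn pw_policy_test "char *pw"` could take `const char *pw`, since the function only inspects the password. Worth a sentence in DESCRIPTION as well: because a missing "pw_policy" key accepts any password, callers get no enforcement until the default policy mentioned in the commit message actually ships in /etc/passwd.conf.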