Subject: gosa+kerberos should enforce correct passwords
Date: Sat, 24 Mar 2012 11:34:57 +0100
package: debian-edu.config
version: 1.453
Hi Wolfgang,
thanks for confirming and providing more info.
On Samstag, 24. März 2012, Wolfgang Schweer wrote:
> On Sat, Mar 24, 2012 at 09:23:42AM +0100, Holger Levsen wrote:
> > On Freitag, 23. März 2012, Petter Reinholdtsen wrote:
> > > Could the problem be that the passwords are too short? Kerberos
> > > rejects passwords shorter than 6 characters.
> >
> > if that's not enforced in gosa, it should be.
>
> Providing too short passwords reproduces the problem. GOsa² accepts
> giving feedback 'ok' (LDAP Manager). Same providing too short pw
> manually.
>
> One more trap:
>
> Option minclasses isn't, but should be checked, too.
>
> --------------- snip kerberos-kdc-init ------------------------
> # Kerberos policy setup
> kadmin.local -q "addpol -maxlife \"2 days\" -minlength 5 users"
> kadmin.local -q "addpol -minclasses 2 hosts"
> ---------------------------------------------------------------
>
> Wouldn't it be better to have something like this:
>
> kadmin.local -q "addpol -minlength 6 -minclasses 2 users"
> kadmin.local -q "addpol -minlength 4 -minclasses 2 hosts"
cheers,
Holger
Acknowledgement sent to Guido Berhoerster <[email protected]>: Extra info received and forwarded to list. Copy sent to Debian Edu Developers <[email protected]>. (Wed, 11 Oct 2023 13:09:02 GMT)
Subject: Re: gosa+kerberos should enforce correct passwords
Date: Wed, 11 Oct 2023 15:04:10 +0200
There are currently potentially four different password policies
relevant for users:
1. gosa²/LDAP
2. Kerberos
3. Samba
4. PAM
1. gosa²
gosa² has the following settings affecting password complexity:
- passwordMinLength: minimum length (default: 5)
- passwordMinDiffer: minimum number of characters that need to differ
from the previous password, probably irrelevant for non-plaintext
passwords (default: 2)
However, when using the default theme the users plugin seems to read "The
password must have at least 1 characters" but it actually requires at
least 8 characters, so there is a bug.
In addition it has its own complexity requirements, the password must
contain at least one upper case, one lower case character, a digit, and
a special character.
When using the classic theme, the users plugin does not enforce a
password length or any complexity rules at all.
So if we want a unified password policy enforced by gosa we need to
fix those bugs first and make any rules actually configurable. A strong
password following the rules of the plugin using the default theme
should probably have 12 or 14 characters. I don't think the above
character class rules are actually useful.
2. Kerberos
The Kerberos minimum password length is configurable; it is currently
set to 5 characters. It also allows setting a policy on how many character
classes need to be represented in a password, though it is deactivated
by default:
kadmin.local: getpol users
Policy: users
Maximum password life: 0 days 00:00:00
Minimum password life: 0 days 00:00:00
Minimum password length: 5
Minimum number of password character classes: 1
Number of old keys kept: 1
Maximum password failures before lockout: 0
Password failure count reset interval: 0 days 00:00:00
Password lockout duration: 0 days 00:00:00
3. Samba
It is possible to enforce complexity through an external script which
performs a check on password change. This requires the setting "check
password script" in smb.conf. Internal password policies are only
possible in Samba-AD mode.
4. PAM
There are external PAM modules like libpam-pwquality available which can
enforce complexity in a fine-grained way. Another possibility would be
to invoke a script (e.g. through pam_python), possibly shared with one
used by Samba.
So the question is whether we want to rely solely on gosa to enforce
password complexity or if we want to configure all of the above so each
one enforces the common policy on its own?
In case of the former, what about the gosa option to have the user
change his password on the next login?
--
Guido Berhoerster
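As an added example (not part of this bug thread and not debian-edu-config code), here is one shape the shared check script Guido suggests for Samba's "check password script" and a PAM hook could take. It encodes the "users" policy Wolfgang proposed earlier in the thread (minimum length 6, at least 2 character classes), counting classes the way MIT Kerberos does for -minclasses: lower case, upper case, digits, punctuation, and everything else. Samba passes the new password on the script's standard input and expects exit status 0 for an acceptable password; wiring the same script into PAM (for instance via pam_exec with expose_authtok, or pam_python as mentioned above) is an assumption, as are the function names and the policy constants.

```python
#!/usr/bin/env python3
"""Shared password-policy check for Samba's 'check password script' and
a PAM hook.  Added example modelled on the Kerberos 'users' policy from
the thread; not part of debian-edu-config."""
import string
import sys

MIN_LENGTH = 6    # minlength proposed for the 'users' policy in the thread
MIN_CLASSES = 2   # minclasses proposed for the 'users' policy in the thread


def character_classes(password):
    """Return the set of character classes present, using the five classes
    MIT Kerberos counts for -minclasses: lower, upper, digit, punct, other."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("punct")
        else:
            classes.add("other")
    return classes


def check_password(password, min_length=MIN_LENGTH, min_classes=MIN_CLASSES):
    """Return a list of policy violations; an empty list means the password
    satisfies the policy."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    found = len(character_classes(password))
    if found < min_classes:
        problems.append(
            f"only {found} character class(es), policy requires {min_classes}")
    return problems


def main():
    # Samba sends the new password on stdin; a PAM hook such as pam_exec
    # with expose_authtok (assumed here) can feed it the same way.
    password = sys.stdin.readline().rstrip("\r\n")
    problems = check_password(password)
    for problem in problems:
        # Only the reason is reported, never the password itself.
        print(f"password rejected: {problem}", file=sys.stderr)
    return 0 if not problems else 1


if __name__ == "__main__":
    sys.exit(main())
```

Keeping the policy in one script means the minimum length and class count have to be changed in a single place when the Kerberos policy is adjusted with kadmin.local; the constants above would then be read from a shared configuration rather than hard-coded. The script writes only the violation reason to stderr so that the candidate password never ends up in logs.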