Bug 216983 - Make random password generation work with policies
Make random password generation work with policies
Status: CLOSED CURRENTRELEASE
Product: 389
Classification: Community
Component: Security - Password Policy (Show other bugs)
1.0.4
All Linux
medium Severity medium
: ---
: ---
Assigned To: Noriko Hosoi
Viktor Ashirov
:
Depends On:
Blocks: 152373 240316 FDS1.1.0
  Show dependency treegraph
 
Reported: 2006-11-22 19:16 EST by Noriko Hosoi
Modified: 2015-12-07 12:18 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-12-07 12:18:53 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
cvs diff (passwd_extop.c) (10.14 KB, patch)
2006-11-27 14:18 EST, Noriko Hosoi
no flags Details | Diff
generated password sample (6.70 KB, text/html)
2006-11-27 14:21 EST, Noriko Hosoi
no flags Details
cvs diff (passwd_extop.c) (11.37 KB, patch)
2006-11-27 18:58 EST, Noriko Hosoi
no flags Details | Diff
generated password sample + error messages (2.30 KB, text/html)
2006-11-27 19:04 EST, Noriko Hosoi
no flags Details
cvs diff (passwd_extop.c) (11.12 KB, patch)
2006-11-28 13:04 EST, Noriko Hosoi
no flags Details | Diff

  None (edit)
Description Noriko Hosoi 2006-11-22 19:16:38 EST
Description of problem:
passwd_modify_generate_passwd (passwd_extop.c) always generates 8-bytes random
characters made by PK11_GenerateRandom and ldif_base64_encode.  It needs to
generate a password which follows the password policy if it's defined.
Comment 1 Noriko Hosoi 2006-11-27 14:18:42 EST
Created attachment 142208 [details]
cvs diff (passwd_extop.c)

File:
 ldap/servers/slapd/passwd_extop.c

Changes:
1. Renamed passwd_modify_generate_passwd to
passwd_modify_generate_basic_passwd, which algorithm is used when no specific
password rule or just the minimum length is given.
2. If some other rules are set, passwd_modify_generate_policy_passwd is called
and generate a password which fulfill the requirement.

Note: this password generator does not support passwordMin8Bit.  If it
generates a password which includes 8-bit characters, most likely they won't be
able to displayed or input from the users' keyboard.  We should note it in the
doc...
Comment 2 Noriko Hosoi 2006-11-27 14:21:01 EST
Created attachment 142213 [details]
generated password sample

Attached is the sample output from ldappasswd.	Do you think this quality of
the randomness satisfies the requirement?
Comment 3 Nathan Kinder 2006-11-27 15:52:13 EST
What happens with the below code if the policy has the minimum alphas set to 1?

+        /* if only minalphas is set, divide it into minuppers and minlowers. */
+        if ( pwpolicy->pw_minalphas > 0 &&
+                 ( my_policy[idx_minuppers] == 0 && my_policy[idx_minlowers] ==
0 )) {
+                my_policy[idx_minuppers] = 2;
+                my_policy[idx_minlowers] = pwpolicy->pw_minalphas -
my_policy[idx_minuppers];
+        }

I think this may cause a problem since my_policy[idx_minlowers] would be
negative.  If we need to split the minimum alphas into upper and lower
categories, we may want to randomly pick a number between 0 and
pwpolicy->pw_minalphas to use as my_policy[idx_minuppers], then use the leftover
as my_policy[idx_minlowers] (if there is any leftover).
Comment 4 Noriko Hosoi 2006-11-27 18:58:24 EST
Created attachment 142247 [details]
cvs diff (passwd_extop.c)

Thank you to Nathan for the review and the discussion!

As you suggested, I changed to randomly choose the rest of the specified
characters (by such as minuppers or mindigits).  Also, I added error messages
to log in the errors log as well as to return to the client.  Please take a
look at the next attachment for the messages.
Comment 5 Noriko Hosoi 2006-11-27 19:04:01 EST
Created attachment 142248 [details]
generated password sample + error messages

Added error messages are for
1. when passwordMinCategories is 5, which expects the generated password to
include 8-bit character(s).  Password Generator does not support such a
password.
2. when passwordMin8Bit is set. 

Also, fixed the bug pointed out by Nathan in Comment#3.

Lastly, the generated password sequence looks more randomized!
Comment 6 Noriko Hosoi 2006-11-27 19:33:46 EST
After discussing with Nathan, I was convinced that this code (even if an obvious
bug were fixed!) is not needed.  I'm removing this section.
+                if ( my_policy[idx_minuppers] > 1 ) {
+                        if ( 0 == my_policy[idx_minuppers] ) {
+                                my_policy[idx_minuppers]++;
+                        } else if ( pwpolicy->pw_minalphas ==
my_policy[idx_minuppers] ) {
+                                my_policy[idx_minuppers]--;
+                        }
+                }
+
Comment 7 Nathan Kinder 2006-11-28 11:41:12 EST
The code looks good now!  I'd like to propose we use the following warning/error
messages:

Client error:
Unable to generate new random password.  Please contact the Administrator.

Server error when passwordMin8bit is > 0:
Unable to generate a password that meets the current password syntax rules. 
8-bit syntax restrictions are not supported with random password generation.

Server error when passwordMinCategories is set to 5
Unable to generate a password that meets the current password syntax rules.  A
minimum categories setting of 5 is not supported with random password generation.

Comment 8 Noriko Hosoi 2006-11-28 12:57:46 EST
Thank you so much, Nathan!

passwordMinCategories: 5
Client>
ldappasswd: Operations error
ldappasswd: additional info: Unable to generate new random password.  Please
contact the Administrator.
Server>
[...] - Unable to generate a password that meets the current password syntax
rules.  A minimum categories setting of 5 is not supported with random password
generation.

passwordMin8bit: 1
Client>
ldappasswd: Operations error
ldappasswd: additional info: Unable to generate new random password.  Please
contact the Administrator.
Server>
[...] - Unable to generate a password that meets the current password syntax
rules.  8-bit syntax restrictions are not supported with random password generation.
Comment 9 Noriko Hosoi 2006-11-28 13:04:56 EST
Created attachment 142311 [details]
cvs diff (passwd_extop.c)

Final diff of passwd_extop.c which has been revised based upon the Nathan's
review.

Reviewed by Nathan (Thank you!!)

Checked in into HEAD
Commit messsage:
Resolves: #216983
Summary: Make random password generation work with policies
Changes: 1) Generate a password that meets the current password syntax rules.
2) Report errors when Min8Bit is set or MinCategories > 4
CVS: ----------------------------------------------------------------------
CVS: Modified Files: passwd_extop.c
CVS: ----------------------------------------------------------------------
Checking in passwd_extop.c;
/cvs/dirsec/ldapserver/ldap/servers/slapd/passwd_extop.c,v  <--  passwd_extop.c

new revision: 1.14; previous revision: 1.13
done

Note You need to log in before you can comment on or make changes to this bug.