Bug 458792 - RFE: Support external script-based password policy
Product: 389
Classification: Community
Component: Security - Password Policy
Hardware: All  OS: Linux
Priority: medium  Severity: medium
Assigned To: Rich Megginson
QA Contact: Ben Levenson
Keywords: FutureFeature
Reported: 2008-08-12 07:04 EDT by Aleksander Adamowski
Modified: 2015-11-19 17:20 EST (History)

Doc Type: Enhancement
Last Closed: 2015-11-19 17:20:50 EST

Attachments: None
Description Aleksander Adamowski 2008-08-12 07:04:07 EDT
Description of problem:

Currently Fedora Directory Server allows for a very simple password policy (see http://directory.fedoraproject.org/wiki/Password_Syntax) that is applied to passwords changed by the users using the password change extended operation (exop for short).

Many organizations would like to be able to supplement that policy with their own custom, programmable policies. Currently there's no flexibility whatsoever.

The password quality assessment can be accomplished using very simple means - what is needed is just a program or script that reads a single line (containing the password) on its standard input and sets its return code to 0 if the password is OK or to 1 if it's not OK. It can also output a descriptive error on its standard output.

Here's an example of such a script in Perl:

#!/usr/bin/perl -w

# Read the candidate password: one line on standard input.
chomp(my $line = <STDIN>);

if ($line =~ /^password/i) {
  # Reject: print the reason on stdout and return 1.
  print "The password cannot begin with the word 'password'.\n";
  exit 1;
} else {
  # Accept: return 0 with no output.
  exit 0;
}

Note that this way one can easily implement various additional checks, e.g. a check against a known wordlist, statistical tests on the characters comprising the password, etc.

I think that this functionality could be implemented in FDS using a plugin that consumes one configuration option: the full absolute path to the binary to be executed for checking passwords.
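Added here to illustrate the stdin/exit-code protocol described above; this is not code from the report or from the 389 project. It is a hypothetical checker in Python (the Perl script translated and extended with a constructed wordlist and a minimum length) together with the caller side such a plugin would need: password on stdin rather than on the command line, a timeout, and fail-closed handling of any abnormal exit. The function names, wordlist contents and 5-second timeout are assumptions.

```python
#!/usr/bin/env python3
"""Hypothetical external password checker plus the caller side of the protocol
sketched in the report: one line (the password) on stdin, exit 0 for OK,
exit 1 for rejected, optional reason on stdout."""
import subprocess
import sys

# Constructed sample wordlist standing in for a real dictionary file.
WORDLIST = {"password", "letmein", "qwerty", "welcome", "correcthorse"}
MIN_LENGTH = 8  # assumed policy value


def assess_password(password, wordlist=WORDLIST):
    """Return (exit_code, message): (0, "") if the password passes,
    (1, reason) otherwise. Checks run in the order a user sees them."""
    lowered = password.lower()
    if lowered.startswith("password"):
        return 1, "The password cannot begin with the word 'password'."
    if len(password) < MIN_LENGTH:
        return 1, "The password must be at least %d characters long." % MIN_LENGTH
    if lowered in wordlist:
        return 1, "The password is a well-known dictionary word."
    return 0, ""


def run_external_check(command, password, timeout=5):
    """Caller side (what a server plugin would do): run the configured checker
    with the password on stdin, never in argv where 'ps' could expose it.
    Anything but a clean exit 0, including a timeout or a missing binary,
    rejects the password so a broken checker never weakens the policy."""
    try:
        proc = subprocess.run(command, input=password + "\n", text=True,
                              capture_output=True, timeout=timeout)
    except (OSError, subprocess.TimeoutExpired) as exc:
        return False, "password check unavailable: %s" % exc.__class__.__name__
    if proc.returncode == 0:
        return True, ""
    return False, proc.stdout.strip() or "password rejected by policy"


def main():
    """Script entry point implementing the stdin/exit-code contract."""
    line = sys.stdin.readline().rstrip("\r\n")
    code, message = assess_password(line)
    if message:
        print(message)
    sys.exit(code)


if __name__ == "__main__":
    main()
```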
Comment 1 Martin Kosek 2012-01-04 08:43:12 EST
Upstream ticket:
Comment 3 Noriko Hosoi 2015-11-19 17:20:50 EST
Closing this bug since we moved to the ticket system:
