Bug 458792 - RFE: Support external script-based password policy
Keywords:
Status: CLOSED DEFERRED
Alias: None
Product: 389
Classification: Retired
Component: Security - Password Policy
Version: 1.1.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Rich Megginson
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-08-12 11:04 UTC by Aleksander Adamowski
Modified: 2015-11-19 22:20 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2015-11-19 22:20:50 UTC
Embargoed:



Description Aleksander Adamowski 2008-08-12 11:04:07 UTC
Description of problem:

Currently Fedora Directory Server allows for a very simple password policy (see http://directory.fedoraproject.org/wiki/Password_Syntax) that is applied to passwords changed by the users using the password change extended operation (exop for short).

Many organizations would like to be able to supplement that policy with their own custom, programmable policies. Currently there's no flexibility whatsoever.

The password quality assessment can be accomplished using very simple means - what is needed is just a program or script that reads a single line (containing the password) from its standard input and sets its return code to 0 if the password is OK or to 1 if it's not OK. It can also output a descriptive error on its standard output.

Here's an example of such a script in Perl:


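#!/usr/bin/perl -w
# Example password checker: reads one line (the password) from standard
# input, exits 0 if it is acceptable, or prints a reason and exits 1.
use strict;

chomp(my $line = <STDIN>);

# Reject passwords that begin with "password" (case-insensitive).
if ($line =~ /^password/i) {
  print "The password cannot begin with the word 'password'.\n";
  exit 1;
} else {
  exit 0;
}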

Note that this way one can easily implement various additional checks, e.g. a check against a known wordlist, statistical tests on the characters comprising the password, etc.


I think that this functionality could be implemented in FDS using a plugin that consumes one configuration option: the full absolute path to the binary to be executed for checking passwords.
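
Added example, not part of the original report and not 389 Directory Server code: a sketch of the calling side of the contract described in the report above (password on standard input, exit status 0 or 1, reason on standard output). The names `check_password` and `write_sample_checker`, the timeout, the restricted environment and the fail-closed handling are assumptions; the sample checker is a constructed Python stand-in for the Perl script.

```python
import os
import subprocess
import sys
import tempfile

CHECK_TIMEOUT_SECONDS = 5  # assumed limit; the report does not specify one


def check_password(checker_path, password):
    """Return (accepted, message) per the report's stdin / exit-code contract."""
    # The report asks for a full absolute path, so nothing is looked up via PATH.
    if not os.path.isabs(checker_path):
        return False, "checker path must be absolute"
    # The checker reads one line; text after a line break would go unchecked.
    if "\n" in password or "\r" in password:
        return False, "password contains a line break"
    try:
        result = subprocess.run(
            [checker_path],            # argv list, no shell involved
            input=password + "\n",     # stdin only: argv is visible in process listings
            stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, text=True,
            env={"PATH": "/usr/bin:/bin"}, timeout=CHECK_TIMEOUT_SECONDS,
        )
    except (OSError, subprocess.TimeoutExpired) as exc:
        # Fail closed: a missing, non-executable or hung checker rejects the change.
        return False, "checker unavailable: %s" % type(exc).__name__
    # Only exit status 0 accepts; 1, any other status, or death by signal rejects.
    return result.returncode == 0, result.stdout.strip()


def write_sample_checker(directory):
    """Constructed stand-in for the Perl script above: same rule, same contract."""
    path = os.path.join(directory, "pwcheck")
    with open(path, "w") as fh:
        fh.write("#!%s\nimport re, sys\n"
                 "if re.match(r'password', sys.stdin.readline(), re.I):\n"
                 "    print(\"The password cannot begin with the word 'password'.\")\n"
                 "    sys.exit(1)\n" % sys.executable)
    os.chmod(path, 0o700)  # readable and executable by the owning account only
    return path


if __name__ == "__main__":
    checker = write_sample_checker(tempfile.mkdtemp())
    for candidate in ("Password2008", "tr0ub4dor&3"):  # constructed sample inputs
        print(candidate, check_password(checker, candidate))
```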

Comment 1 Martin Kosek 2012-01-04 13:43:12 UTC
Upstream ticket:
https://fedorahosted.org/389/ticket/109

Comment 3 Noriko Hosoi 2015-11-19 22:20:50 UTC
Closing this bug since we moved to the ticket system:
https://fedorahosted.org/389/ticket/109

