-
Notifications
You must be signed in to change notification settings - Fork 964
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
vncpasswd add pwquality complexity rule check #1762
Conversation
Thank you for your contribution! I'm concerned how well a pwquality will work for VNC passwords, given that they are limited to 8 characters. #370 would probably need to be implemented first. Otherwise the user might come up with a long and secure to keep pwquality happy, but overlook the fact that the actual used password is much shorter. It should probably also just be a warning when pwquality fails, not an error, given that it is difficult to get a good password with so few characters. |
Yes, due to the VNC protocol, the actual length of the VNC password used is 8 characters. |
According to your opinion, when setting a password, add an 8-character limit. |
|
@CendioOssman Could you please take a look and see if there is anything else that needs to be added. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks really good! There are some tweaks that are needed, though. Please have a look at my comments.
unix/vncpasswd/vncpasswd.cxx
Outdated
pwquality_set_int_value(pwq, PWQ_SETTING_MIN_LENGTH, 6); | ||
pwquality_set_int_value(pwq, PWQ_SETTING_MAX_SEQUENCE, 8); | ||
pwquality_set_int_value(pwq, PWQ_SETTING_MAX_REPEAT, 1); | ||
pwquality_set_int_value(pwq, PWQ_SETTING_MIN_CLASS, 3); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This doesn't seem proper to override. Isn't this configured by the system administrator in /etc/security/pwquality.conf
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Using the rules specified in the code for the libpwquality library.
Instead of using the libpwquality.cn configuration file.
I think these two are independent, so there should be no rewriting or conflict.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The man page for pwquality.conf
states:
pwquality.conf provides a way to configure the default password quality requirements for the system
passwords. This file is read by the libpwquality library and utilities that use this library for checking
and generating passwords.
So I think it would be very surprising for a sysadmin if those settings aren't respected by vncpasswd.
Please remove all the overrides and we can use the settings that libpwquality has loaded from the system configuration.
unix/vncpasswd/vncpasswd.cxx
Outdated
exit(1); | ||
} | ||
fprintf(stderr,"Password must be at least 6 characters - try again\n"); | ||
fprintf(stderr,_("Password must be at least 6 characters - try again\n")); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is now policy that could conflict with what pwquality wants. It should be removed if we always use pwquality, or used as a fallback if pwquality ends up being optional.
continue; | ||
} | ||
|
||
if (first.size() > 8) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice! But could you split this to a separate commit? It's independent of using pwquality.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Perhaps they should be submitted separately
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A separate commit, yes. But you don't need to open a separate PR for such a small fix.
@CendioOssman |
unix/vncpasswd/CMakeLists.txt
Outdated
# check for pwquality password check support | ||
option(ENABLE_PWQUALITY "Enable pwquality password check" ON) | ||
if(ENABLE_PWQUALITY) | ||
if(UNIX) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Perhaps this if()
should be around everything, so we don't annoy Windows users with this setting?
Could you please take a moment to review again . @CendioOssman |
@CendioOssman Please review again. Looking forward to your reply and suggestions. |
Sorry for the late response. I've been away for a few weeks. There are still some open requests that haven't been addressed. Please have a look at them and see if we can get the last bits fixed. |
Yes, that is correct.
If the system policy doesn't allow passwords that are compatible with VNC, then the system should refuse to continue. It shouldn't silently change the policy and allow things that the user thinks have been blocked. As for only 8 characters being used, your previous suggestion had a check for that. But it seems to have been dropped? |
Okay, then use the default pwquality.conf rule
Because it's independent of using pwquality |
Yes, but the commit can still be part of this pull request. |
Use the library pwquality to check password complexity and improve security. Additionally, optional enable support is also set in CMake.
Password should not be greater than 8 characters. Because only 8 valid characters are used.
@CendioOssman According to your suggestion, it has been modified. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good! Thank you for getting this done.
Add a password complexity strategy for VNC user authentication
enhance password quality verification checks, and enhance security
Additionally, Chinese translation has been added