Needs tests : nethserver-password

testing

(Stéphane de Labrusse) #1

A module to adjust the password policies.

You can modify the available properties of passwordstrength

# config show passwordstrength 
passwordstrength=configuration
    Admin=strong
    Ibays=strong
    MaxPassAge=180
    MinPassAge=0
    PassExpires=yes
    PassWarning=7
    Users=strong

You can also disable the password expiration for each user; you need to go to the User Panel (service Table)

After all, keep in mind that a strong password and a short password expiration are annoying but secure :slight_smile:

yum install http://mirror.de-labrusse.fr/nethserver/nethserver-password/nethserver-password-1.0.2-1.ns6.noarch.rpm

srpm http://mirror.de-labrusse.fr/nethserver/nethserver-password/

and source https://github.com/stephdl/nethserver-password/tree/ns6
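
An added example (not part of the original post or of the module's code): a POSIX shell function that parses the `config show passwordstrength` output shown above and reports weakened or inconsistent settings, the kind of condition the thread later suggests warning the admin about. The function name, the finding labels and the 180-day limit are assumptions.

```shell
#!/bin/sh
# Added example: audit the text printed by `config show passwordstrength`.
# The 180-day limit and the finding labels are assumptions for illustration.
MAX_AGE_LIMIT=${MAX_AGE_LIMIT:-180}

# Reads the record on stdin; prints one finding per line, nothing if clean.
# On a server: config show passwordstrength | audit_passwordstrength
audit_passwordstrength() {
    awk -v limit="$MAX_AGE_LIMIT" '
        # Indented "Key=value" lines are properties; the unindented first
        # line ("passwordstrength=configuration") names the record.
        /^[ \t]+[A-Za-z0-9_]+=/ {
            line = $0
            gsub(/^[ \t]+|[ \t\r]+$/, "", line)
            eq = index(line, "=")
            prop[substr(line, 1, eq - 1)] = substr(line, eq + 1)
        }
        END {
            n = split("Users Admin", who, " ")
            for (i = 1; i <= n; i++) {
                k = who[i]
                if (!(k in prop)) print "MISSING " k
                else if (prop[k] == "none") print "WEAK " k " strength is none"
            }
            if (prop["PassExpires"] != "yes") print "WEAK PassExpires is not yes"
            max = prop["MaxPassAge"] + 0; min = prop["MinPassAge"] + 0
            warn = prop["PassWarning"] + 0
            if (max > limit) print "WEAK MaxPassAge " max " exceeds " limit
            if (max > 0 && min >= max) print "INCONSISTENT MinPassAge >= MaxPassAge"
            if (max > 0 && warn >= max) print "INCONSISTENT PassWarning >= MaxPassAge"
        }'
}

# Record from the post (Ibays left out), then a constructed weakened one.
SAMPLE_PAGE='passwordstrength=configuration
    Admin=strong
    MaxPassAge=180
    MinPassAge=0
    PassExpires=yes
    PassWarning=7
    Users=strong'
SAMPLE_WEAK='passwordstrength=configuration
    Admin=strong
    MaxPassAge=365
    MinPassAge=0
    PassExpires=no
    PassWarning=7
    Users=none'
printf '%s\n' "$SAMPLE_WEAK" | audit_passwordstrength
```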


(Alessio Fattorini) #2

Looking forward to testing this module really soon!!
Nice!! Thank you steph!!


(Michele Bortolotto) #3

Great work as usual @stephdl


(Stéphane de Labrusse) #4

In all humility, don’t be too confident, since I found bugs in nethserver-phpsettings:

  • lack of Italian translation (even written in English)
  • lack of Help pages (I submitted a bug)

Try to click everywhere and also take a look at the logs after the installation and also during the usage of the module.

I’m just a man :slight_smile:


(Stéphane de Labrusse) #5

A minor version: now I take into consideration users imported from a CSV file.


(Giacomo Sanchietti) #6

There is already a tool:
http://docs.nethserver.org/en/latest/accounts.html#import-users


(Giacomo Sanchietti) #7

Thanks for the work, I just reviewed the code (but I didn’t test it), and it looks fine.
I’m wondering about including the module as a core package.

I just have to point out a couple of things:

  • password policy for ibays has been deleted: the password is only an HTTP password and doesn’t have any security concern (see: http://dev.nethserver.org/issues/3094)
  • probably we can remove nethserver-password-PassExpires2yes-conf and implement it as a simple migration fragment
  • what about adding a yellow todo-box when password strength is disabled? I’d like to always remind the admin of his/her own mistakes :stuck_out_tongue:

(Alessio Fattorini) #8

Like it, thumbs up! :+1:


(Alessio Fattorini) #9

@stephdl are you thinking of a webui for that import tool?


(Gerald) #10

Perfect, great tool!


(Stéphane de Labrusse) #11

@giacomo That’s nice if the code can be imported as a core feature, no problem with that… I’m only wondering which core rpm you want me to do a pull request to???

Concerning:

  • nethserver-password-PassExpires2yes-conf: If the code becomes a core feature, then it needs to be integrated into anterior actions of events (user-modify and user-create). I prefer that the property ‘PassExpire’ is set to yes for each user; it is clearer.

  • The colouration: why not, no idea how to do that, but seriously, how many admins, do you think, will keep a strong passwordstrength? I want to bet that a lot will quickly set it to none. Maybe an intermediate level is needed, like the one that exists in SME Server.

  • The low level of the Ibays password for the http access raises some questions for me. I do not understand why. Moreover, I would be happy if we could add some users and groups access to ibays with apache. I do love Webdav.

@alefattorini I’m not really enthusiastic about a webui for importing users from csv files. Of course that can be done, but I don’t see a real value in a webUI like that. In fact it is intended for sysadmins, and IMHO, they have to use the command line for these tasks. Most of the time, it is needed just one time per year, so…

In fact I would be more interested in a module with ddclient… I looked a bit and it could be relatively easy with nethserver-hosts. I could either fork it or do a pull request.


(Alessio Fattorini) #12

Totally agree, mine was just a question to get your purpose :smile:

That’s a good idea I think, seen many requests about this. What do you think, @filippo_carletti?


(Davide Principi) #13

It can be an opt-in RPM in base repos or installed from the Forge: I’d prefer keeping the password policy far from inexperienced hands :wink:


(Giacomo Sanchietti) #14

We will add your package among the core packages, maybe directly inside nethserver-iso yum group.

It’s not necessary to have an explicit property. I would like to propose “Yes” as default inside the User configuration page. So each new user will have PassExpire set, but the old ones will be untouched.
If you need help for the web interface, @davidep will be glad to assist you :smile:

We can do it. There are some simple APIs: http://docs.nethserver.org/projects/nethserver-devel/en/latest/todos_api.html?highlight=todo
I don’t see any reason to lower the password strength policy (besides development environments).
The administrator should really really really be discouraged from doing so! :smiley:

In the old SME implementation, ibays were system users so the password needed to be strong (we saw many attacks based on weak ibay passwords!). But with the new implementation this is not needed: if the password is stolen, an attacker can only access a read-only web directory.
By the way, we can re-add a check in the future maybe only at web interface level.


(Stéphane de Labrusse) #15

Well, Thanks for the documentation link Giacomo, I will read it.

I’m not sure that davidep completely agrees to get it in the core base, anyway it is not a problem.


(Davide Principi) #16

Thanks Stéphane for highlighting my position :blush: Just to clarify it:

  • I would not implement a shortcut to change the password policy, anyway the support team says such a feature can help and they ask for it. As @giacomo said: The administrator should really really really be discouraged from doing so!; that means a scary message must be displayed at least :wink:
  • As the feature is accepted, I have no problem including it in a new core package: if possible, I’d limit any modification to existing packages.
  • I’d prefer to make this an optional package, available from the “Software Center” page.

(Davide Principi) #17

I love it too. We were thinking about implementing it …when ownCloud came in :smile:


(Stéphane de Labrusse) #18

New version: the ibay setting has been removed since it is obsolete


(Davide Principi) #19

Hi @stephdl I’ve opened the issue 3125 on Dev, to track the advancement of this feature.

Let’s continue the discussion there!

