Needs tests : nethserver-password

Development Testing
1

A module to adjust the password policies.

You can modify the available properties of passwordstrength

# config show passwordstrength 
passwordstrength=configuration
    Admin=strong
    Ibays=strong
    MaxPassAge=180
    MinPassAge=0
    PassExpires=yes
    PassWarning=7
    Users=strong

You can also for each user disable the password Expiration, you need to go to the User Panel (service Table)

After All, keep in mind that a strong password and a short password expiration are annoying but secure :slight_smile:

yum install http://mirror.de-labrusse.fr/nethserver/nethserver-password/nethserver-password-1.0.2-1.ns6.noarch.rpm

srpm http://mirror.de-labrusse.fr/nethserver/nethserver-password/

and source https://github.com/stephdl/nethserver-password/tree/ns6

2 Likes
2

Looking forward To test this module really soon!!
Nice!! Thank you steph!!

3

Great work as usual @stephdl

4

In all humility, don’t be too much confident since I found bugs in nethserver-phpsettings

lack of italian translation (even written in english)
lack of Help pages (I submitted a bug)

Try to click everywhere and also take a look in logs after the installation and also during the usage of the module.

I’m just a man :slight_smile:

1 Like
5

A minor version, Now I take consideration of imported users from a CSV file.

6

There is already a tool:
http://docs.nethserver.org/en/latest/accounts.html#import-users

7

Thanks for the work, I just reviewed the code (but I didn’t test it), and it looks fine.
I’m wondering about to include the module as a core package.

I’ve just to point out a couple of things:

  • password policy for ibays is been deleted: the password is only a HTTP password and doesn’t have any security concern (see: Bug #3094: Validation error setting ibay password - NethServer 6 - NethServer.org)
  • probably we can remove nethserver-password-PassExpires2yes-conf and implement it as a simple migration fragment
  • what about adding a yellow todo-box when password strength is disabled? I’d like to always remember the admin his/her own mistakes :stuck_out_tongue:
8

Like it, thumbs up! :+1:

9

@stephdl are thinking to a webui for that import tool?

10

Perfekt, great tool!

11

@giacomo That’s nice if the code can be imported as a core feature, no problem with that
I’m only wondering wich core rpm you want that I do a pull request ???

Concerning :

  • nethserver-password-PassExpires2yes-conf : If the code become a core feature then it needs to be integrated to anterior actions of events (user-modify and user-create). I prefer that the property ‘PassExpire’ is set to yes for each user, it is more clear.

  • The colouration, why not, no idea on how to do that, but seriously how much admins, do you think, will keep a strong passwordstrengh. I want to bet that a lot will set quickly to none. Maybe It is needed an intermediate level like it exists with SME Server.

  • The low level of Ibays password for the http access, makes me some interrogations. I do not understand why ? Moreover I would be happy if we can add some users and groups access to ibays with apache. I do love Webdav.

@alefattorini I’m not really enthusiast about a webui for importing users from csv files. Of course that can be done, but I don’t see a real value to a webUI like that. In fact it is destined to sysadmin, and IMHO, they have to use the command line for these tasks. Most of time, it is needed just one time per year, so


In fact I would be more interested by a module with ddclient
I looked a bit and It could be relatively easy with nethserver-hosts. Either I could fork it, or doing a pull request.

12

Totally agree, mine was just a question to get your purpose :smile:

That’s a good idea I think, seen many request about this. What do you think @filippo_carletti ?

13

It can be an opt-in RPM in base repos or installed from the Forge: I’d prefer keeping the password policy far from inexperienced hands :wink:

1 Like
14

We will add your package among the core packages, maybe directly inside nethserver-iso yum group.

It’s not necessary to have an explicit property. I would like to propose “Yes” as default inside the User configuration page. So each new user will have PassExpire set, but the old ones will be untouched.
If you need help for the web interface, @davidep will be glad to assist you :smile:

We can do it. There are some simple API: TODO API — NethServer 7 documentation
I don’t see any reason to lower the password strength policy (beside develop environment).
The administrator should really really really discourage to do so! :smiley:

In the old SME implementation, ibays were system users so the password needed to be strong (we saw many attacks based on weak ibay passwords!). But with the new implementation this is not needed: if the password is stolen, an attacker can only access a read-only web directory.
By the way, we can re-add a check in the future maybe only at web interface level.

15

Well, Thanks for the documentation link Giacomo, I will read it.

I’m not sure that davidep is completely agree to get it in the core base, anyway it is not a problem.

16

Thanks Stéphane for highlighting my position :blush: Just to clarify it:

  • I would not implement a shortcut to change the password policy, anyway the support team says a such feature can help and they asks for it. As @giacomo said: The administrator should really really really discouraged to do so!; that means a scaring message must be displayed at least :wink:
  • As the feature is accepted, I have no problem to include it into a new core package: if possible, I’d limit any modification to existing packages.
  • I’d prefer to make this an optional package, available from the “Software Center” page.
2 Likes
17

I love it too. We were thinking about implementing it 
when ownCloud came in :smile:

18

New version, the ibay setting has been removed since obsoleted

2 Likes
19

Hi @stephdl I’ve opened the issue 3125 on Dev, to track the advancement of this feature.

Let’s continue the discussion there!

1 Like