
Bug#665446: gosa+kerberos should enforce correct passwords



There are currently potentially four different password policies
relevant for users:

1. gosa²/LDAP
2. Kerberos
3. Samba
4. PAM

1. gosa²

gosa² has the following settings affecting password complexity:

- passwordMinLength: minimum length (default: 5)
- passwordMinDiffer: minimum number of characters that need to differ
  from the previous password, probably irrelevant for non-plaintext
  passwords (default: 2)

However, when using the default theme the users plugin seems to read "The
password must have at least 1 characters" but it actually requires at
least 8 characters, so there is a bug.

In addition it has its own complexity requirements, the password must
contain at least one upper case, one lower case character, a digit, and
a special character.

When using the classic theme, the users plugin does not enforce a
password length or any complexity rules at all.

So if we want a unified password policy enforced by gosa we need to
fix those bugs first and make any rules actually configurable. A strong
password following the rules of the plugin using the default theme
should probably have 12 or 14 characters. I don't think the above
character class rules are actually useful.

2. Kerberos

The kerberos minimum password length is configurable; it is currently
set to 5 characters. It also allows setting a policy on how many character
classes need to be represented in a password, though it is deactivated
by default:

    kadmin.local:  getpol users
    Policy: users
    Maximum password life: 0 days 00:00:00
    Minimum password life: 0 days 00:00:00
    Minimum password length: 5
    Minimum number of password character classes: 1
    Number of old keys kept: 1
    Maximum password failures before lockout: 0
    Password failure count reset interval: 0 days 00:00:00
    Password lockout duration: 0 days 00:00:00

3. Samba

It is possible to enforce complexity through an external script which
performs a check on password change. This requires the setting "check
password script" in smb.conf.  Internal password policies are only
possible in Samba-AD mode.

4. PAM

There are external PAM modules like libpam-pwquality available which can
enforce complexity in a fine-grained way.  Another possibility would be
to invoke a script (e.g. through pam_python), possibly shared with one
used by Samba.

So the question is whether we want to rely solely on gosa to enforce
password complexity or if we want to configure all of the above so each
one enforces the common policy on its own?
In case of the former, what about the gosa option to have the user
change his password on the next login?


-- 
Guido Berhoerster
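
A shared check script of the kind the report mentions for Samba's "check password script" and for a pam_python wrapper, added here as an example that is not part of the bug report: it implements the length, character-class and passwordMinDiffer rules discussed above. The threshold values are assumptions chosen for the example (not gosa or Kerberos defaults); the stdin protocol is Samba's (new password on stdin, exit status 0 means accepted), and the optional old-password line is an assumed extension for a PAM wrapper.

```python
#!/usr/bin/env python3
"""Shared password policy check: usable as Samba "check password script"
(password on stdin, exit 0 = accept) or called from a PAM wrapper."""
import string
import sys

# Policy values are assumptions for this example, not gosa/Kerberos defaults.
MIN_LENGTH = 12    # counterpart of gosa passwordMinLength
MIN_CLASSES = 3    # counterpart of Kerberos "minimum number of password character classes"
MIN_DIFFER = 2     # counterpart of gosa passwordMinDiffer (needs the old plaintext)

CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def char_classes(password):
    """Return the set of character-class names present in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def differing_chars(old, new):
    """Count positions where new differs from old; extra length counts as differing."""
    return sum(1 for a, b in zip(old, new) if a != b) + abs(len(old) - len(new))


def check_password(new, old=None):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(char_classes(new)) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    # passwordMinDiffer can only be checked when the old plaintext is available
    if old is not None and differing_chars(old, new) < MIN_DIFFER:
        problems.append(f"fewer than {MIN_DIFFER} characters differ from the old password")
    return problems


if __name__ == "__main__":
    # Samba sends only the new password; a PAM wrapper (assumed) may send "old\nnew".
    lines = sys.stdin.read().splitlines()
    old_pw, new_pw = (lines[0], lines[1]) if len(lines) >= 2 else (None, lines[0] if lines else "")
    violations = check_password(new_pw, old_pw)
    for v in violations:
        print("password rejected:", v, file=sys.stderr)
    sys.exit(1 if violations else 0)
```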

