Repository: incubator-guacamole-manual
Updated Branches:
  refs/heads/master 07e4ee423 -> b7dc148b5

GUACAMOLE-36: Document JDBC auth's password policy properties.

Project: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-manual/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-manual/commit/b76c7f59
Tree: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-manual/tree/b76c7f59
Diff: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-manual/diff/b76c7f59

Branch: refs/heads/master
Commit: b76c7f591be21587c0d4c5fad64178a71f43d8a2
Parents: 79ada45
Author: Michael Jumper <[email protected]>
Authored: Tue Aug 23 12:11:33 2016 -0700
Committer: Michael Jumper <[email protected]>
Committed: Wed Oct 19 23:08:32 2016 -0700

----------------------------------------------------------------------
 src/chapters/jdbc-auth.xml | 94 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 94 insertions(+)
----------------------------------------------------------------------

http://git-wip-us.apache.org/repos/asf/incubator-guacamole-manual/blob/b76c7f59/src/chapters/jdbc-auth.xml
----------------------------------------------------------------------
diff --git a/src/chapters/jdbc-auth.xml b/src/chapters/jdbc-auth.xml
index e121409..5a0f236 100644
--- a/src/chapters/jdbc-auth.xml
+++ b/src/chapters/jdbc-auth.xml
@@ -455,6 +455,100 @@ postgresql-password: <replaceable>some_password</replaceable></programlisting> <para>Be sure to specify the correct username and password for the database user you created, and to specify the correct database. Authentication will not work if these parameters are not correct.</para> + <section> + <title>Enforcing password policies</title> + <para>Configuration options are available for enforcing rules intended to encourage + password complexity and regular changing of passwords. None of these options are + enabled by default, but can be selectively enabled through additional properties + in <filename>guacamole.properties</filename>.</para> + <section> + <title>Password complexity</title> + <para>Administrators can require that passwords have a certain level of + complexity, such as having both uppercase and lowercase letters ("multiple + case"), at least one digit, or at least one symbol, and can prohibit + passwords from containing the user's own username.</para> + <para>For the sake of password content, the database authentication defines a + "digit" as any numeric character. This takes non-English languages into + account, and is not be simply "0" thorough "9". There are quite a few <link + xlink:href="https://en.wikipedia.org/wiki/Numerals_in_Unicode">numeric + characters defined by Unicode</link>. A "symbol" is defined as any + non-alphanumeric character - any character which Unicode does not define as + alphabetic or numeric.</para> + <para>The check for whether a password contains the user's own username is + performed in a case-insensitive manner. 
For example, if the user's username + is "phil", the passwords "ch!0roPhil" and "PHIL-o-dendr0n" would still be + prohibited.</para> + <informalexample> + <programlisting># MySQL +mysql-user-password-min-length: <replaceable>8</replaceable> +mysql-user-password-require-multiple-case: true +mysql-user-password-require-symbol: true +mysql-user-password-require-digit: true +mysql-user-password-prohibit-username: true + +# PostgreSQL +postgresql-user-password-min-length: <replaceable>8</replaceable> +postgresql-user-password-require-multiple-case: true +postgresql-user-password-require-symbol: true +postgresql-user-password-require-digit: true +postgresql-user-password-prohibit-username: true</programlisting> + </informalexample> + </section> + <section> + <title>Password age / expiration</title> + <para>"Password age" refers to two separate concepts:</para> + <orderedlist> + <listitem> + <para>Requiring users to change their password after a certain amount of + time has elapsed since the last password change (maximum password + age).</para> + </listitem> + <listitem> + <para>Preventing users from changing their password too frequently + (minimum password age).</para> + </listitem> + </orderedlist> + <para>In both cases, these values are specified in units of days, and are both + disabled by default.</para> + <para>While it may seem strange to prevent users from changing their password + too frequently, it does make sense if you are concerned that rapid password + changes may defeat password expiration (users could immediately change the + password back) or tracking of password history (users could cycle through + passwords until the history is exhausted and their old password is + back).</para> + <para>So that administrators can always intervene in the case that a password + needs to be reset despite restrictions, the minimum age restriction does not + apply to any user with permission to administer the system.</para> + <informalexample> + <programlisting># MySQL 
+mysql-user-password-min-age: <replaceable>7</replaceable> +mysql-user-password-max-age: <replaceable>90</replaceable> + +# PostgreSQL +postgresql-user-password-min-age: <replaceable>7</replaceable> +postgresql-user-password-max-age: <replaceable>90</replaceable></programlisting> + </informalexample> + </section> + <section> + <title>Preventing password reuse</title> + <para>If desired, Guacamole can keep track of each user's most recently used + passwords, and will prohibit reuse of those passwords until the password has + been changed sufficiently many times. By default, Guacamole will not keep + track of old passwords.</para> + <para>Note that these passwords are hashed in the same manner as each user's + current password. When a user's password is changed, the hash, salt, etc. + currently stored for that user is actually just copied verbatim (along with + a timestamp) into a list of historical passwords, with older entries from + this list being automatically deleted.</para> + <informalexample> + <programlisting># MySQL +mysql-user-password-history-size: <replaceable>6</replaceable> + +# PostgreSQL +postgresql-user-password-history-size: <replaceable>6</replaceable></programlisting> + </informalexample> + </section> + </section> <section xml:id="jdbc-auth-concurrency"> <title>Concurrent use of Guacamole connections</title> <para>The database authentication module provides configuration options to restrict
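Review bot: The "Password complexity" paragraph defining a "digit" has two typos that change the sense of the sentence: "and is not be simply "0" thorough "9"" should read "and is not simply "0" through "9"", and "For the sake of password content" reads more naturally as "For the purposes of password content". In the same paragraph, the definition of "symbol" uses a bare hyphen as a dash ("non-alphanumeric character - any character which Unicode..."); since this is DocBook, a colon or a separate sentence would render more cleanly than an ASCII hyphen. Two smaller documentation gaps worth closing while this section is being added: the "Preventing password reuse" section says older history entries are "automatically deleted" but does not state that the list is trimmed to the configured history size (for example, that with history-size 6 only the six most recent hashes are retained), and the "Password age / expiration" section notes that the minimum-age exemption for administrators exists, but the history section does not say whether the reuse prohibition also applies to administrators; one sentence in each place would remove the ambiguity for operators tuning these properties.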
