I've written up a basic design doc below of what I am proposing for FreeIPA.  This work has already been done in 389 Directory Server, and it can be easily ported to FreeIPA (which I am volunteering to do).   While there are other features we would like to add, these are the features that most customers are "asking" for today, and these are the features that we can easily "add" today.  Please look it over, and share your thoughts if this design is acceptable.



Enhance Password Policy Features in FreeIPA

Customers have been requesting a richer set of password policy syntax checking features.  Mostly, everybody wants the feature set from pam_pwquality, and one particular customer has explicitly asked for a feature to reject duplicate sequences of a particular length.  Not all of the pam_pwquality features can be ported to FreeIPA, because some of them require having the current password in clear text.  The following list contains the features that need to be added (and can be added) to FreeIPA.

New Feature List

- Palindrome Checks (on/off) - password cannot be a palindrome. (pam_pwquality)
- Sequence Checks (length) - password cannot contain a monotonic sequence (1234, abcd, 4321, dcba) of the set length. (pam_pwquality)
- Sequence Sets (length) - password cannot contain duplicate monotonic sequences of the set length, e.g. ma123_123jF. (customer request)
- Consecutive Character Classes (length) - password cannot have more consecutive characters from the same class/category than the set length.  If set to 3, then this password is invalid: azd5555_f -> there are 4 consecutive digits, which exceeds the limit of 3. (pam_pwquality)
- Dictionary Check (on/off) - checks the password against CrackLib. (pam_pwquality)
    - An outstanding SELinux issue is blocking the dictionary check from working: https://Bugzilla.redhat.com/show_bug.cgi?id=1599726et
- Dictionary Path (string) - path to custom CrackLib dictionary files. (pam_pwquality)
- Bad Words (string) - space-separated list of words that are not allowed to appear in passwords. (pam_pwquality)
- User Attributes (string) - space-separated list of attributes whose values (tokens of values) are not allowed in the new password. (pam_pwquality)
    - This requires another setting (krbPwdMinTokenLength) that does not currently exist in FreeIPA.
- Minimum number of digits (length) - (pam_pwquality)
- Minimum number of alphas (length) - (pam_pwquality)
- Minimum number of special characters (length) - (pam_pwquality)
- Minimum number of 8-bit characters (length) - (pam_pwquality)
- Minimum number of uppercase (length) - (pam_pwquality)
- Minimum number of lowercase (length) - (pam_pwquality)
- Maximum repeated characters (length) - (pam_pwquality)


Current FreeIPA Password Policy Configuration:

    dn: cn=global_policy,cn=MARKFREE.COM,cn=kerberos,dc=markfree,dc=com
    objectClass: top
    objectClass: nsContainer
    objectClass: krbPwdPolicy
    krbMinPwdLife: 3600
    krbPwdMinDiffChars: 0
    krbPwdMinLength: 8
    krbPwdHistoryLength: 0
    krbMaxPwdLife: 7776000
    krbPwdMaxFailure: 6
    krbPwdFailureCountInterval: 60
    krbPwdLockoutDuration: 600
    cn: global_policy

New Attributes to add to objectclass "krbPwdPolicy":

    krbPwdPalindrome: on
    krbPwdMaxSequence: 4
    krbPwdMaxSeqSets: 2
    krbPwdMaxCharClass: 3
    krbPwdMinDigits: 1
    krbPwdMinAlphas: 1
    krbPwdMinSpecial: 1
    krbPwdMin8bit: 0
    krbPwdMinUppers: 1
    krbPwdMinLowers: 1
    krbPwdMaxRepeated: 3
    krbPwdDictCheck: on
    krbPwdDictPath: /path/to/custom/cracklib/dict/files
    krbPwdBadWords: redhat fedora
    krbPwdUserAttrs: uid cn sn givenname mail
    krbPwdMinTokenLength: 3

krbPwdMinTokenLength works only together with "krbPwdUserAttrs".  Example: if any 3 consecutive characters from "uid" (and friends) are in the new password then it is rejected.
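To pin down the semantics of the checks in the feature list and of the attributes above, here is a reference implementation of the syntax checks (palindrome, monotonic sequence, duplicate sequence sets, consecutive character classes, repeated characters, minimum class counts and the user-attribute token check). This is an added example written for this page, not code from 389 DS or the FreeIPA ipa-pwd-extop plugin: the `struct pwd_policy` fields, `sample_policy`, `sample_attrs` and the function names are assumptions; `krbPwdMaxSeqSets` is interpreted as the length of the monotonic sequence that may not appear twice; and the user-attribute token comparison is done case-insensitively, which the proposal does not specify. The dictionary, dictionary path and bad-words checks are left out because they depend on CrackLib.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>
#include <strings.h>

/* Mirrors the proposed krbPwdPolicy attributes; struct and field names are
 * assumptions made for this example, and a value of 0 disables a check. */
struct pwd_policy {
    bool palindrome;                  /* krbPwdPalindrome */
    int max_sequence;                 /* krbPwdMaxSequence */
    int seq_set_len;                  /* krbPwdMaxSeqSets, read here as the sequence length */
    int max_char_class, max_repeated; /* krbPwdMaxCharClass, krbPwdMaxRepeated */
    int min_digits, min_alphas, min_special, min_uppers, min_lowers;
    int min_token_length;             /* krbPwdMinTokenLength, used with krbPwdUserAttrs */
};
/* Character classes: 0 digit, 1 upper, 2 lower, 3 special or 8-bit. */
static int char_class(unsigned char c) { return isdigit(c) ? 0 : isupper(c) ? 1 : islower(c) ? 2 : 3; }
static int count_class(const char *pw, int cls) { int n = 0; for (; *pw; pw++) n += char_class(*pw) == cls; return n; }

bool is_palindrome(const char *pw)
{
    size_t n = strlen(pw);
    for (size_t i = 0; i < n / 2; i++) if (pw[i] != pw[n - 1 - i]) return false;
    return n > 0;
}

/* Longest run stepping by +1 or -1 in one direction ("1234", "dcba"). */
int longest_monotonic_run(const char *pw)
{
    size_t n = strlen(pw);
    int best = n ? 1 : 0, run = 1, dir = 0;
    for (size_t i = 1; i < n; i++) {
        int d = (unsigned char)pw[i] - (unsigned char)pw[i - 1];
        if (d != 1 && d != -1) { dir = 0; run = 1; }
        else if (d == dir)     { run++; }
        else                   { dir = d; run = 2; }
        if (run > best) best = run;
    }
    return best;
}

/* Longest run of identical characters (by_class=false) or of one class (true). */
int longest_run(const char *pw, bool by_class)
{
    size_t n = strlen(pw);
    int best = n ? 1 : 0, run = 1;
    for (size_t i = 1; i < n; i++) {
        bool same = by_class ? char_class(pw[i - 1]) == char_class(pw[i]) : pw[i - 1] == pw[i];
        run = same ? run + 1 : 1;
        if (run > best) best = run;
    }
    return best;
}
/* True if a monotonic sequence of exactly len characters occurs twice ("ma123_123jF"). */
bool has_duplicate_sequence(const char *pw, int len)
{
    size_t n = strlen(pw);
    if (len < 2 || (size_t)len > n) return false;
    for (size_t i = 0; i + len <= n; i++) {
        int dir = (unsigned char)pw[i + 1] - (unsigned char)pw[i], k = 2;
        if (dir != 1 && dir != -1) continue;
        while (k < len && (unsigned char)pw[i + k] - (unsigned char)pw[i + k - 1] == dir) k++;
        if (k < len) continue; /* window is not one monotonic sequence */
        for (size_t j = i + 1; j + len <= n; j++)
            if (memcmp(pw + i, pw + j, len) == 0) return true;
    }
    return false;
}
/* krbPwdUserAttrs + krbPwdMinTokenLength: no toklen consecutive characters of an
 * attribute value may appear in the password (case-insensitively: an assumption). */
bool contains_attr_token(const char *pw, const char *value, int toklen)
{
    size_t n = strlen(value), m = strlen(pw);
    if (toklen < 1 || (size_t)toklen > n || (size_t)toklen > m) return false;
    for (size_t i = 0; i + toklen <= n; i++)
        for (size_t j = 0; j + toklen <= m; j++)
            if (strncasecmp(value + i, pw + j, toklen) == 0) return true;
    return false;
}

/* NULL when pw passes, else the attribute name of the first violated rule. */
const char *check_pwd_policy(const struct pwd_policy *p, const char *pw,
                             const char *const *attr_values, size_t nvals)
{
    int uppers = count_class(pw, 1), lowers = count_class(pw, 2);
    if (p->palindrome && is_palindrome(pw)) return "krbPwdPalindrome";
    if (p->max_sequence && longest_monotonic_run(pw) > p->max_sequence) return "krbPwdMaxSequence";
    if (p->seq_set_len && has_duplicate_sequence(pw, p->seq_set_len)) return "krbPwdMaxSeqSets";
    if (p->max_char_class && longest_run(pw, true) > p->max_char_class) return "krbPwdMaxCharClass";
    if (p->max_repeated && longest_run(pw, false) > p->max_repeated) return "krbPwdMaxRepeated";
    if (count_class(pw, 0) < p->min_digits) return "krbPwdMinDigits";
    if (uppers + lowers < p->min_alphas) return "krbPwdMinAlphas";
    if (count_class(pw, 3) < p->min_special) return "krbPwdMinSpecial";
    if (uppers < p->min_uppers) return "krbPwdMinUppers";
    if (lowers < p->min_lowers) return "krbPwdMinLowers";
    for (size_t i = 0; p->min_token_length && i < nvals; i++)
        if (contains_attr_token(pw, attr_values[i], p->min_token_length)) return "krbPwdUserAttrs";
    return NULL;
}
/* Sample policy with the proposal's values, plus constructed uid/givenname/sn values standing in for a Slapi_Entry. */
const struct pwd_policy sample_policy = { true, 4, 2, 3, 3, 1, 1, 1, 1, 1, 3 };
const char *const sample_attrs[] = { "jsmith", "John", "Smith" };
```

`check_pwd_policy()` returns the name of the first violated attribute, which is what a caller in the password-change path would want to surface to the user. With `sample_policy` and the constructed attribute values, `"azd5555_f"` is rejected as `krbPwdMaxCharClass` (four consecutive digits against a limit of 3), `"ma123_123jF"` as `krbPwdMaxSeqSets`, `"Jsm1#Ab2"` as `krbPwdUserAttrs` (it contains three consecutive characters of the uid `jsmith`), and `"Ab1#Cd2$Ef3%"` is accepted. The checks run in a fixed order, so a password that breaks several rules reports only the first one; a production implementation would probably want to report all of them.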


Dictionary Checks require linking with CrackLib as follows:

    diff --git a/freeipa.spec.in b/freeipa.spec.in
    index 0ebc6df3e..ba573a00f 100755
    --- a/freeipa.spec.in
    +++ b/freeipa.spec.in
    @@ -148,6 +148,7 @@ BuildRequires:  libini_config-devel
     BuildRequires:  cyrus-sasl-devel
     %if ! %{ONLY_CLIENT}
     BuildRequires:  389-ds-base-devel >= %{ds_version}
    +BuildRequires:  cracklib-devel
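Review bot: cracklib-devel here is a build-time dependency only; the server package also needs a runtime Requires on cracklib (and on cracklib-dicts if krbPwdDictCheck is meant to work without a custom krbPwdDictPath), otherwise the plugin links at build time but an installed server has no dictionary to check against. Placing the BuildRequires under `%if ! %{ONLY_CLIENT}` is right, since only the server-side plugin needs it, but the util/Makefile.am hunk links -lcrack unconditionally, so the two should be made consistent.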

    diff --git a/util/Makefile.am b/util/Makefile.am
    index be40e8699..5c24be2b9 100644
    --- a/util/Makefile.am
    +++ b/util/Makefile.am
    @@ -14,3 +14,4 @@ libutil_la_SOURCES =  ipa_krb5.c \

     libutil_la_LIBADD = $(CRYPTO_LIBS) $(KRB5_LIBS) $(LDAP_LIBS) $(NSS_LIBS)
    +libutil_la_LDFLAGS = -lcrack
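Review bot: `libutil_la_LDFLAGS = -lcrack` hardcodes a library in LDFLAGS; a library belongs in `libutil_la_LIBADD` next to `$(CRYPTO_LIBS) $(KRB5_LIBS) $(LDAP_LIBS) $(NSS_LIBS)`, ideally as a `$(CRACK_LIBS)` variable filled in by a configure check (AC_CHECK_LIB or AC_SEARCH_LIBS for FascistCheck in libcrack), so that a missing cracklib-devel fails at configure time with a clear message rather than at link time. Also confirm that libutil is not built for `ONLY_CLIENT` builds, since the spec hunk only adds cracklib-devel for server builds and an unconditional -lcrack would break a client-only build.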

pam_pwquality is open source and has been ported to 389 Directory Server.  The changes in 389 DS can basically be copied and pasted into the FreeIPA source (around ipapwd_CheckPolicy() in daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c).  The major change here is that we need to provide the Slapi_Entry to ipapwd_CheckPolicy() so it can check the entry's attributes/values for the "User Attribute" comparison feature (I've actually already coded this in a beta patch).

FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines