URL: https://github.com/freeipa/freeipa/pull/443 Author: stlaz Title: #443: Stronger check for DM password during server install Action: opened
PR body: """ The DM password is used as an NSS database password during server installation, therefore it must comply with the NSS database password requirements in FIPS mode. https://fedorahosted.org/freeipa/ticket/5695 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/443/head:pr443 git checkout pr443
From 05a7a6c92a8360bd33e843619e789003735abc3f Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Mon, 12 Dec 2016 16:58:27 +0100
Subject: [PATCH] Stronger check for DM password during server install

https://fedorahosted.org/freeipa/ticket/5695
---
 ipaserver/install/server/install.py | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index ef943f7..9ecbd01 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -54,6 +54,22 @@ SYSRESTORE_DIR_PATH = paths.SYSRESTORE
+def check_password_fips_nssdb_compatible(password):
+    """
+    Check whether the given password can be used for NSSDB setup in FIPS mode
+    """
+    gotnumeric = any(c.isdigit() for c in password[:-1])
+    gotupper = any(c.isupper() for c in password[1:])
+    gotlower = any(c.islower() for c in password)
+    gotspecial = password.isalnum()
+    classes = sum([gotnumeric, gotupper, gotlower, gotspecial])
+    if classes < 3:
+        raise ValueError("Password must contain at least one character "
+                         "from each of three out of these four character "
+                         "classes: numeric, uppercase letters, lowercase "
+                         "letters and special symbols.")
+
+
 def validate_dm_password(password):
     if len(password) < 8:
         raise ValueError("Password must be at least 8 characters long")
@@ -78,6 +94,11 @@ def validate_dm_password(password):
     if password.strip() != password:
         raise ValueError('Password must not start or end with whitespace.')
+    # DM password is used somewhere during install to set up an NSS database
+    # therefore it must comply to NSS in FIPS password requirements
+    if tasks.is_fips_enabled():
+        check_password_fips_nssdb_compatible(password)
+
 def validate_admin_password(password):
     if len(password) < 8:
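Review bot: The special-character class in check_password_fips_nssdb_compatible is inverted: `gotspecial = password.isalnum()` is True exactly when the password contains no special symbol, so a password with a symbol loses that class and one without it gains it; the line should read `gotspecial = not password.isalnum()`. As written, a password such as `Abcdefg1!` (constructed example) counts only lowercase and upper, since the leading uppercase and trailing digit are excluded by the slices, and is rejected, while an all-alphanumeric one can pass. The `password[1:]` and `password[:-1]` slices presumably mirror the NSS rule that a leading uppercase letter and a trailing digit do not count toward the class total — that intent deserves a one-line comment on each slice, and the docstring should state that three of the four classes are required. Note also that `str.isdigit`/`str.isupper`/`str.islower` accept non-ASCII characters, so a password accepted here might still be refused by NSS if its check is ASCII-only; worth confirming against the NSS source before relying on this pre-check.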
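Review bot: The comment above the new FIPS branch in validate_dm_password says the password is used "somewhere" during install, which leaves the next maintainer to rediscover why the extra check exists; the PR description is more precise, so the comment should carry that instead: `# The DM password is also used as the NSS database password during server install, so in FIPS mode it must satisfy the NSS FIPS password rules.` The body of validate_dm_password starts outside this hunk, so the earlier checks it runs before reaching this branch are not visible here.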