Thanks for this topic. I also think it is a similar situation when
talking about Keystone users, not only the instances' password.
On 2015/6/3 17:48, 郑振宇 wrote:
Hi All,
The current OpenStack does not provide a user password complexity
verification option.
When performing actions such as creating instances, evacuating instances,
rebuilding instances, rescuing instances and updating instances' admin
password, the complexity of the user-provided admin password is not
verified. This can cause security problems.
One solution would be adding a configuration option:
using_complex_admin_password = True. If this option is set in the
configuration file by the administrator, then Nova will perform password
complexity checks; the check standard can be set to follow the general IT
industry standard. If the provided admin password is not
complex enough, an exception will be thrown. If this option is not set
in the configuration file, then the complexity check will be skipped.
When the user does not provide an admin password, generate_password() in
utils.py is used to generate an admin password. generate_password()
now uses two password symbol groups: default and easier. The default
symbol group contains numbers, upper case letters and lower case
letters; the easier symbol group contains only numbers and upper case
letters. The generated password is not complex enough and can also
cause security problems.
One possible solution is to add a new symbol group:
STRONGER_PASSWORD_SYMBOLS, which contains numbers, upper case letters,
lower case letters and also special characters such as
`~!@#$%^&*()-_=+ and space. Then add a new option in the configuration
file: generate_strong_password = True. When this option is set, Nova
will generate the password using the STRONGER_PASSWORD_SYMBOLS symbol group
and with a longer password length. If this option is not set, the
password will be generated using the default symbol group and default
length.
AWS allows the selection of password policy to configure which kind of
password complexity is used in the cloud. Please see:
http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_ManagingPasswordPolicies.html
And about the standard of complexity, Microsoft also has advice
about it, please see:
https://technet.microsoft.com/en-us/library/hh994562%28v=ws.10%29.aspx
Thanks,
BR,
Zhenyu Zheng
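As an added example, not Nova's code and not part of this thread: a Python sketch of both proposals above, the generate_strong_password symbol-group switch for generated passwords and the using_complex_admin_password check for user-supplied ones. The CONF dict stands in for nova.conf, and the two length values and the complexity thresholds are assumptions.

```python
import secrets
import string

# Symbol groups following the proposal; constructed here, not Nova's own
# constants. The default/easier groups drop 0, 1, I, O and l so a password
# read from a console has no look-alike characters.
DEFAULT_PASSWORD_SYMBOLS = ("23456789", "ABCDEFGHJKLMNPQRSTUVWXYZ",
                            "abcdefghijkmnopqrstuvwxyz")
EASIER_PASSWORD_SYMBOLS = ("23456789", "ABCDEFGHJKLMNPQRSTUVWXYZ")
STRONGER_PASSWORD_SYMBOLS = (string.digits, string.ascii_uppercase,
                             string.ascii_lowercase, "`~!@#$%^&*()-_=+ ")

# Stand-in for nova.conf: the boolean option names are the ones proposed in
# the mail, the two lengths are assumptions.
CONF = {"password_length": 12, "strong_password_length": 20,
        "generate_strong_password": True,
        "using_complex_admin_password": True}

def generate_password(length, symbolgroups=DEFAULT_PASSWORD_SYMBOLS):
    """Draw one symbol from every group, fill up to length, shuffle (CSPRNG)."""
    rng = secrets.SystemRandom()
    password = [rng.choice(group) for group in symbolgroups]
    rng.shuffle(password)            # random subset if length < len(groups)
    password = password[:length]
    symbols = "".join(symbolgroups)
    password.extend(rng.choice(symbols) for _ in range(length - len(password)))
    rng.shuffle(password)            # leading chars must not betray their group
    return "".join(password)

def generate_admin_password(conf=CONF):
    """Pick group and length as the proposed generate_strong_password option would."""
    if conf["generate_strong_password"]:
        return generate_password(conf["strong_password_length"],
                                 STRONGER_PASSWORD_SYMBOLS)
    return generate_password(conf["password_length"])

def check_admin_password_complexity(password, conf=CONF, min_length=8,
                                    min_classes=3):
    """Return policy violations (empty list = acceptable); skipped when the
    option is off, as the mail proposes. The policy itself (min length, at
    least min_classes of the four STRONGER groups) is an assumption."""
    if not conf["using_complex_admin_password"]:
        return []
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    classes = sum(any(c in g for c in password) for g in STRONGER_PASSWORD_SYMBOLS)
    if classes < min_classes:
        problems.append("only %d character classes, need %d" % (classes, min_classes))
    return problems
```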
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev