URL: https://github.com/freeipa/freeipa/pull/443
Author: stlaz
 Title: #443: Stronger check for DM password during server install
Action: synchronized

From 70d790cc12020a852e1c67c72bb434770ed5cd16 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Mon, 12 Dec 2016 16:58:27 +0100
Subject: [PATCH] Stronger check for DM password during server install

https://fedorahosted.org/freeipa/ticket/5695
---
 ipaserver/install/server/install.py | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index ef943f7..2b0893e 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -54,6 +54,22 @@
 SYSRESTORE_DIR_PATH = paths.SYSRESTORE
 
 
+def check_password_fips_nssdb_compatible(password):
+    """
+    Check whether the given password can be used for NSSDB setup in FIPS mode
+    """
+    gotnumeric = any(c.isdigit() for c in password[:-1])
+    gotupper = any(c.isupper() for c in password[1:])
+    gotlower = any(c.islower() for c in password)
+    gotspecial = not password.isalnum()
+    classes = sum([gotnumeric, gotupper, gotlower, gotspecial])
+    if classes < 3:
+        raise ValueError("Password must contain at least one character "
+                         "from each of three out of these four character "
+                         "classes: numeric, uppercase letters, lowercase "
+                         "letters and special symbols.")
+
+
 def validate_dm_password(password):
     if len(password) < 8:
         raise ValueError("Password must be at least 8 characters long")
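Review bot: The character-class test in check_password_fips_nssdb_compatible uses the Unicode-aware str methods (`isdigit`, `isupper`, `islower`, `isalnum`), while NSS, as far as I can tell, classifies the UTF-8 bytes of the password with C-locale ctype, so any non-ASCII byte lands in its "special" bucket; the two can disagree in both directions, and in the worst case a password this check accepts (e.g. one whose only uppercase or digit is a non-ASCII character) is still rejected by NSS, which is the mid-install failure the change is meant to prevent. Restricting the classification to ASCII ranges makes the pre-check at least as strict as NSS, which seems the safer side for an install-time gate. Separately, the `password[:-1]` and `password[1:]` slices are deliberate but unexplained; I would extend the docstring with `A leading uppercase letter and a trailing digit do not count toward a class, mirroring the rule NSS applies to FIPS-mode NSSDB passwords`, and since the ValueError text never mentions FIPS, consider prefixing it with `In FIPS mode, the password must ...` so the user understands why an otherwise acceptable password is refused.
```python
def check_password_fips_nssdb_compatible(password):
    # … unchanged: docstring …
    gotnumeric = any('0' <= c <= '9' for c in password[:-1])
    gotupper = any('A' <= c <= 'Z' for c in password[1:])
    gotlower = any('a' <= c <= 'z' for c in password)
    # anything outside ASCII letters/digits (including non-ASCII letters) is "special"
    gotspecial = any(not ('0' <= c <= '9' or 'A' <= c <= 'Z' or 'a' <= c <= 'z')
                     for c in password)
    # … unchanged: class count and ValueError …
```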
@@ -78,6 +94,11 @@ def validate_dm_password(password):
     if password.strip() != password:
         raise ValueError('Password must not start or end with whitespace.')
 
+    # DM password is used somewhere during install to set up an NSS database
+    # therefore it must comply to NSS in FIPS password requirements
+    if tasks.is_fips_enabled():
+        check_password_fips_nssdb_compatible(password)
+
 
 def validate_admin_password(password):
     if len(password) < 8:
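Review bot: The comment above the new `tasks.is_fips_enabled()` call says the DM password is used "somewhere during install" to set up an NSS database, which is too vague for the next maintainer to know when this gate may be relaxed or must be widened; it should name the step that reuses the password as an NSSDB password. I would replace the two comment lines with `# The DM password is reused as the password of an NSS database created later in the install (see <the step that does it>); in FIPS mode NSS enforces its own` / `# password policy, so reject an incompatible password here rather than fail half-way through.` Also worth noting in that comment that the check reflects the FIPS state of the host at validation time only; if the installer can be pointed at a password validated elsewhere (e.g. a replica or a later tool that creates NSS databases), that path presumably needs the same check. validate_dm_password begins outside this hunk.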
-- 