https://bugzilla.wikimedia.org/show_bug.cgi?id=61101
Ryan (Rjd0060) changed:
What|Removed |Added
Status|NEW |RESOLVED
Resolution|---
https://bugzilla.wikimedia.org/show_bug.cgi?id=61101
--- Comment #12 from Andreas F. Borchert ---
I would like to second Neozoon in his comment above.
The logins of the OTRS admins are well known. This discussion is in the public.
To set PasswordMaxLoginFailed is an open invitation for the next
https://bugzilla.wikimedia.org/show_bug.cgi?id=61101
--- Comment #11 from Andreas F. Borchert ---
I am not convinced that security is improved by setting
PasswordMaxValidTimeInDays to low values as suggested, i.e. 180 days.
Frequently enforced password changes force people to write their password
https://bugzilla.wikimedia.org/show_bug.cgi?id=61101
Neozoon changed:
What|Removed |Added
CC||neoz...@gmx.net
--- Comment #10 from Neozoon
https://bugzilla.wikimedia.org/show_bug.cgi?id=61101
--- Comment #9 from Jeff Green ---
Regarding PasswordMaxLoginFailed I squinted at code and config and the feature
does not appear to pay any attention to client host. I'm not sure whether
that's good or bad--if it were host-specific it would be
https://bugzilla.wikimedia.org/show_bug.cgi?id=61101
--- Comment #8 from Patrik ---
While I like the idea of PasswordMaxLoginFailed in principle (because you can
currently make endless attempts to crack an account), I see a problem with it
here. (To my dislike) the list of login names is publishe
https://bugzilla.wikimedia.org/show_bug.cgi?id=61101
--- Comment #7 from Emufarmers ---
To clarify, simply disabling accounts after x invalid logins presents a clear
DoS vector. Anything like this needs to be done on a per-hostname basis.
See https://bugzilla.wikimedia.org/show_bug.cgi?id=9816#
https://bugzilla.wikimedia.org/show_bug.cgi?id=61101
Emufarmers changed:
What|Removed |Added
CC||emufarm...@gmail.com
--- Comment #6 from
https://bugzilla.wikimedia.org/show_bug.cgi?id=61101
--- Comment #5 from Ryan (Rjd0060) ---
Sounds good to me. Is 5 a bit high for 'PasswordMaxLoginFailed'? I'd feel
better around...3. 4 if you insist. But that's just me.
--
You are receiving this mail because:
You are the assignee for the
https://bugzilla.wikimedia.org/show_bug.cgi?id=61101
--- Comment #4 from Jeff Green ---
There are some
configuration options to decide on. Here are the basics:
Enforce a password renewal after X (configurable) days.
Password-History to use the password X (configurable) times not to use again
https://bugzilla.wikimedia.org/show_bug.cgi?id=61101
Bug 61101 depends on bug 60271, which changed state.
Bug 60271 Summary: Upgrade OTRS to the latest 3.2.x version
https://bugzilla.wikimedia.org/show_bug.cgi?id=60271
What|Removed |Added
https://bugzilla.wikimedia.org/show_bug.cgi?id=61101
--- Comment #3 from Jeff Green ---
My vote is to keep OTRS as a standalone and use the Znuny4OTRS Password Policy
package.
https://bugzilla.wikimedia.org/show_bug.cgi?id=61101
Andre Klapper changed:
What|Removed |Added
Priority|Unprioritized |Normal
Severity|normal
https://bugzilla.wikimedia.org/show_bug.cgi?id=61101
p858snake changed:
What|Removed |Added
CC||p858sn...@gmail.com
--- Comment #2 from p8
https://bugzilla.wikimedia.org/show_bug.cgi?id=61101
Martin Edenhofer changed:
What|Removed |Added
CC||m...@znuny.com
--- Comment #1 from