[jboss-as7-dev] Relaxing password requirements for add-user script?

Andrig Miller anmiller at redhat.com
Thu Oct 11 10:09:42 EDT 2012



----- Original Message -----
> From: "Darran Lofthouse" <darran.lofthouse at jboss.com>
> To: "Andrig Miller" <anmiller at redhat.com>
> Cc: "Jason Greene" <jason.greene at redhat.com>, jboss-as7-dev at lists.jboss.org
> Sent: Thursday, October 11, 2012 3:01:57 AM
> Subject: Re: [jboss-as7-dev] Relaxing password requirements for add-user script?
> 
> Hi Andy,
> 
> It may be missing at the moment but this complexity check was
> supposed
> to have a modifiable policy file that the administrator could update
> to
> specify the rules they really want.  How would any auditors consider
> that?
> 

That, in my opinion, would be fine.  The only issue would be how you protect that policy file from being tampered with, but this is true of all configuration.

> To me the modifying of a policy to weaken it is a deliberate act by
> an
> administrator, that same administrator also has the capability to
> reconfigure the server to use BASIC authentication or store the
> passwords in plain text instead of pre-hashed.
> 
> However the --force option does feel too easy for someone to use and
> then forget they forced through a weak password just to get their
> production server online.
> 

Agreed.

Andy

> Regards,
> Darran Lofthouse.
> 
> 
> On 10/10/2012 08:29 PM, Andrig Miller wrote:
> > Not to my knowledge.  My point is, whenever you have these
> > allowances, you make the customer have to prove to the auditors
> > that you are not using them.
> >
> > Auditors love these kinds of things, because it gives them
> > something to poke into.  More billable hours ;-)
> >
> > Andy
> >
> > ----- Original Message -----
> >> From: "Jason Greene" <jason.greene at redhat.com>
> >> To: "Brian Stansberry" <brian.stansberry at redhat.com>
> >> Cc: jboss-as7-dev at lists.jboss.org
> >> Sent: Wednesday, October 10, 2012 1:22:32 PM
> >> Subject: Re: [jboss-as7-dev] Relaxing password requirements for
> >> add-user script?
> >>
> >> As someone mentioned earlier RHEL lets you set a bad password (if
> >> you
> >> agree to it). Is there a special compliance distro of RHEL?
> >> On Oct 10, 2012, at 12:45 PM, Brian Stansberry
> >> <brian.stansberry at redhat.com> wrote:
> >>
> >>> Interesting. This enforcing of password rules is new in AS
> >>> master;
> >>> AFAIK
> >>> we've never had this kind of thing before.
> >>>
> >>> On 10/10/12 12:19 PM, Andrig Miller wrote:
> >>>> We might run afoul of PCI and SOX requirements for customers
> >>>> with
> >>>> that kind of option.
> >>>>
> >>>> Personally, I think just having some text that says the password
> >>>> requirements when you create a user, to make it more usable is
> >>>> what we should do, and not relax the requirements.
> >>>>
> >>>> Andy
> >>>>
> >>>> ----- Original Message -----
> >>>>> From: "Jason Greene" <jason.greene at redhat.com>
> >>>>> To: "Darran Lofthouse" <darran.lofthouse at jboss.com>
> >>>>> Cc: jboss-as7-dev at lists.jboss.org
> >>>>> Sent: Wednesday, October 10, 2012 7:46:54 AM
> >>>>> Subject: Re: [jboss-as7-dev] Relaxing password requirements for
> >>>>> add-user script?
> >>>>>
> >>>>> Maybe we should allow a --force option, which bypasses that
> >>>>> stuff?
> >>>>>
> >>>>> On Oct 10, 2012, at 4:49 AM, Darran Lofthouse
> >>>>> <darran.lofthouse at jboss.com> wrote:
> >>>>>
> >>>>>> Agreed, a prompt would help so a feature request would be
> >>>>>> welcome.
> >>>>>>
> >>>>>> This will be an interesting contributor task I think as we
> >>>>>> would
> >>>>>> need to
> >>>>>> be mapping between the configured policy and appropriate log
> >>>>>> messages.
> >>>>>>
> >>>>>> Regards,
> >>>>>> Darran Lofthouse.
> >>>>>>
> >>>>>>
> >>>>>> On 10/10/2012 09:02 AM, Stuart Douglas wrote:
> >>>>>>> Also, at the very least this should tell you the requirements
> >>>>>>> before you
> >>>>>>> have to go through the trial and error process to figure out
> >>>>>>> what
> >>>>>>> they are.
> >>>>>>>
> >>>>>>> Stuart
> >>>>>>>
> >>>>>>> Jaikiran Pai wrote:
> >>>>>>>> I think it's been a while since I used the add-user script
> >>>>>>>> to
> >>>>>>>> add
> >>>>>>>> application users. Turns out the password for the new user
> >>>>>>>> is
> >>>>>>>> now
> >>>>>>>> checked for strength and the rules are a bit annoying [1],
> >>>>>>>> at
> >>>>>>>> least for
> >>>>>>>> me. As a developer, I just want to test a scenario for EJB
> >>>>>>>> invocations.
> >>>>>>>> I tried using "test" as a password and it failed with "too
> >>>>>>>> few
> >>>>>>>> characters". Then I tried "test12345" failed again with
> >>>>>>>> "your
> >>>>>>>> password
> >>>>>>>> should have combination of upper case, lower case, ...". I
> >>>>>>>> never
> >>>>>>>> have
> >>>>>>>> understood this specific requirement of passwords being
> >>>>>>>> forced
> >>>>>>>> to
> >>>>>>>> be of
> >>>>>>>> certain type (many sites do it). So, would it be possible to
> >>>>>>>> somehow
> >>>>>>>> relax this requirement?
> >>>>>>>>
> >>>>>>>> I'm not a security expert, but is this "your password has to
> >>>>>>>> have
> >>>>>>>> upper
> >>>>>>>> case, lower case, digit, special char" requirement really
> >>>>>>>> worth
> >>>>>>>> it in a
> >>>>>>>> real application?
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> [1]
> >>>>>>>> https://issues.jboss.org/browse/AS7-2756?focusedCommentId=12653165&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-12653165
> >>>>>>>>
> >>>>>>>> -Jaikiran
> >>>>>>>> _______________________________________________
> >>>>>>>> jboss-as7-dev mailing list
> >>>>>>>> jboss-as7-dev at lists.jboss.org
> >>>>>>>> https://lists.jboss.org/mailman/listinfo/jboss-as7-dev
> >>>>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>
> >>>
> >>>
> >>> --
> >>> Brian Stansberry
> >>> Principal Software Engineer
> >>> JBoss by Red Hat
> >>
> >>
> >>
> >
> 
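The rule listing Stuart and Jaikiran ask for, together with the administrator-editable policy Darran describes, as an added Python example that is not the add-user script's own code. The PasswordPolicy shape, the rule labels, the forbidden-password list and the "weakened rules" report are all assumptions made for the example.

```python
# Constructed example (not add-user's own code): a policy-driven check that lists its rules up front
from dataclasses import dataclass
import string

@dataclass(frozen=True)
class PasswordPolicy:
    """Assumed policy shape; the real add-user policy file format is not on the page."""
    min_length: int = 8
    min_upper: int = 1
    min_lower: int = 1
    min_digits: int = 1
    min_special: int = 1
    forbidden: frozenset = frozenset({"password", "admin", "test"})

# (label, policy attribute, character class) for the per-class minimums
CLASS_RULES = (
    ("upper-case", "min_upper", frozenset(string.ascii_uppercase)),
    ("lower-case", "min_lower", frozenset(string.ascii_lowercase)),
    ("digit", "min_digits", frozenset(string.digits)),
    ("special", "min_special", frozenset(string.punctuation)),
)

def requirements(policy: PasswordPolicy) -> list:
    """Rules to print before prompting, so nobody has to discover them by trial and error."""
    rules = [f"at least {policy.min_length} characters"]
    for label, attr, _ in CLASS_RULES:
        minimum = getattr(policy, attr)
        if minimum > 0:
            rules.append(f"at least {minimum} {label} character(s)")
    return rules

def violations(password: str, policy: PasswordPolicy) -> list:
    """Every rule the candidate fails, not just the first, so one message covers them all."""
    failed = []
    if len(password) < policy.min_length:
        failed.append(f"too few characters (need {policy.min_length}, got {len(password)})")
    for label, attr, chars in CLASS_RULES:
        minimum = getattr(policy, attr)
        count = sum(1 for c in password if c in chars)
        if count < minimum:
            failed.append(f"needs {minimum} {label} character(s), found {count}")
    if password.lower() in policy.forbidden:
        failed.append("is on the forbidden-password list")
    return failed

def weakened_rules(policy: PasswordPolicy, baseline: PasswordPolicy = PasswordPolicy()) -> list:
    """Minimums loosened relative to the baseline: log these when the policy file is loaded,
    so a deliberately relaxed policy stays visible instead of being forgotten like a --force."""
    return [attr for attr in ("min_length", "min_upper", "min_lower", "min_digits", "min_special")
            if getattr(policy, attr) < getattr(baseline, attr)]
```

Print `requirements(policy)` before the password prompt and `violations(candidate, policy)` after a rejected attempt; `weakened_rules` gives the startup log line that makes a relaxed policy auditable.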

