Hi Andy,
It may be missing at the moment but this complexity check was supposed
to have a modifiable policy file that the administrator could update to
specify the rules they really want. How would any auditors consider that?
To me the modifying of a policy to weaken it is a deliberate act by an
administrator, that same administrator also has the capability to
reconfigure the server to use BASIC authentication or store the
passwords in plain text instead of pre-hashed.
However the --force option does feel too easy for someone to use and
then forget they forced through a weak password just to get their
production server online.
Regards,
Darran Lofthouse.
On 10/10/2012 08:29 PM, Andrig Miller wrote:
Not to my knowledge. My point, is whenever you give have these
allowances, you make the customer have to prove to the auditors that you are not using
them.
Auditors love these kinds of things, because it gives them something to poke into. More
billable hours ;-)
Andy
----- Original Message -----
> From: "Jason Greene" <jason.greene(a)redhat.com>
> To: "Brian Stansberry" <brian.stansberry(a)redhat.com>
> Cc: jboss-as7-dev(a)lists.jboss.org
> Sent: Wednesday, October 10, 2012 1:22:32 PM
> Subject: Re: [jboss-as7-dev] Relaxing password requirements for add-user script?
>
> As someone mentioned earlier RHEL lets you set a bad password (if you
> agree to it). Is there a special compliance distro of RHEL?
> On Oct 10, 2012, at 12:45 PM, Brian Stansberry
> <brian.stansberry(a)redhat.com> wrote:
>
>> Interesting. This enforcing of password rules is new in AS master;
>> AFAIK
>> we've never had this kind of thing before.
>>
>> On 10/10/12 12:19 PM, Andrig Miller wrote:
>>> We might run afoul of PCI and SOX requirements for customers with
>>> that kind of option.
>>>
>>> Personally, I think just having some text that says the password
>>> requirements when you create a user, to make it more usable is
>>> what we should do, and not relax the requirements.
>>>
>>> Andy
>>>
>>> ----- Original Message -----
>>>> From: "Jason Greene" <jason.greene(a)redhat.com>
>>>> To: "Darran Lofthouse" <darran.lofthouse(a)jboss.com>
>>>> Cc: jboss-as7-dev(a)lists.jboss.org
>>>> Sent: Wednesday, October 10, 2012 7:46:54 AM
>>>> Subject: Re: [jboss-as7-dev] Relaxing password requirements for
>>>> add-user script?
>>>>
>>>> Maybe we should allow a --force option, which bypasses that
>>>> stuff?
>>>>
>>>> On Oct 10, 2012, at 4:49 AM, Darran Lofthouse
>>>> <darran.lofthouse(a)jboss.com> wrote:
>>>>
>>>>> Agreed, a prompt would help so a feature request would be
>>>>> welcome.
>>>>>
>>>>> This will be an interesting contributor task I think as we would
>>>>> need to
>>>>> be mapping between the configured policy and appropriate log
>>>>> messages.
>>>>>
>>>>> Regards,
>>>>> Darran Lofthouse.
>>>>>
>>>>>
>>>>> On 10/10/2012 09:02 AM, Stuart Douglas wrote:
>>>>>> Also, at the very least this should tell you the requirements
>>>>>> before you
>>>>>> have to go through the trial and error process to figure out
>>>>>> what
>>>>>> they are.
>>>>>>
>>>>>> Stuart
>>>>>>
>>>>>> Jaikiran Pai wrote:
>>>>>>> I think it's been a while since I used the add-user
script to
>>>>>>> add
>>>>>>> application users. Turns out the password for the new user
is
>>>>>>> now
>>>>>>> checked for strength and the rules are a bit annoying [1],
at
>>>>>>> least for
>>>>>>> me. As a developer, I just want to test a scenario for EJB
>>>>>>> invocations.
>>>>>>> I tried using "test" as a password and it failed
with "too few
>>>>>>> characters". Then I tried "test12345" failed
again with "your
>>>>>>> password
>>>>>>> should have combination of upper case, lower case, ...".
I
>>>>>>> never
>>>>>>> have
>>>>>>> understood this specific requirement of passwords being
forced
>>>>>>> to
>>>>>>> be of
>>>>>>> certain type (many sites do it). So, would it be possible to
>>>>>>> somehow
>>>>>>> relax this requirement?
>>>>>>>
>>>>>>> I'm not a security expert, but is this "your
password has to
>>>>>>> have
>>>>>>> upper
>>>>>>> case, lower case, digit, special char" requirement
really
>>>>>>> worth
>>>>>>> it in a
>>>>>>> real application?
>>>>>>>
>>>>>>>
>>>>>>> [1]
>>>>>>>
https://issues.jboss.org/browse/AS7-2756?focusedCommentId=12653165&pa...
>>>>>>>
>>>>>>> -Jaikiran
>>>>>>> _______________________________________________
>>>>>>> jboss-as7-dev mailing list
>>>>>>> jboss-as7-dev(a)lists.jboss.org
>>>>>>>
https://lists.jboss.org/mailman/listinfo/jboss-as7-dev
>>>>>> _______________________________________________
>>>>>> jboss-as7-dev mailing list
>>>>>> jboss-as7-dev(a)lists.jboss.org
>>>>>>
https://lists.jboss.org/mailman/listinfo/jboss-as7-dev
>>>>>>
>>>>> _______________________________________________
>>>>> jboss-as7-dev mailing list
>>>>> jboss-as7-dev(a)lists.jboss.org
>>>>>
https://lists.jboss.org/mailman/listinfo/jboss-as7-dev
>>>>
>>>>
>>>> _______________________________________________
>>>> jboss-as7-dev mailing list
>>>> jboss-as7-dev(a)lists.jboss.org
>>>>
https://lists.jboss.org/mailman/listinfo/jboss-as7-dev
>>>>
>>> _______________________________________________
>>> jboss-as7-dev mailing list
>>> jboss-as7-dev(a)lists.jboss.org
>>>
https://lists.jboss.org/mailman/listinfo/jboss-as7-dev
>>>
>>
>>
>> --
>> Brian Stansberry
>> Principal Software Engineer
>> JBoss by Red Hat
>> _______________________________________________
>> jboss-as7-dev mailing list
>> jboss-as7-dev(a)lists.jboss.org
>>
https://lists.jboss.org/mailman/listinfo/jboss-as7-dev
>
>
> _______________________________________________
> jboss-as7-dev mailing list
> jboss-as7-dev(a)lists.jboss.org
>
https://lists.jboss.org/mailman/listinfo/jboss-as7-dev
>
_______________________________________________
jboss-as7-dev mailing list
jboss-as7-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/jboss-as7-dev