[Freeipa-users] Password Complexity Requirements Seems Insufficient

Rob Crittenden rcritten at redhat.com
Thu Oct 13 14:31:03 UTC 2016


Ernedin Zajko wrote:
> Hi Anton,
>
> maybe you can "talk" directly to ds:
> http://directory.fedoraproject.org/docs/389ds/FAQ/password-syntax.html
> regards,

That won't work. IPA re-implements password policy because it is baked 
into 389-ds and not pluggable or extensible.

There are some open tickets for enhancing IPA password policies but 
other features have taken precedence thus far:

https://fedorahosted.org/freeipa/ticket/2445
https://fedorahosted.org/freeipa/ticket/5948

rob

>
> --- Ernedin ZAJKO
>   ezajko at root.ba
>
>> 340282366920938463463374607431768211456
>
>
>
> On Thu, Oct 13, 2016 at 1:53 AM, Anon Lister <listeranon at gmail.com> wrote:
>> Unfortunately, policy and regulation often lag behind current theory by
>> several decades. For what it's worth, I'd second being able to set more
>> complicated policies as a useful feature.
>>
>>
>> On Oct 12, 2016 6:38 PM, "Simpson Lachlan" <Lachlan.Simpson at petermac.org>
>> wrote:
>>>
>>>> -----Original Message-----
>>>> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-
>>>> bounces at redhat.com] On Behalf Of Bennett, Chip
>>>> Sent: Thursday, 13 October 2016 7:21 AM
>>>> To: Florence Blanc-Renaud; freeipa-users at redhat.com
>>>> Subject: Re: [Freeipa-users] Password Complexity Requirements Seems
>>>> Insufficient
>>>>
>>>> Flo,
>>>>
>>>> Thanks for getting back to me. I had seen this in the documentation.
>>>> I was just hoping that I was missing something. I guess I'm just surprised
>>>> that a product designed to manage authentication wouldn't have a way to be
>>>> more specific in the complexity requirements.
>>>
>>> I don't know. Those types of complexity requirements are multifaceted,
>>> complex and somewhat arbitrary. Given that each then requires a regex, I'm
>>> quite happy that the devs focus on getting other aspects of FreeIPA to work
>>> over password complexity.
>>>
>>> As xkcd noted a couple of years ago, password length is better for
>>> security than anything else.
>>>
>>> Complex arrangements of different character classes are neither human- nor
>>> UX-friendly, nor where contemporary security theory is focused - try 2FA,
>>> public/private keys, etc. While I understand that large organisations have
>>> policy that often drags well behind contemporary theory, I don't think it's
>>> fair to expect software to also allow for that.
>>>
>>> Cheers
>>> L.
>>>
>>>>
>>>> Thanks again!
>>>> Chip
>>>>
>>>> -----Original Message-----
>>>> From: Florence Blanc-Renaud [mailto:flo at redhat.com]
>>>> Sent: Wednesday, October 12, 2016 3:18 PM
>>>> To: Bennett, Chip <cbennett at ftdi.com>; freeipa-users at redhat.com
>>>> Subject: Re: [Freeipa-users] Password Complexity Requirements Seems
>>>> Insufficient
>>>>
>>>> On 10/11/2016 07:36 PM, Bennett, Chip wrote:
>>>>> I just joined this list, so if this question has been asked before
>>>>> (and I'll bet it has), I apologize in advance.
>>>>>
>>>>>
>>>>>
>>>>> A Google search was unrevealing, so I'm asking here: we're running
>>>>> FreeIPA Version 3.0.0 on CentOS 6.6.   It looks like the password
>>>>> complexity requirements are limited to setting the number of character
>>>>> classes to require, i.e. setting it to "2" would require your new
>>>>> password to be any two of the character classes.
>>>>>
>>>>>
>>>>>
>>>>> What if you wanted new passwords to meet specific class requirements,
>>>>> i.e. a mix of UC, LC, and numbers. It looks like you would use a
>>>>> value of "3" to accomplish this, but that would also allow UC, LC, and
>>>>> special, or LC, numbers, and special, but you don't want to allow
>>>>> those: how would you specify that?
>>>>>
>>>> Hi,
>>>>
>>>> as far as I know, it is only possible to specify the number of different
>>>> character classes. The doc chapter "Creating Password Policies in the Web UI" [1]
>>>> describes the following:
>>>> ---
>>>> Character classes sets the number of different categories of character
>>>> that must be used in the password. This does not set which classes must be
>>>> used; it sets the number of different (unspecified) classes which must be
>>>> used in a password. For example, a character class can be a number, special
>>>> character, or capital; the complete list of categories is in Table 22.1,
>>>> "Password Policy Settings". This is part of setting the complexity
>>>> requirements.
>>>> ---
>>>>
>>>> hope this clarifies,
>>>> Flo
>>>>
>>>> [1]
>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/Setting_Different_Password_Policies_for_Different_User_Groups.html#creating-group-policy-ui
>>>>
>>>>>
>>>>>
>>>>> Also, what if you had a requirement for more than one of the character
>>>>> classes, i.e. you want to require two UC characters or two special
>>>>> characters?
>>>>>
>>>>>
>>>>>
>>>>> Thanks in advance for the help,
>>>>>
>>>>> Chip Bennett
>>>>>
>>>>>
>>>>>
>>>>
>>>> --
>>>> Manage your subscription for the Freeipa-users mailing list:
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> Go to http://freeipa.org for more info on the project
>
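As an added illustration, not code from the thread or from FreeIPA itself, the following Python models the two policy semantics the thread contrasts: the "number of character classes" rule exactly as the quoted documentation describes it (any N distinct classes satisfy it), and the "specific required classes" and "at least N characters of one class" rules Chip asks for. The class set (upper, lower, digit, special) is an assumption; the page only names numbers, special characters and capitals, and the full list lives in a table that is not on the page.

```python
import string

# Character classes assumed for this illustration: the thread names numbers,
# special characters and capitals, but the complete FreeIPA list (Table 22.1
# in the quoted docs) is not on the page.
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def classes_present(password):
    """Names of the classes that occur at least once in the password."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}


def meets_class_count(password, min_classes):
    """The rule the quoted docs describe: any min_classes distinct classes
    satisfy the policy; which ones they are is not specified."""
    return len(classes_present(password)) >= min_classes


def meets_required_classes(password, required):
    """Chip's first ask: every named class must appear."""
    return set(required) <= classes_present(password)


def meets_min_per_class(password, minimums):
    """Chip's second ask: at least minimums[name] characters of each class."""
    return all(sum(c in CLASSES[name] for c in password) >= n
               for name, n in minimums.items())


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials. "Password!" passes
    # a class count of 3 yet has no digit, which is exactly the gap raised.
    for pw in ("Passw0rd", "Password!", "PAssword1"):
        print(pw, sorted(classes_present(pw)),
              "classes>=3:", meets_class_count(pw, 3),
              "UC+LC+digit:", meets_required_classes(pw, ("upper", "lower", "digit")),
              "2 UC:", meets_min_per_class(pw, {"upper": 2}))
```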