Univention Bugzilla – Bug 51994
univention.password.Check doesn't support configuration of standard MS password criteria
Last modified: 2021-05-27 11:35:49 CEST
Currently univention.password.Check doesn't support configuration of standard MS password criteria:
https://docs.microsoft.com/de-de/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements
We currently use cracklib, which doesn't offer the "minclass" configuration option which e.g. pam_cracklib offers. On the other hand cracklib checks too much, e.g. for palindromes and social security number format.
We should provide a way for customers to configure the standard MS password criteria, even if they don't use Samba/AD. And those who do may benefit from this too, because univention.password.Check is used in UDM users/user to check passwords set via UMC/UDM-web or UDM-cli.
0aaaf6484b | support configuration of standard MS password criteria
e18e151637 | Document password/quality/length/min
3881c479b7 | Improve precision of wording in documentation
7160910b24 | UCS 4.4-6 changelog entry
3897932352 | Improve consistency of descriptions in manual
Package: univention-python Version: 12.0.0-21A~4.4.0.202009161627 Branch: ucs_4.4-0 Scope: ucs4.4-6
Package: univention-base-files Version: 8.0.0-9A~4.4.0.202009161629 Branch: ucs_4.4-0 Scope: ucs4.4-6
Package: univention-management-console Version: 11.0.4-107A~4.4.0.202009161631 Branch: ucs_4.4-0 Scope: ucs4.4-6
0c79a3bbbd | ucs-test changelog and PEP8 fix
Package: ucs-test Version: 9.0.4-76A~4.4.0.202009171042 Branch: ucs_4.4-0 Scope: ucs4.4-6
Since we aim to publish this in scope ucs4.4-6, Erik recommended to revert the changes done in branch 4.4-5 too:
3dbcddb97b | Revert patch for branch 4.4-5
37e2de0108 | check for username must be case insensitive too
f1194509d6 | Fix UCR variable description wording and typos
62e521cb96 | Pass displayName from users/user ands users/ldap to univention.password.Check() too
9d86785bbe | Skip pam_cracklib if password/quality/mspolicy='sufficient'
614f4e77d8 | Fix UMC password PAM stack (avoid "Errorcode 20")
1a25a0aa2e | Fix UMC password change error messages
55a9ccd3ba | Fix password change exception message (in univention-python)
Package: univention-python Version: 12.0.0-23A~4.4.0.202009171825 Branch: ucs_4.4-0 Scope: ucs4.4-6
Package: univention-base-files Version: 8.0.0-10A~4.4.0.202009171315 Branch: ucs_4.4-0 Scope: ucs4.4-6
Package: univention-management-console Version: 11.0.4-109A~4.4.0.202009171827 Branch: ucs_4.4-0 Scope: ucs4.4-6
Package: univention-directory-manager-modules Version: 14.0.15-7A~4.4.0.202009171319 Branch: ucs_4.4-0 Scope: ucs4.4-6
Manual: [4.4-6 339828ff72] Bug #51994: fix typos
The tests show regressions. Setting a simple password like 'chocolate' does not work anymore with this change. Is changing the default password complexity intended, acceptable and in scope with this feature request?
https://jenkins.knut.univention.de:8181/job/UCS-4.4/job/UCS-4.4-6/job/AutotestJoin/lastCompletedBuild/SambaVersion=no-samba,Systemrolle=master/testReport/60_umc/07_expired_password/master090/
> Is changing the default password complexity intended, acceptable and in scope with this feature request?
It is none of that, it was just the pytest case that was leaking the UCR test setting. I fixed that now in the latest build of ucs-test. QA had two additional change requests which I also addressed in the following commits:
817bc773a6 | Avoid leaking test UCR settings
554f483ed5 | Support explicit username passing to Check.check()
544a7c46bb | Pass username to univention.password.Check() too
5b15ebab6c | Revert changes to UMC PAM stack, it didn't help.
Package: univention-python Version: 12.0.0-24A~4.4.0.202009181123 Branch: ucs_4.4-0 Scope: ucs4.4-6
Package: univention-management-console Version: 11.0.4-110A~4.4.0.202009181126 Branch: ucs_4.4-0 Scope: ucs4.4-6
Package: univention-directory-manager-modules Version: 14.0.15-8A~4.4.0.202009181127 Branch: ucs_4.4-0 Scope: ucs4.4-6
Package: ucs-test Version: 9.0.4-77A~4.4.0.202009181129 Branch: ucs_4.4-0 Scope: ucs4.4-6
67c8d25582 | Version bump for 4.4-6 to comply with UCS package versioning policy
Package: univention-python Version: 12.0.1-1A~4.4.0.202009181246 Branch: ucs_4.4-0 Scope: ucs4.4-6
Package: univention-base-files Version: 8.0.1-1A~4.4.0.202009181249 Branch: ucs_4.4-0 Scope: ucs4.4-6
Package: univention-management-console Version: 11.0.5-1A~4.4.0.202009181251 Branch: ucs_4.4-0 Scope: ucs4.4-6
Package: univention-directory-manager-modules Version: 14.0.16-1A~4.4.0.202009181252 Branch: ucs_4.4-0 Scope: ucs4.4-6
Package: ucs-test Version: 9.0.1-1A~4.4.0.202009181254 Branch: ucs_4.4-0 Scope: ucs4.4-6
b6a9a311e2 | Fix version bump
Package: ucs-test Version: 9.0.5-1A~4.4.0.202009181258 Branch: ucs_4.4-0 Scope: ucs4.4-6
d101160aa8 | fix using wrong variable
Package: univention-python Version: 12.0.1-2A~4.4.0.202009181504 Branch: ucs_4.4-0 Scope: ucs4.4-6
OK: 020_password_complexity_checks.py
OK: changelog
OK: ucr var description
password/quality/mspolicy=no
  OK: no behavioral changes
password/quality/mspolicy=yes
  OK: additional MS password checks are performed (username/displayname(parts) in password + samba.check_password_quality)
  ~OK-ish when changing the password over UMC the displayName is not sent to the check and the username contains the domain (e.g. user1@MYDOMAIN.INTRANET) which makes the username in password check not work (see Bug #52061)
password/quality/mspolicy=sufficient
  password.py check returns early when MS checks are green. This works over UDM but pam_cracklib still can reject passwords when changing the password over UMC (e.g. palindromes are rejected by pam_cracklib but sufficient for the ms quality) (see Bug #52057)
-> verified
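The checks discussed in this bug, as a stand-alone added example (not code from univention.password or Samba): it follows the Microsoft complexity policy linked in the description and shows the case from the QA comment above, where a username passed as user1@MYDOMAIN.INTRANET slips past the username-in-password check. All function names and sample values are constructed; normalize_username is a hypothetical helper, and minimum length is a separate policy that is not checked here.

```python
import re
import string

# Delimiters Microsoft documents for splitting the display name into tokens:
# comma, period, hyphen, underscore, space, pound sign, tab.
_DELIMS = re.compile(r"[,.\-_ #\t]+")


def char_classes(password):
    """Count how many of the five documented character categories occur."""
    return sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c in string.digits for c in password),
        any(not c.isalnum() for c in password),
        # Alphabetic but caseless (e.g. CJK characters).
        any(c.isalpha() and not c.isupper() and not c.islower() for c in password),
    ])


def ms_complexity_errors(password, username=None, display_name=None, min_classes=3):
    """Return a list of policy violations; an empty list means the password passes."""
    errors = []
    lowered = password.lower()
    # The account name is compared as a whole, case-insensitively, and only
    # when it is at least three characters long.
    if username and len(username) >= 3 and username.lower() in lowered:
        errors.append("contains username")
    # Display name tokens shorter than three characters are ignored.
    for token in _DELIMS.split(display_name or ""):
        if len(token) >= 3 and token.lower() in lowered:
            errors.append("contains displayName part %r" % token)
    if char_classes(password) < min_classes:
        errors.append("fewer than %d character classes" % min_classes)
    return errors


def normalize_username(username):
    """Hypothetical helper: drop a trailing @REALM before the check."""
    return username.split("@", 1)[0] if username else username


if __name__ == "__main__":
    pw = "User1-Secret!"  # constructed sample
    print(ms_complexity_errors(pw, username="user1@MYDOMAIN.INTRANET"))  # check misses
    print(ms_complexity_errors(pw, username=normalize_username("user1@MYDOMAIN.INTRANET")))
```

A palindrome such as Ab1!1bA passes these checks, which is why a PAM stack that still runs pam_cracklib can reject a password that the MS policy alone would accept.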
UCS 4.4-6 has been released:
https://docs.software-univention.de/release-notes-4.4-6-en.html
https://docs.software-univention.de/release-notes-4.4-6-de.html
If this error occurs again, please use the "Clone This Bug" option.