[openstack-dev] [nova][security] Enable user password complexity verification

liusheng liusheng1175 at 126.com
Wed Jun 3 09:57:52 UTC 2015

Thanks for this topic, also, I think it is similar situation when 
talking about keystone users, not only the instances's password.

在 2015/6/3 17:48, 郑振宇 写道:
> Hi All,
> The current OpenStack does not provide user password complexity 
> verification option.
> When performing actions such as create instances, evacuate instances, 
> rebuild instances, rescue instances and update instances' admin 
> password. The complexity of user provided admin password has not been 
> verified. This can cause security problems.
> One solution will be adding a configuration option: 
> using_complex_admin_password = True, if this option is set in 
> configure file by administrator, then Nova will perform password 
> complexity checks, the check standards can be set to following the IT 
> industry general standard, if the provided admin password is not 
> complex enough, an exception will be throw. If this option is not set 
> in configure file, then the complexity check will be skipped.
> When the user dose not provide admin password, generate_password() in 
> utils.py is used to generate an admin password. Generate_password() 
> now uses two password symbol groups: default and easier, the default 
> symbol group contains numbers, upper case letters and small case 
> letters. the easier symbol group contains only numbers and upper case 
> letters. The generated password is not complex enough and can also 
> cause security problems.
> One possible solution is to add a new symbol group: 
> STRONGER_PASSWORD_SYMBOLS which contains numbers, upper case letters, 
> lower case letters and also special characters such as 
> `~!@#$%^&*()-_=+ and space. Then adding a new option in configuration 
> file: generate_strong_password = True, when this option is set, nova 
> will generate password using STRONGER_PASSWORD_SYMBOLS symbol group 
> and with longer password length. If this option is not set, the 
> password will be generated using the default symbol group and default 
> length.
> AWS allows the selection of password policy to configure which kind of 
> password complexity is used in the cloud. Please see:
> http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_ManagingPasswordPolicies.html
> And about the standard of complexity, Microsoft also have an advise 
> about it, please see:
> https://technet.microsoft.com/en-us/library/hh994562%28v=ws.10%29.aspx
> Thanks,
> BR,
> Zhenyu Zheng
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150603/0227c816/attachment.html>

More information about the OpenStack-dev mailing list