[openstack-dev] [nova][security] Enable user password complexity verification

David Stanek dstanek at dstanek.com
Wed Jun 3 11:49:20 UTC 2015


On Wed, Jun 3, 2015 at 6:04 AM liusheng <liusheng1175 at 126.com> wrote:

>  Thanks for this topic, also, I think it is a similar situation when talking
> about Keystone users, not only the instances' password.
>
>
In the past we've talked about having more advanced password management
features in Keystone (complexity checks, rotation, etc). The end result is
that we are not adding them because we would like to get away from managing
users in Keystone that way. Instead we are pushing for users to integrate
Keystone with more fully featured identity products.


>
> On 2015/6/3 17:48, 郑振宇 wrote:
>
> Hi All,
>
>  The current OpenStack does not provide a user password complexity
> verification option.
>
>
>   When performing actions such as create instances, evacuate instances,
> rebuild instances, rescue instances and update instances' admin password,
> the complexity of the user-provided admin password is not verified. This
> can cause security problems.
>
>  One solution will be adding a configuration option:
> using_complex_admin_password = True. If this option is set in the configure
> file by the administrator, then Nova will perform password complexity checks.
> The check standards can be set to follow the IT industry general
> standard. If the provided admin password is not complex enough, an
> exception will be thrown. If this option is not set in the configure file, then
> the complexity check will be skipped.
>
>  When the user does not provide an admin password, generate_password() in
> utils.py is used to generate an admin password. generate_password() now
> uses two password symbol groups: default and easier. The default symbol
> group contains numbers, upper case letters and small case letters. The
> easier symbol group contains only numbers and upper case letters. The
> generated password is not complex enough and can also cause security
> problems.
>
>  One possible solution is to add a new symbol group:
> STRONGER_PASSWORD_SYMBOLS which contains numbers, upper case letters, lower
> case letters and also special characters such as `~!@#$%^&*()-_=+ and
> space. Then adding a new option in configuration file:
> generate_strong_password = True, when this option is set, nova will
> generate password using STRONGER_PASSWORD_SYMBOLS symbol group and with
> longer password length. If this option is not set, the password will be
> generated using the default symbol group and default length.
>
>  AWS allows the selection of password policy to configure which kind of
> password complexity is used in the cloud. Please see:
>
> http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_ManagingPasswordPolicies.html
>
>  And about the standard of complexity, Microsoft also has advice
> about it, please see:
> https://technet.microsoft.com/en-us/library/hh994562%28v=ws.10%29.aspx
>
>  Thanks,
> BR,
> Zhenyu Zheng
>
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
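
The option and symbol group proposed in the quoted message, sketched as an added Python example (not Nova's utils.py and not code from either poster). The 8-character minimum, the 16-character strong length, the rule that every symbol group must be represented, and the names WeakPassword, missing_groups, check_admin_password and admin_password_for are assumptions; the thread names no specific standard.

```python
# Added example, not Nova's utils.py; lengths and the "every group" rule are assumptions.
import secrets
import string

SPECIALS = "`~!@#$%^&*()-_=+ "  # specials named in the proposal, including space
DEFAULT_PASSWORD_SYMBOLS = (string.digits, string.ascii_uppercase, string.ascii_lowercase)
STRONGER_PASSWORD_SYMBOLS = DEFAULT_PASSWORD_SYMBOLS + (SPECIALS,)

class WeakPassword(ValueError):
    """Raised when a user-supplied admin password fails the complexity check."""

def generate_password(length=12, symbolgroups=DEFAULT_PASSWORD_SYMBOLS):
    """Return a random password containing at least one symbol from every group."""
    if length < len(symbolgroups):
        raise ValueError("length too short to cover every symbol group")
    # One character per group guarantees coverage; the rest come from the union.
    chars = [secrets.choice(group) for group in symbolgroups]
    pool = "".join(symbolgroups)
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    # Shuffle with the OS CSPRNG so the guaranteed characters have no fixed position.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)

def missing_groups(password, symbolgroups):
    """Return the indexes of symbol groups with no character in the password."""
    return [i for i, g in enumerate(symbolgroups) if not any(c in g for c in password)]

def check_admin_password(password, enabled, min_length=8,
                         symbolgroups=STRONGER_PASSWORD_SYMBOLS):
    """Skip the check when the option is off; raise WeakPassword when it fails."""
    if not enabled:
        return
    if len(password) < min_length:
        raise WeakPassword("shorter than %d characters" % min_length)
    missing = missing_groups(password, symbolgroups)
    if missing:
        raise WeakPassword("no character from symbol group(s) %s" % missing)

def admin_password_for(supplied, complex_required, strong_generation):
    """Validate a supplied password, or generate one when none was supplied."""
    if supplied is not None:
        check_admin_password(supplied, complex_required)
        return supplied
    if strong_generation:
        return generate_password(16, STRONGER_PASSWORD_SYMBOLS)
    return generate_password()
```
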