<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Thanks for this topic. Also, I think it is a similar situation when
talking about keystone users, not only the instances' password.<br>
<br>
<div class="moz-cite-prefix">On 2015/6/3 17:48, 郑振宇 wrote:<br>
</div>
<blockquote cite="mid:COL130-W55D37A8B6FF3D5C78992CE99B40@phx.gbl"
type="cite">
<div dir="ltr">Hi All,
<div><br>
</div>
<div>The current OpenStack does not provide a user password
complexity verification option.</div>
<div><br>
</div>
<div>
<div>When performing actions such as creating instances,
evacuating instances, rebuilding instances, rescuing instances and
updating instances' admin password, the complexity of the
user-provided admin password has not been verified. This can
cause security problems. </div>
<div><br>
</div>
<div>One solution will be adding a configuration option:
using_complex_admin_password = True. If this option is set
in the configuration file by the administrator, then Nova will perform
password complexity checks. The check standards can be set
to follow the IT industry general standard. If the
provided admin password is not complex enough, an exception
will be thrown. If this option is not set in the configuration file,
then the complexity check will be skipped.</div>
</div>
<div><br>
</div>
<div>When the user does not provide an admin password,
generate_password() in utils.py is used to generate an admin
password. generate_password() now uses two password symbol
groups: default and easier. The default symbol group contains
numbers, upper case letters and lower case letters. The easier
symbol group contains only numbers and upper case letters. The
generated password is not complex enough and can also cause
security problems.</div>
<div><br>
</div>
<div>One possible solution is to add a new symbol group,
STRONGER_PASSWORD_SYMBOLS, which contains numbers, upper case
letters, lower case letters and also special characters such
as `~!@#$%^&*()-_=+ and space. Then add a new option in
the configuration file: generate_strong_password = True. When this
option is set, Nova will generate the password using the
STRONGER_PASSWORD_SYMBOLS symbol group and with a longer
password length. If this option is not set, the password will
be generated using the default symbol group and default
length.</div>
<div><br>
</div>
<div>AWS allows the selection of password policy to configure
which kind of password complexity is used in the cloud. Please
see:</div>
<div><a moz-do-not-send="true"
href="http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_ManagingPasswordPolicies.html"
target="_blank">http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_ManagingPasswordPolicies.html</a></div>
<div><br>
</div>
<div>And about the standard of complexity, Microsoft also has
advice about it, please see:</div>
<div><a moz-do-not-send="true"
href="https://technet.microsoft.com/en-us/library/hh994562%28v=ws.10%29.aspx"
target="_blank">https://technet.microsoft.com/en-us/library/hh994562%28v=ws.10%29.aspx</a></div>
<div><br>
</div>
<div>Thanks,</div>
<div>BR,</div>
<div>Zhenyu Zheng</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: <a class="moz-txt-link-abbreviated" href="mailto:OpenStack-dev-request@lists.openstack.org?subject:unsubscribe">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a>
<a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a>
</pre>
</blockquote>
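<div>A sketch of the two proposals in the quoted message, as an added example that is not part of the thread and is not Nova code: a complexity check gated by using_complex_admin_password, and a generator drawing from STRONGER_PASSWORD_SYMBOLS. The function names, the exception class, the minimum length of 12 and the generated length of 16 are assumptions made for illustration.</div>

```python
import secrets
import string

# Symbol groups named in the post; the special characters are the ones it lists.
SYMBOL_GROUPS = {
    "digit": string.digits,
    "upper case letter": string.ascii_uppercase,
    "lower case letter": string.ascii_lowercase,
    "special character": "`~!@#$%^&*()-_=+ ",
}
STRONGER_PASSWORD_SYMBOLS = "".join(SYMBOL_GROUPS.values())
MIN_LENGTH = 12        # assumed policy value, not from the post
GENERATED_LENGTH = 16  # assumed "longer" length, not from the post


class WeakAdminPassword(ValueError):
    """Hypothetical exception for a password that fails the check."""


def check_admin_password(password, min_length=MIN_LENGTH):
    """Return the list of unmet requirements (empty means acceptable)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    for name, symbols in SYMBOL_GROUPS.items():
        if not any(ch in symbols for ch in password):
            problems.append(f"no {name}")
    return problems


def validate_admin_password(password, using_complex_admin_password):
    """Raise only when the administrator has enabled the option."""
    if using_complex_admin_password:
        problems = check_admin_password(password)
        if problems:
            raise WeakAdminPassword("; ".join(problems))


def generate_stronger_password(length=GENERATED_LENGTH):
    """Generate a password with at least one symbol from every group."""
    if length < len(SYMBOL_GROUPS):
        raise ValueError("length too short to cover every symbol group")
    rng = secrets.SystemRandom()  # OS CSPRNG, not the default Mersenne Twister
    chars = [rng.choice(symbols) for symbols in SYMBOL_GROUPS.values()]
    chars += [rng.choice(STRONGER_PASSWORD_SYMBOLS)
              for _ in range(length - len(chars))]
    rng.shuffle(chars)  # so the guaranteed symbols are not in fixed positions
    return "".join(chars)
```

<div>Drawing one symbol from each group before filling the rest means a generated password always passes the same check applied to user-supplied ones.</div>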
<br>
</body>
</html>