[openstack-dev] [nova][security] Enable user password complexity verification
liusheng
liusheng1175 at 126.com
Wed Jun 3 09:57:52 UTC 2015
Thanks for this topic. Also, I think it is a similar situation when
talking about keystone users, not only the instances' password.
On 2015/6/3 17:48, 郑振宇 wrote:
> Hi All,
>
> The current OpenStack does not provide user password complexity
> verification option.
>
>
> When performing actions such as creating instances, evacuating instances,
> rebuilding instances, rescuing instances and updating instances' admin
> password, the complexity of the user-provided admin password has not been
> verified. This can cause security problems.
>
> One solution will be adding a configuration option:
> using_complex_admin_password = True. If this option is set in the
> configuration file by the administrator, then Nova will perform password
> complexity checks. The check standards can be set to follow the IT
> industry general standard. If the provided admin password is not
> complex enough, an exception will be thrown. If this option is not set
> in the configuration file, then the complexity check will be skipped.
>
> When the user does not provide an admin password, generate_password() in
> utils.py is used to generate an admin password. generate_password()
> now uses two password symbol groups: default and easier. The default
> symbol group contains numbers, upper case letters and lower case
> letters. The easier symbol group contains only numbers and upper case
> letters. The generated password is not complex enough and can also
> cause security problems.
>
> One possible solution is to add a new symbol group:
> STRONGER_PASSWORD_SYMBOLS which contains numbers, upper case letters,
> lower case letters and also special characters such as
> `~!@#$%^&*()-_=+ and space. Then add a new option in the configuration
> file: generate_strong_password = True. When this option is set, nova
> will generate the password using the STRONGER_PASSWORD_SYMBOLS symbol
> group and with a longer password length. If this option is not set, the
> password will be generated using the default symbol group and default
> length.
>
> AWS allows the selection of password policy to configure which kind of
> password complexity is used in the cloud. Please see:
> http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_ManagingPasswordPolicies.html
>
> And about the standard of complexity, Microsoft also has advice
> about it, please see:
> https://technet.microsoft.com/en-us/library/hh994562%28v=ws.10%29.aspx
>
> Thanks,
> BR,
> Zhenyu Zheng
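The two proposals in the message above (an optional complexity check on user-supplied admin passwords, and a stronger symbol group for generated ones), shown as an added example; it is not Nova's code and not part of the thread. The option name and STRONGER_PASSWORD_SYMBOLS come from the proposal; the function names, the contents of the default group, the 12-character minimum and the 16-character generated length are assumptions.

```python
import secrets
import string

# Hypothetical symbol groups modelled on the proposal; not Nova's own constants.
DEFAULT_PASSWORD_SYMBOLS = {
    "digit": string.digits,
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
}
STRONGER_PASSWORD_SYMBOLS = dict(DEFAULT_PASSWORD_SYMBOLS,
                                 special="`~!@#$%^&*()-_=+ ")


class WeakPasswordError(ValueError):
    """Raised when a user-supplied admin password fails the check."""


def check_password_complexity(password, min_length=12,
                              groups=STRONGER_PASSWORD_SYMBOLS):
    """Return a list of rule violations; an empty list means it passes."""
    problems = []
    if len(password) < min_length:  # min_length is an assumed policy value
        problems.append("shorter than %d characters" % min_length)
    for name, symbols in groups.items():
        if not any(ch in symbols for ch in password):
            problems.append("no %s character" % name)
    return problems


def validate_admin_password(password, using_complex_admin_password=True):
    """Enforce the check only when the proposed option is enabled."""
    if not using_complex_admin_password:
        return
    problems = check_password_complexity(password)
    if problems:
        # Report which rules failed, never the password itself.
        raise WeakPasswordError("admin password rejected: " + "; ".join(problems))


def generate_password(length=16, groups=STRONGER_PASSWORD_SYMBOLS):
    """Generate a password holding at least one symbol from every group."""
    if length < len(groups):
        raise ValueError("length must cover every symbol group")
    rng = secrets.SystemRandom()  # OS CSPRNG, not the default Mersenne Twister
    chars = [rng.choice(symbols) for symbols in groups.values()]
    alphabet = "".join(groups.values())
    chars += [rng.choice(alphabet) for _ in range(length - len(chars))]
    rng.shuffle(chars)  # do not leave the per-group picks at fixed positions
    return "".join(chars)
```

Because the generator draws one symbol from each group before filling the rest, every generated password passes the same check that is applied to user-supplied ones.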