Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

vncpasswd add pwquality complexity rule check #1762

Merged
merged 2 commits into from
Aug 15, 2024
Merged

vncpasswd add pwquality complexity rule check #1762

merged 2 commits into from
Aug 15, 2024

Conversation

prownd
Copy link
Contributor

@prownd prownd commented Jun 2, 2024

Add a password complexity strategy for VNC user authentication
enhance password quality verification checks, and enhance security

Additionally, Chinese translation has been added

@CendioOssman
Copy link
Member

Thank you for your contribution!

I'm concerned how well a pwquality will work for VNC passwords, given that they are limited to 8 characters. #370 would probably need to be implemented first. Otherwise the user might come up with a long and secure to keep pwquality happy, but overlook the fact that the actual used password is much shorter.

It should probably also just be a warning when pwquality fails, not an error, given that it is difficult to get a good password with so few characters.

@prownd
Copy link
Contributor Author

prownd commented Jun 3, 2024
edited
Loading

Yes, due to the VNC protocol, the actual length of the VNC password used is 8 characters.
The first version I modified did indeed limit the maximum length to 8 characters. However, considering that there has always been no limit on the maximum length when setting passwords, so I removed the limit of 8 characters.
According to your suggestion, when pwquality fails, there will only be an alarm prompt. Instead of terminating password settings

@prownd
Copy link
Contributor Author

prownd commented Jun 3, 2024
edited
Loading

Thank you for your contribution!

I'm concerned how well a pwquality will work for VNC passwords, given that they are limited to 8 characters. #370 would probably need to be implemented first. Otherwise the user might come up with a long and secure to keep pwquality happy, but overlook the fact that the actual used password is much shorter.

It should probably also just be a warning when pwquality fails, not an error, given that it is difficult to get a good password with so few characters.

According to your opinion, when setting a password, add an 8-character limit.
Can I modify and submit it again or not

@prownd
Copy link
Contributor Author

prownd commented Jun 7, 2024

  1. Use libpwquality to check password quality and complexity, improving security.
    The validation rules for libpwquality are as follows:
    • The minimum password length is 6 and the maximum is 8
    • Password characters repeat once
    • At least 3 types of characters are required
  2. Add i18n internationalization support and Chinese localization translation.

@prownd
Copy link
Contributor Author

prownd commented Jun 7, 2024

  1. Use libpwquality to check password quality and complexity, improving security.
    The validation rules for libpwquality are as follows:

    • The minimum password length is 6 and the maximum is 8
    • Password characters repeat once
    • At least 3 types of characters are required

  2. Add i18n internationalization support and Chinese localization translation.

@CendioOssman Could you please take a look and see if there is anything else that needs to be added.

CendioOssman
CendioOssman requested changes Jun 14, 2024
View reviewed changes
Copy link
Member

@CendioOssman CendioOssman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks really good! There are some tweaks that are needed, though. Please have a look at my comments.

po/zh_CN.po Outdated Show resolved Hide resolved
unix/vncpasswd/CMakeLists.txt Outdated Show resolved Hide resolved
unix/vncpasswd/vncpasswd.cxx Outdated Show resolved Hide resolved
unix/vncpasswd/vncpasswd.cxx Outdated Show resolved Hide resolved
unix/vncpasswd/vncpasswd.cxx Outdated Show resolved Hide resolved
unix/vncpasswd/vncpasswd.cxx Outdated
pwquality_set_int_value(pwq, PWQ_SETTING_MIN_LENGTH, 6);
pwquality_set_int_value(pwq, PWQ_SETTING_MAX_SEQUENCE, 8);
pwquality_set_int_value(pwq, PWQ_SETTING_MAX_REPEAT, 1);
pwquality_set_int_value(pwq, PWQ_SETTING_MIN_CLASS, 3);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This doesn't seem proper to override. Isn't this configured by the system administrator in /etc/security/pwquality.conf?

Copy link
Contributor Author

@prownd prownd Jun 17, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using the rules specified in the code for the libpwquality library.
Instead of using the libpwquality.cn configuration file.
I think these two are independent, so there should be no rewriting or conflict.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The man page for pwquality.conf states:

   pwquality.conf provides a way to configure the default password quality requirements for the system
   passwords. This file is read by the libpwquality library and utilities that use this library for checking
   and generating passwords.

So I think it would be very surprising for a sysadmin if those settings aren't respected by vncpasswd.

Please remove all the overrides and we can use the settings that libpwquality has loaded from the system configuration.

unix/vncpasswd/vncpasswd.cxx Outdated
exit(1);
}
fprintf(stderr,"Password must be at least 6 characters - try again\n");
fprintf(stderr,_("Password must be at least 6 characters - try again\n"));
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is now policy that could conflict with what pwquality wants. It should be removed if we always use pwquality, or used as a fallback if pwquality ends up being optional.

unix/vncpasswd/vncpasswd.cxx Outdated Show resolved Hide resolved
unix/vncpasswd/vncpasswd.cxx
continue;
}

if (first.size() > 8) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice! But could you split this to a separate commit? It's independent of using pwquality.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps they should be submitted separately

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A separate commit, yes. But you don't need to open a separate PR for such a small fix.

unix/vncpasswd/vncpasswd.cxx Outdated Show resolved Hide resolved
@prownd prownd requested a review from CendioOssman June 24, 2024 02:52
@prownd
Copy link
Contributor Author

prownd commented Jun 24, 2024

@CendioOssman
I have made modifications according to your suggestions.
Could you please review it to see if it is correct.

@prownd prownd changed the title vncpasswd add pwquality complexity rule check and translation vncpasswd add pwquality complexity rule check Jun 24, 2024
CendioOssman
CendioOssman requested changes Jun 24, 2024
View reviewed changes
unix/vncpasswd/CMakeLists.txt Outdated
# check for pwquality password check support
option(ENABLE_PWQUALITY "Enable pwquality password check" ON)
if(ENABLE_PWQUALITY)
if(UNIX)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps this if() should be around everything, so we don't annoy Windows users with this setting?

unix/vncpasswd/CMakeLists.txt Outdated Show resolved Hide resolved
@prownd prownd requested a review from CendioOssman June 24, 2024 14:04
@prownd
Copy link
Contributor Author

prownd commented Jun 25, 2024
edited
Loading

Could you please take a moment to review again . @CendioOssman

@prownd
Copy link
Contributor Author

prownd commented Jul 11, 2024

@CendioOssman Please review again.
Is your suggestion to use the default/etc/security/pwquality.conf configuration rules?
But as mentioned earlier, the actual maximum length of a password is only 8, which may have generated a very long and complex password, but only 8 lengths were actually used.
So it is very necessary to specify some rules in the code.

Looking forward to your reply and suggestions.

@CendioOssman
Copy link
Member

Sorry for the late response. I've been away for a few weeks.

There are still some open requests that haven't been addressed. Please have a look at them and see if we can get the last bits fixed.

@CendioOssman
Copy link
Member

Is your suggestion to use the default/etc/security/pwquality.conf configuration rules?

Yes, that is correct.

But as mentioned earlier, the actual maximum length of a password is only 8, which may have generated a very long and complex password, but only 8 lengths were actually used.
So it is very necessary to specify some rules in the code.

If the system policy doesn't allow passwords that are compatible with VNC, then the system should refuse to continue. It shouldn't silently change the policy and allow things that the user thinks have been blocked.

As for only 8 characters being used, your previous suggestion had a check for that. But it seems to have been dropped?

@prownd prownd closed this Aug 7, 2024
@prownd prownd reopened this Aug 7, 2024
@prownd
Copy link
Contributor Author

prownd commented Aug 7, 2024

Is your suggestion to use the default/etc/security/pwquality.conf configuration rules?

Yes, that is correct.

Okay, then use the default pwquality.conf rule

But as mentioned earlier, the actual maximum length of a password is only 8, which may have generated a very long and complex password, but only 8 lengths were actually used.
So it is very necessary to specify some rules in the code.

If the system policy doesn't allow passwords that are compatible with VNC, then the system should refuse to continue. It shouldn't silently change the policy and allow things that the user thinks have been blocked.

As for only 8 characters being used, your previous suggestion had a check for that. But it seems to have been dropped?

Because it's independent of using pwquality
Your suggestion is to submit a separate commit

@CendioOssman
Copy link
Member

Your suggestion is to submit a separate commit

Yes, but the commit can still be part of this pull request.

@prownd
vncpasswd add password complexity rule check to enhance security
6e3b382 
Use the library pwquality to check password complexity and improve security.
Additionally, optional enable support is also set in CMake.
@prownd
Limit the maximum length of a password to 8 characters
73e6e18 
Password should not be greater than 8 characters.
Because only 8 valid characters are used.
@prownd
Copy link
Contributor Author

prownd commented Aug 13, 2024

@CendioOssman According to your suggestion, it has been modified.
Could you please review it again

CendioOssman
CendioOssman approved these changes Aug 15, 2024
View reviewed changes
Copy link
Member

@CendioOssman CendioOssman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good! Thank you for getting this done.

@CendioOssman CendioOssman merged commit 3aca8be into TigerVNC:master Aug 15, 2024
11 checks passed
@CendioOssman CendioOssman mentioned this pull request Aug 15, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@CendioOssman CendioOssman CendioOssman approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@prownd @CendioOssman