cefa3d2582
This review will be enforcing new password rules to Keystone accounts,
the new rules are:
- Minimum 12 characters
- At least 1 Uppercase letter
- At least 1 number
- At least 1 special character
- Cannot reuse past 5 passwords
Test Plan:
PASS: Run fresh install of AIO-SX with complete bootstrap and unlock
of the controller-0.
PASS: Run build-pkgs -c -p keystone.
PASS: Run build-image.
Note: The password command that I used for the next test cases is:
openstack user password set
PASS: Change password 5 times and then try to use the first password of
the sequence again to verify if it is using password history.
PASS: Try to change the password to a password without an uppercase
letter and verify if it fail.
PASS: Try to change the password to a password without a number
and verify if it fail.
PASS: Try to change the password to a password without a special
character and verify if it fail.
PASS: Try password with less than 12 character and verify if it fails.
PASS: Access account and change password using serial console.
PASS: Try a password that doesn't fit the password requirements and
verify if the error message is shown.
Story: 2011084
Task: 49824
Change-Id: Iba10465e4ea25fb6e35aa0e7b81391269cda739e
Signed-off-by: Karla Felix <karla.karolinenogueirafelix@windriver.com>
54 lines
2.6 KiB
Diff
54 lines
2.6 KiB
Diff
From 9ab6fb0efd1c9a35d5d6e44226cce6fd7f5189a7 Mon Sep 17 00:00:00 2001
|
|
From: Karla Felix <karla.karolinenogueirafelix@windriver.com>
|
|
Date: Thu, 4 Apr 2024 13:17:13 -0300
|
|
Subject: [PATCH] Enforce new password rules to keystone accounts
|
|
|
|
This review will be enforcing new password rules to Keystone accounts,
|
|
the new rules are:
|
|
- Minimum 12 characters
|
|
- At least 1 Uppercase letter
|
|
- At least 1 number
|
|
- At least 1 special character
|
|
- Cannot reuse past 5 passwords
|
|
|
|
Signed-off-by: Karla Felix <karla.karolinenogueirafelix@windriver.com>
|
|
---
|
|
debian/stx/password-rules.conf | 11 +++++++----
|
|
1 file changed, 7 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/debian/stx/password-rules.conf b/debian/stx/password-rules.conf
|
|
index ac18ef9..2e1a7ff 100644
|
|
--- a/debian/stx/password-rules.conf
|
|
+++ b/debian/stx/password-rules.conf
|
|
@@ -18,20 +18,23 @@
|
|
# feature, values must be greater than 1. This feature depends on the `sql`
|
|
# backend for the `[identity] driver`. (integer value)
|
|
# Minimum value: 1
|
|
-unique_last_password_count = 3
|
|
+unique_last_password_count = 5
|
|
|
|
# The regular expression used to validate password strength requirements. By
|
|
# default, the regular expression will match any password. The following is an
|
|
# example of a pattern which requires at least 1 letter, 1 digit, and have a
|
|
-# minimum length of 7 characters: ^(?=.*\d)(?=.*[a-zA-Z]).{7,}$ This feature
|
|
+# minimum length of 12 characters: ^(?=.*\d)(?=.*[a-zA-Z]).{12,}$ This feature
|
|
# depends on the `sql` backend for the `[identity] driver`. (string value)
|
|
-password_regex = ^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*()<>{}+=_\\\[\]\-?|~`,.;:]).{7,}$
|
|
+password_regex = ^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*()<>{}+=_\\\[\]\-?|~`,.;:]).{12,}$
|
|
|
|
# Describe your password regular expression here in language for humans. If a
|
|
# password fails to match the regular expression, the contents of this
|
|
# configuration variable will be returned to users to explain why their
|
|
# requested password was insufficient. (string value)
|
|
-password_regex_description = Password must have a minimum length of 7 characters, and must contain at least 1 upper case, 1 lower case, 1 digit, and 1 special character
|
|
+password_regex_description = Password must have a minimum length of 12 characters, and must contain at least 1 upper case, 1 lower case, 1 digit, and 1 special character
|
|
+
|
|
+# Specifies the number of days after which passwords expire and must be changed.
|
|
+password_expires_days = 90
|
|
|
|
# The number of seconds a user account will be locked when the maximum number
|
|
# of failed authentication attempts (as specified by `[security_compliance]
|
|
--
|
|
2.34.1
|
|
|