#65049
Password policy and secure logon procedure
Not completed (0%)
Description
Hi,
It would be nice if higher authentication security could be integrated in Redmine. I'd like to submit the following recommendations:
Password policy
# use of both upper- and lower-case letters (case sensitivity);
# inclusion of one or more numerical digits;
# inclusion of special characters configuration choice;
# free of consecutive identical (configurable), all-numeric or all-alphabetic characters;
# change passwords at regular intervals (configurable) or based on the number of accesses (configurable); passwords for privileged accounts should be changed more frequently than normal passwords (configurable);
# avoid re-using or cycling old passwords (configurable);
# when users are required to maintain their own passwords, they should be provided initially with a secure temporary password;
# change temporary passwords at the first log-on;
# temporary passwords should be given to users in a secure manner; the use of third parties or unprotected (clear text) electronic mail messages should be avoided;
# temporary passwords should be unique to an individual and should not be guessable;
Secure logon procedure
# don't display system or application identifiers until the log-on process has been successfully completed (configurable);
# display a general notice warning that the computer should only be accessed by authorized users (configurable as a choice and for the message to display);
# don't provide help messages during the log-on procedure that would aid an unauthorized user;
# validate the log-on information only on completion of all input data. If an error condition arises, the system should not indicate which part of the data is correct or incorrect;
# limit the number of unsuccessful log-on attempts allowed, e.g. to three attempts (configurable with 0 = unlimited);
# record unsuccessful and successful attempts;
# force a time delay before further log-on attempts are allowed (configurable and exponential);
# send an alarm message if the maximum number of log-on attempts is reached (configurable with email addresses);
# display the following information on completion of a successful log-on:
## date and time of the previous successful log-on;
## details of any unsuccessful log-on attempts since the last successful log-on;
# don't display the password being entered or consider hiding the password characters by symbols;
# don't transmit passwords in clear text over a network.
If I'm not mistaken, the following from the items I listed above are already integrated in Redmine:
- Password policy items 1,2,3,7,8,9 and 10
- Secure logon procedure items 3,4,10 and 11
Thank you for considering these features!
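The password-policy items requested above, as an added example that is neither part of this request nor Redmine's own code: a configurable checker in which every rule is a setting an administrator can switch on or off. The rule names, the `min_length` value (the request does not name one), the `DEFAULT_POLICY` hash and the SHA-256 fingerprint used for the reuse check are assumptions of this example; a real deployment would compare against the salted hashes its password store already keeps.

```ruby
require 'digest'

# Added example, not Redmine's code. Each key corresponds to one item in the
# requested password policy; nil or false disables the rule.
DEFAULT_POLICY = {
  min_length: 8,                  # assumption: the request names no minimum length
  require_upper_and_lower: true,  # item 1
  require_digit: true,            # item 2
  require_special: true,          # item 3
  max_consecutive_identical: 2,   # item 4: "aa" is fine, "aaa" is rejected
  reject_all_numeric: true,       # item 4
  reject_all_alphabetic: true,    # item 4
  prevent_reuse: 3                # item 6: how many previous passwords may not be reused
}.freeze

# Demo fingerprint for the reuse history. SHA-256 only keeps the example
# self-contained; production code keeps the salted hashes of its password store.
def password_fingerprint(password)
  Digest::SHA256.hexdigest(password)
end

# Returns the list of violated rules; an empty array means the password is accepted.
# previous_fingerprints: the account's password history, newest first.
def password_violations(password, policy: DEFAULT_POLICY, previous_fingerprints: [])
  violations = []
  violations << :too_short if password.length < policy[:min_length]
  if policy[:require_upper_and_lower] &&
     !(password.match?(/[[:upper:]]/) && password.match?(/[[:lower:]]/))
    violations << :needs_upper_and_lower
  end
  violations << :needs_digit   if policy[:require_digit] && !password.match?(/\d/)
  violations << :needs_special if policy[:require_special] && !password.match?(/[^[:alnum:]]/)
  # A run of more than max_consecutive_identical equal characters is rejected.
  n = policy[:max_consecutive_identical]
  violations << :consecutive_identical if n && password.match?(/(.)\1{#{n},}/)
  violations << :all_numeric    if policy[:reject_all_numeric] && password.match?(/\A\d+\z/)
  violations << :all_alphabetic if policy[:reject_all_alphabetic] && password.match?(/\A[[:alpha:]]+\z/)
  # Reuse check against the configured number of most recent passwords.
  recent = previous_fingerprints.first(policy[:prevent_reuse].to_i)
  violations << :reused if recent.include?(password_fingerprint(password))
  violations
end
```

The checker returns every violated rule at once rather than stopping at the first, so the user sees the whole list of requirements in one round trip; the reuse history is truncated to `prevent_reuse` entries before comparison so shrinking the setting takes effect immediately.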
History
The following items from the password policy should read:
2. inclusion (configurable to force or not) of one or more numerical digits (configurable);
3. inclusion of special characters configuration choice (configurable to force or not);
--------------------------------------------------------------------------------
Hi,
It doesn't look like this feature has been implemented yet; it would be very useful for us as well to have what Vidal was asking for. Can someone work on this?
--------------------------------------------------------------------------------
Hi,
I added cracklib support to Redmine. This doesn't address all your concerns with password policy, but at least some of them.
I figure you might find it helpful.
--------------------------------------------------------------------------------
Hi Robert,
I've added your changes to my test Redmine and I received an error when I restarted my Apache:
<pre>
no such file to load -- password (MissingSourceFile)
Exception class:
</pre>
My version of Redmine is 1.2.3.
What exactly does your code do? Does it check the length of the password?
--------------------------------------------------------------------------------
I've created a plugin that implements Password Expiry and Lock Unused Account functionality.
_It is alpha quality, so use at your own risk. Further, this is my first plugin, so even alpha is more advanced than it may be :-)_
Would be great to receive pull requests on GitHub.
https://github.com/go2null/redmine_account_policy
The intent is to add more functionality to implement User Account rules.
Here's a summary of the current (v2.6.0) status of the asks in the Description.
*Password policy*
# use of both upper- and lower-case letters (case sensitivity);
## Plan to include in plugin
# inclusion of one or more numerical digits;
## Plan to include in plugin
# inclusion of special characters configuration choice;
## Plan to include in plugin
# free of consecutive identical (configurable), all-numeric or all-alphabetic characters;
## Plan to include in plugin
# change passwords at regular intervals (configurable) or based on the number of accesses (configurable); passwords for privileged accounts should be changed more frequently than normal passwords (configurable);
## _change passwords at regular intervals (configurable)_ is implemented in plugin as *Password Expiry*.
# avoid re-using or cycling old passwords (configurable);
## Redmine includes check against last password (i.e., prevent_reuse = 1)
## Plan to include in plugin
# when users are required to maintain their own passwords, they should be provided initially with a secure temporary password;
## Redmine implements this as *Generate password*
# change temporary passwords at the first log-on;
## Redmine implements this as *Must change password at next logon*
# temporary passwords should be given to users in a secure manner; the use of third parties or unprotected (clear text) electronic mail messages should be avoided;
# temporary passwords should be unique to an individual and should not be guessable;
## Redmine implements this as *Generate password*
*Secure logon procedure*
# don't display system or application identifiers until the log-on process has been successfully completed (configurable);
## Already implemented in Redmine
# display a general notice warning that the computer should only be accessed by authorized users (Configurable as a choice and for the message to display);
# don't provide help messages during the log-on procedure that would aid an unauthorized user;
## Already implemented in Redmine
# validate the log-on information only on completion of all input data. If an error condition arises, the system should not indicate which part of the data is correct or incorrect;
## Already implemented in Redmine
# limit the number of unsuccessful log-on attempts allowed, e.g. to three attempts (configurable with 0 = unlimited);
## Plan to include in plugin
# record unsuccessful and successful attempts;
# force a time delay before further log-on attempts are allowed (configurable and exponential);
## Plan to include in plugin
# send an alarm message if the maximum number of log-on attempts is reached (configurable with email addresses);
# display the following information on completion of a successful log-on:
## date and time of the previous successful log-on;
## details of any unsuccessful log-on attempts since the last successful log-on;
# don't display the password being entered or consider hiding the password characters by symbols;
## Already implemented in Redmine
# don't transmit passwords in clear text over a network.
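The logon items marked "Plan to include in plugin" above (attempt limit with 0 = unlimited, exponential delay between attempts, a record of every attempt, an alarm when the limit is reached, and the previous-logon summary to show after a successful login), as an added example that is neither Redmine's nor the redmine_account_policy plugin's code. The `LoginGuard` class, its keyword parameters, the in-memory attempt store, the delay formula `base_delay * 2**(failures - 1)` capped at `max_delay`, and the injectable clock are all assumptions of this example.

```ruby
# Added example, not Redmine's or the plugin's code: an in-memory guard that
# applies the requested logon rules to one account at a time.
class LoginGuard
  # success is true, false, or :unlocked (an administrative unlock marker).
  Attempt = Struct.new(:at, :success, :ip)

  attr_reader :alarms

  # max_attempts: 0 means unlimited, as the request asks.
  # clock: callable returning the current time (Time in production; the test
  # injects integers so timing is deterministic).
  def initialize(max_attempts: 3, base_delay: 2, max_delay: 300, clock: -> { Time.now })
    @max_attempts = max_attempts
    @base_delay = base_delay
    @max_delay = max_delay
    @clock = clock
    @attempts = Hash.new { |h, k| h[k] = [] }
    @alarms = []   # a real deployment would mail these to the configured addresses
  end

  # Failures since the last success or administrative unlock.
  def consecutive_failures(login)
    @attempts[login].reverse.take_while { |a| a.success == false }.size
  end

  # Exponential delay: base * 2^(n-1) seconds after n consecutive failures.
  def delay_for(login)
    n = consecutive_failures(login)
    n.zero? ? 0 : [@base_delay * 2**(n - 1), @max_delay].min
  end

  def locked?(login)
    @max_attempts > 0 && consecutive_failures(login) >= @max_attempts
  end

  # Administrative unlock: appends a marker so the audit record stays intact.
  def unlock(login)
    @attempts[login] << Attempt.new(@clock.call, :unlocked, 'admin')
  end

  # credential_valid is the outcome of the caller's password check; the guard
  # never sees the password. Throttled requests are refused before any check.
  def attempt(login, credential_valid, ip: '203.0.113.7')
    now = @clock.call
    return { status: :locked } if locked?(login)
    record = @attempts[login]
    last = record.last
    if last && last.success == false && (now - last.at) < delay_for(login)
      return { status: :throttled, retry_after: delay_for(login) - (now - last.at) }
    end
    unless credential_valid
      record << Attempt.new(now, false, ip)
      @alarms << { login: login, at: now, ip: ip } if locked?(login)
      return { status: :failed }
    end
    # Summary for the user: previous successful logon and failures since then.
    previous = record.reverse.find { |a| a.success == true }
    failures_since = record.reverse.take_while { |a| a.success != true }
                           .select { |a| a.success == false }.reverse
    record << Attempt.new(now, true, ip)
    { status: :ok, previous_login: previous&.at, failures_since: failures_since }
  end
end
```

Throttled requests are refused before the credential is checked and are not counted as failures, so the delay cannot be used to drive an account into lockout faster; the unlock marker is appended rather than deleting history, so the successful-login summary can still list every failure that preceded it.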
--------------------------------------------------------------------------------
Related issues
* Relates to #3096 (New): Lock accounts after X failed attempts
* Relates to #19458 (Closed): Add the ability to expire passwords after a configurable number of days
* Relates to #4221 (Closed): Force passwords to contain specified character classes
* Duplicates #12182 (Closed): improvement password security for internal authentication