Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Disable cracklib check password #4991

Merged
merged 1 commit into from
Mar 11, 2025
Merged

Disable cracklib check password #4991

merged 1 commit into from
Mar 11, 2025
+0 −5

Conversation

fmarco76
Copy link
Member

Cracklib based password check is temporarly disabled while the selinux policy is updated to allow its usage.

@fmarco76
Disable cracklib check password
81466fe 
Cracklib based password check is temporarly disabled while the selinux
policy is updated to allow its usage.
@fmarco76 fmarco76 requested review from edewata and ladycfu March 11, 2025 10:03
@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

edewata
edewata reviewed Mar 11, 2025
View reviewed changes
Copy link
Contributor

@edewata edewata left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'll defer to @ladycfu but to my understanding we're only removing it from the default profiles and the code still supports the cracklibCheck param, so we probably should keep the docs since it's an optional param.

I just noticed this, should it be checking CONFIG_PASSWORD_CRACKLIB_CHECK instead?
https://github.com/dogtagpki/pki/blob/master/base/ca/src/main/java/com/netscape/cms/profile/constraint/P12ExportPasswordConstraint.java#L165-L167

And it probably needs to be added here too:
https://github.com/dogtagpki/pki/blob/master/base/ca/src/main/java/com/netscape/cms/profile/constraint/P12ExportPasswordConstraint.java#L79-L85

@fmarco76
Copy link
Member Author

And it probably needs to be added here too:
https://github.com/dogtagpki/pki/blob/master/base/ca/src/main/java/com/netscape/cms/profile/constraint/P12ExportPasswordConstraint.java#L79-L85

This check if numerical options are parsed correctly. Boolean parse all the string and match to true or false without generating error so there is no need to add in this method.

@fmarco76
Copy link
Member Author

so we probably should keep the docs since it's an optional param.

Doc is not working if selinux is enabled.

@edewata
Copy link
Contributor

edewata commented Mar 11, 2025

Do we want to allow people to use cracklib with selinux disabled?

ladycfu
ladycfu approved these changes Mar 11, 2025
View reviewed changes
Copy link
Contributor

@ladycfu ladycfu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@fmarco76
Copy link
Member Author

Do we want to allow people to use cracklib with selinux disabled?
They can start testing with the available options and this will come later.

@fmarco76
Copy link
Member Author

@edewata @ladycfu Thanks!

@fmarco76 fmarco76 merged commit 77c1886 into dogtagpki:v11.6 Mar 11, 2025
170 of 171 checks passed
@fmarco76 fmarco76 deleted the skipCracklib branch March 11, 2025 18:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@edewata edewata edewata left review comments

@ladycfu ladycfu ladycfu approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@fmarco76 @edewata @ladycfu