See: http://gitweb.mageia.org/software/userdrake/tree/userdrake#n452 http://gitweb.mageia.org/software/userdrake/tree/userdrake#n892 userdrake wants to parse /etc/sysconfig/msec to validate the length of the password: if ($sec{SECURE_LEVEL} > 3 && length($u{pw}) < 6) { RaiseError(N("This password is too simple. \n Good passwords should be > 6 characters")); But this file does not exist, neither in Mageia 5 nor in Mageia 6, despite I have the msec RPM installed. I don't know if this file is obsolete or if it's generated when an admin edits some configuration panel. If it's obsolete, then the code should be either fixed to point to the new msec file, or be removed entirely. Thierry, do you know something about this missing msec file?
It looks like if ($sec{SECURE_LEVEL} > 3 && length($u{pw}) < 6) { RaiseError(N("This password is too simple. \n Good passwords should be > 6 characters")); isn't used. When adding a new user, the shield on the right of the password field turns from red to orange to green while the typed password gets stronger. It used to work like that since Mageia was born, and still does. There's _no_ message about how long the password should be, nor about the type of characters it should contain, when you try to click OK when the password shield is still red or orange. However, whatever the used algorithm is, I'm pretty sure it used to yield a green shield with passwords like o%c4TlmW That's no longer long good enough. It does accept, o%c4T&, though :-/ correcthorsebatterystaple is considered a weak password (which it is, since figuring in the xkcb comic), but elephantinagreenbucketwithtreesandbuttons is considered very weak, too, and a very long password with random words taken from different languages is also considered weak.
CC: (none) => marja11
I already regret having commented. I don't know Perl, and of course a piece of code doesn't work if it needs a missing file :-/ In spite of knowing nothing, I'm curious how userdrake and installer's setRootPassword_addUser step determine a password is good enough to get a green shield. /me hides
According to manauser i seem i had checked another file: http://gitweb.mageia.org/software/manatools/tree/lib/ManaTools/Shared/Users.pm#n1557 The change should be trivial... if keys are the same :) Anyway to check strong passsword i demanded to Data::Password::Meter also http://gitweb.mageia.org/software/manatools/tree/lib/ManaTools/Shared/Users.pm#n1541
CC: (none) => anaselli
as if ($sec{SECURE_LEVEL} > 3 && length($u{pw}) < 6) { RaiseError(N("This password is too simple. \n Good passwords should be > 6 characters")); } is used more than once, couldn't this be added in a function that check the password quality ?
CC: (none) => mageia
Assignee: bugsquad => mageiatools
Nicolas, i need to check how i implemented it in manauser... i don't remember :( IMO you should change the file name atm and see if this bug can be considered as closed after....
commit 31585b2a413e0d4e385bcc1209609f708377ad06 Author: Angelo Naselli <anaselli@...> Date: Fri Mar 10 22:18:53 2017 +0100 Use the right file to check security level and password lenght (mga#20436) --- Commit Link: http://gitweb.mageia.org/software/userdrake/commit/?id=31585b2a413e0d4e385bcc1209609f708377ad06
Sorry, Angelo... I know you've been put under pressure to contribute to DrakX yesterday (and probably earlier, too), but I do not agree with your change. Despite the missing file, the security level check worked, so the active code to do that came from somewhere else. Remember that only drakx/perl-install/install/ is for instaler only, but drakx/perl-install is for drakxtools. https://wiki.mageia.org/en/Our_drakx The security level check _might_ come from here: http://gitweb.mageia.org/software/drakx/tree/perl-install/authentication.pm#n953 sub compute_password_weakness { my ($password) = @_; my $score = 0; my $len = length($password); return 0 if $len == 0; $score = $len < 5 ? 3 : $len > 4 && $len < 8 ? 6 : $len > 7 && $len < 16 ? 12 : 18; $score += 1 if $password =~ /[a-z]/; $score += 5 if $password =~ /[A-Z]/; $score += 5 if $password =~ /\d+/; $score += 5 if $password =~ /(.*[0-9].*[0-9].*[0-9])/; $score += 5 if $password =~ /.[!@#$%^&*?_~,]/; $score += 5 if $password =~ /(.*[!@#$%^&*?_~,].*[!@#$%^&*?_~,])/; $score += 2 if $password =~ /([a-z].*[A-Z])|([A-Z].*[a-z])/; $score += 2 if $password =~ /([a-zA-Z])/ && $password =~ /([0-9])/; $score += 2 if $password =~ /([a-z].*[A-Z])|([A-Z].*[a-z])/; $score += 2 if $password =~ /([a-zA-Z0-9].*[!@#$%^&*?_~])|([!@#$%^&*?_~,].*[a-zA-Z0-9])/; my $level = $score < 11 ? 1 : $score > 10 && $score < 20 ? 2 : $score > 19 && $score < 30 ? 3 : $score > 29 && $score < 40 ? 4 : 5; return $level; } The red/orange/green shield icon changing its colour _might_ come from http://gitweb.mageia.org/software/drakx/tree/perl-install/mygtk3.pm#n1631 sub _get_weakness_icon { my ($password_weakness) = @_; my %weakness_icon = ( 1 => gtknew('Pixbuf', file => 'security-low'), 2 => gtknew('Pixbuf', file => 'security-low'), 3 => gtknew('Pixbuf', file => 'security-medium'), 4 => gtknew('Pixbuf', file => 'security-strong'), 5 => gtknew('Pixbuf', file => 'security-strong')); my $weakness_icon = $weakness_icon{$password_weakness} || return undef; $weakness_icon; }
@Marja that code is used only if security level is high and not normal, and as far as i can say it does not involve the shield for password strength, that's why i haven't ported my changes in which I used Data::Password::Meter (e.g. weakPasswordForSecurityLevel only). and to be sure of what i said, have you ever seen the the dialog saying "This password is too simple. Good passwords should be > 6 characters"?
i think that for mga6 this commit is enough. we will have to look deeper for mga7 :) thank you angelo.
Status: NEW => RESOLVEDResolution: (none) => FIXED
also because I'm not sure 6 chars has to be considered as a secure choice :D
Although, i strongly ask you to check for mga6 the levels, because i cannot remember where i found those values...
(In reply to Angelo Naselli from comment #8) > @Marja that code is used only if security level is high and not normal, Thanks for pointing that out, Angelo > and > as far as i can say it does not involve the shield for password strength, > that's why i haven't ported my changes in which I used Data::Password::Meter > (e.g. weakPasswordForSecurityLevel only). > > and to be sure of what i said, have you ever seen the the dialog saying > "This password is too simple. Good passwords should be > 6 characters"? No, I don't remember ever having seen that dialog. (In reply to Angelo Naselli from comment #10) > also because I'm not sure 6 chars has to be considered as a secure choice :D Fully agree on that, not even for a standard workstation security level.
I'm fine with the patch submitted by Angelo. userdrake was pointing to an apparently obsolete file. He replaced this reference to a file whose purpose is to give you the current security level. Nothing wrong with this change. Thanks Angelo! :)