Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

sugesting samba filter as well. #443

Open
PGTBoos opened this issue Nov 17, 2020 · 2 comments
Open

sugesting samba filter as well. #443

PGTBoos opened this issue Nov 17, 2020 · 2 comments
Milestone

Comments

@PGTBoos
Copy link
Contributor

PGTBoos commented Nov 17, 2020

Based upon https://www.mylinuxplace.com/tag/password-compexity/ I edited the example.
Its perl filter for samba password renewal. (not for windows domains).
So it can use the same self-service-password rules, upper lower number special and forbidden chars.
Fuzzy matching not included (as I wasnt running latest vesion of ssp).
Maybe it's something to add to this site /repo.
So the rules work on both sides and can be the same, direct client password change and website password change.

#!/usr/bin/perl -w
# This Script will check password complexity
$min_length=11;
$min_upercase=1;
$min_lowercase=1;
$min_digits=1;
$min_specialchar=1;

#minimal character categories of which a password should exist  as a-z , A-Z ,0-9, special chars 
$min_charactercategories=3;

$specialchars='!,@,#,$,%,^,&,*,(,),-,_,+,=';
$forbiddenchars = '*,(,),&,|,%';

# get the password from standard input ( possible to pipe )
$str_pass=<STDIN> ;
# now lets start check and update the counters is we find something
# but first lets set all counters to zero
$ctr_length=-1;
$ctr_upercase=0;
$ctr_lowercase=0;
$ctr_digits=0;
$ctr_specialcar=0;
$ctr_forbidden=0;


$cat_lower  = 0;
$cat_upper  = 0;
$cat_number = 0;
$cat_special =0;

# conver the string to array
@array_pass = split('',$str_pass);
# convert specias carachter into array
@arrayspecialchars = split(',',$specialchars);

@arrayforbiddenchars = split(','$forbiddenchars);

foreach $pass_char (@array_pass)
{
	$ctr_length++;
	# check upercase
	if($pass_char =~ /[A-Z]/)
	{
		$ctr_upercase++;
		$cat_upper=1;
	}
	# check lowercase
	elsif($pass_char =~ /[a-z]/)
	{
		$ctr_lowercase++;
		$cat_lower=1;
	}
	# check digits
	elsif($pass_char =~ /[0-9]/)
	{
		$ctr_digits++;
		$cat_number=1;
	}
	else
	{
	# check special characters
	foreach $schar (@arrayspecialchars)
	{
		if($pass_char =~ /Q$schar/)
		{
			$ctr_specialcar++;
			$cat_special=1;
		}
	}
	foreach $schar (@arrayforbiddenchars)
	{
		if($pass_char =~ /Q$schar/)
		{
			$ctr_forbidden++;
		}
	}
	}
}
# check if we reached minimal length




if($ctr_length<$min_length)
{
	print "too short , minimum $min_length and got $ctr_length n";
	exit 1 ;
}
# check if we reached minimal UPER case
if($ctr_upercase<$min_upercase)
{
	print "not enough upercase , minimum $min_upercase and got $ctr_upercase n";
	exit 2;
}
# check if we reached minimal lower case
if($ctr_lowercase<$min_lowercase)
{
	print "not enough lowercase , minimum $min_lowercase and got $ctr_lowercase n";
	exit 3;
}
# check if we reached minimal digits
if($ctr_digits<$min_digits)
{
	print "not enough digits , minimum $min_digits and got $ctr_digits n";
	exit 3;
}
# check if we reached minimal special characters
if($ctr_specialcar<$min_specialchar)
{
	print "not enough special characters , minimum $min_specialchar and got $ctr_specialcar n";
	exit 4;
}


# Added by peterboos to have the same password pollicy on on Samba as on the SSP websites.
# SSP has some protection against symbols that could be used in php injection attacks.
# which might not be the best.. (all scripts on any  site should be safe against that).
if($ctr_forbidden>0)
{
	print "its not allowed to use these letters $forbiddenchars in the password";
	exit 5 ;
}

# Added by Peter Boos to be the same as SSP site.
if ( ($cat_lower+$cat_upper+$cat_number+$cat_special)<$min_charactercategories)
{
	print "Password is not  complex enough, there are lower / upper case number and special characters available to you";
	exit 6;
}

# if you got up to here , meaning you passed it all with success
# we can now return a non error exit
exit 0;
@coudot coudot added this to the 1.4 milestone Nov 17, 2020
@coudot
Copy link
Member

coudot commented Nov 17, 2020

Thanks, I'll see how to include it

@coudot
Copy link
Member

coudot commented Mar 29, 2021

I wonder if the best solution would not be to call the new web service /rest/v1/checkpassword.php

@coudot coudot modified the milestones: 1.4, 2.0 Mar 29, 2021
@coudot coudot modified the milestones: 2.0, 1.6.0 May 12, 2023
@coudot coudot removed this from the 1.6.0 milestone Aug 18, 2023
@coudot coudot added this to the Backlog milestone Jul 8, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants