[asterisk-bugs] [Asterisk 0014495]: [patch] Enforce password strengths

Asterisk Bug Tracker noreply at bugs.digium.com
Thu Feb 19 08:47:51 CST 2009


A NOTE has been added to this issue. 
====================================================================== 
http://bugs.digium.com/view.php?id=14495 
====================================================================== 
Reported By:                Corydon76
Assigned To:                jsmith
====================================================================== 
Project:                    Asterisk
Issue ID:                   14495
Category:                   Channels/chan_sip/General
Reproducibility:            N/A
Severity:                   feature
Priority:                   normal
Status:                     assigned
Asterisk Version:           SVN 
Regression:                 No 
SVN Branch (only for SVN checkouts, not tarball releases):  trunk 
SVN Revision (number only!):  
Request Review:              
====================================================================== 
Date Submitted:             2009-02-17 16:54 CST
Last Modified:              2009-02-19 08:47 CST
====================================================================== 
Summary:                    [patch] Enforce password strengths
Description: 
[11:23:31] <Shaun2222> jsmith: the problem is that these newbies are going
to also set weak passwords
[11:24:15] <Shaun2222> that option these days should be "yes" by default.
[11:24:35] <jsmith> Shaun2222: We can't protect people from themselves...
at some point, they should be responsible for their own choices.
[11:24:36] <Shaun2222> security is far more important than some newbie
trying to figure out what he did wrong.
[11:25:09] <jsmith> Shaun2222: That's not to say security isn't
important... I'm just saying there's only so much we can do to prevent them
from being insecure in their choices.
[11:25:39] <Corydon76-dig> You mean like ALL NUMERIC PASSWORDS?
[11:26:17] <Corydon76-dig> All numeric usernames aren't much better.
[11:26:29] <Shaun2222> jsmith: something like that needs to be on by
default.   if a newbie can't figure out what's wrong with their SIP phone
then he can enable that option.
[11:27:04]  Corydon76-dig thinks we should have an option called
"enablenumericpasswords" and the default should be "no"
[11:27:20] <Shaun2222> so.. how can we get this option enabled by
default.. do i need to submit a bug or something?
[11:27:42] <Corydon76-dig> Shaun2222: honestly, it would only be changed
in unreleased branches
[11:28:02] <Corydon76-dig> Changing defaults in the middle of a release
cycle is bad, mmmkay?
[11:28:18] <Corydon76-dig> so maybe 1.6.1
[11:28:20] <Shaun2222> Corydon76-dig: might as well make the change now
for the new installs....
[11:28:39] <Shaun2222> next release would have the change, as people
upgrade, it will be enabled.
[11:28:50] <Shaun2222> if they are already authing ok, it shouldn't affect
them
[11:29:09] <jsmith> Shaun2222: When people upgrade, they often don't start
from a new config file... they typically just copy over their old config
[11:29:34] <Shaun2222> jsmith: exactly why that should default to "yes" so
the option is enabled automatically.
[11:29:39] <jsmith> Corydon76-dig: I do like the idea of the
enablenumericpasswords setting.
[11:30:10] <jsmith> Corydon76-dig: Or even better, make it
"enableweakpasswords" and do some more sanity checking than just "is it
numeric and less than X digits long"
[11:31:05] <Corydon76-dig> jsmith: at least one capital letter, one
lowercase letter, a number, and a symbol... and no less than 8 characters
long
[11:31:22] <jsmith> WORKSFORME
====================================================================== 

---------------------------------------------------------------------- 
 (0100361) aragon (reporter) - 2009-02-19 08:47
 http://bugs.digium.com/view.php?id=14495#c100361 
---------------------------------------------------------------------- 
Just my two cents here but I don't think you can enforce
minimumsecretstrength=yes by default if there is some chance that the
phones won't play nice with the password requirements. Also you need to make
allowances for the password policy so that those nasty phones can still
connect to Asterisk.
I could predict that an upgrade or an attempt to enable password policy
will take a lot of phones out of service. Everything needs to be optional
to avoid the pending screams. And of course all the phones will probably
need a reboot once the password policy is enforced and this needs to be
scheduled during a maintenance window. 
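The strength rules sketched in the IRC log above (no fewer than 8 characters, at least one upper-case letter, one lower-case letter, one digit and one symbol, plus a rejection of all-numeric secrets) together with the opt-out aragon asks for, written out as an added illustration in C. This is not the patch attached to the issue and not Asterisk's chan_sip code: the function names, the `enum secret_verdict`, the `MIN_SECRET_LEN` constant, the sample peers and the `enforce` flag standing in for a config option such as `minimumsecretstrength` are all assumptions made here.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the secret-strength policy discussed on the issue.
 * Not Asterisk's own code: every name below and the enforce flag are
 * assumptions; only the rules come from the discussion. */

#define MIN_SECRET_LEN 8   /* "no less than 8 characters long" */

enum secret_verdict {
    SECRET_OK = 0,
    SECRET_ALL_NUMERIC,    /* digits only, the case called out in the log */
    SECRET_TOO_SHORT,
    SECRET_MISSING_CLASS   /* lacks an upper, lower, digit or symbol */
};

/* Check one SIP secret against the policy and say why it fails. */
enum secret_verdict classify_secret(const char *secret)
{
    int upper = 0, lower = 0, digit = 0, symbol = 0;
    const char *p;

    for (p = secret; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (isupper(c))      upper = 1;
        else if (islower(c)) lower = 1;
        else if (isdigit(c)) digit = 1;
        else if (isgraph(c)) symbol = 1;   /* printable, not alphanumeric */
        /* spaces and control characters count towards no class */
    }

    if (digit && !upper && !lower && !symbol)
        return SECRET_ALL_NUMERIC;
    if (strlen(secret) < MIN_SECRET_LEN)
        return SECRET_TOO_SHORT;
    if (!(upper && lower && digit && symbol))
        return SECRET_MISSING_CLASS;
    return SECRET_OK;
}

static const char *verdict_text(enum secret_verdict v)
{
    switch (v) {
    case SECRET_OK:            return "ok";
    case SECRET_ALL_NUMERIC:   return "all numeric";
    case SECRET_TOO_SHORT:     return "shorter than 8 characters";
    case SECRET_MISSING_CLASS: return "missing an upper/lower/digit/symbol";
    }
    return "unknown";
}

/* Decide whether a peer with this secret is loaded. With enforce set
 * (the strict default argued for in the log) a weak secret rejects the
 * peer; with enforce clear (the opt-out aragon asks for, so phones that
 * cannot take a complex secret keep registering) the peer is loaded but
 * a warning is logged so the administrator still sees it.
 * Returns 1 if the peer is loaded, 0 if it is rejected. */
int accept_peer_secret(const char *peer, const char *secret, int enforce)
{
    enum secret_verdict v = classify_secret(secret);

    if (v == SECRET_OK)
        return 1;
    if (enforce) {
        fprintf(stderr, "ERROR: peer '%s': secret rejected (%s)\n",
                peer, verdict_text(v));
        return 0;
    }
    fprintf(stderr, "WARNING: peer '%s': weak secret (%s), loaded anyway\n",
            peer, verdict_text(v));
    return 1;
}

int main(void)
{
    /* Constructed sample peers, not taken from any real configuration. */
    static const struct { const char *peer, *secret; } peers[] = {
        { "1001", "1001" },          /* numeric user with numeric secret */
        { "2002", "Ab1!" },          /* every class present but too short */
        { "2003", "lowercase1!" },   /* no upper-case letter */
        { "2004", "Tr0ub4dor&3" },   /* passes */
    };
    size_t i;

    for (i = 0; i < sizeof(peers) / sizeof(peers[0]); i++)
        printf("%s: %s\n", peers[i].peer,
               accept_peer_secret(peers[i].peer, peers[i].secret, 1)
                   ? "loaded" : "rejected");
    return 0;
}
```

The check runs once at config load rather than on every REGISTER, which is where the reboot aragon mentions comes in: a peer whose secret is rejected under the strict setting simply never loads, so the phone fails to register until the secret is changed and the phone reprovisioned.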

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2009-02-19 08:47 aragon         Note Added: 0100361                          
======================================================================