[asterisk-bugs] [Asterisk 0014495]: [patch] Enforce password strengths

Asterisk Bug Tracker noreply at bugs.digium.com
Thu Feb 19 09:27:28 CST 2009 

A NOTE has been added to this issue. 
====================================================================== 
http://bugs.digium.com/view.php?id=14495 
====================================================================== 
Reported By:                Corydon76
Assigned To:                jsmith
====================================================================== 
Project:                    Asterisk
Issue ID:                   14495
Category:                   Channels/chan_sip/General
Reproducibility:            N/A
Severity:                   feature
Priority:                   normal
Status:                     assigned
Asterisk Version:           SVN 
Regression:                 No 
SVN Branch (only for SVN checkouts, not tarball releases):  trunk 
SVN Revision (number only!):  
Request Review:              
====================================================================== 
Date Submitted:             2009-02-17 16:54 CST
Last Modified:              2009-02-19 09:27 CST
====================================================================== 
Summary:                    [patch] Enforce password strengths
Description: 
[11:23:31] <Shaun2222> jsmith: the problem is that these newbies are going
to also set weak passwords
[11:24:15] <Shaun2222> that option these days should be "yes" by default.
[11:24:35] <jsmith> Shaun2222: We can't protect people from themselves...
at some point, they should be responsible for their own choices.
[11:24:36] <Shaun2222> security is far more important than some newbie
trying to figure out what he did wrong.
[11:25:09] <jsmith> Shaun2222: That's not to say security isn't
important... I'm just saying there's only so much we can do to prevent them
from being insecure in their choices.
[11:25:39] <Corydon76-dig> You mean like ALL NUMERIC PASSWORDS?
[11:26:17] <Corydon76-dig> All numeric usernames aren't much better.
[11:26:29] <Shaun2222> jsmith: somthing like that needs to be on by
default.   if a newbie cant figure out whats wrong with there sip phone
then he can enable that option.
[11:27:04]  Corydon76-dig thinks we should have an option called
"enablenumericpasswords" and the default should be "no"
[11:27:20] <Shaun2222> so.. how can we get this option enabled by
default.. do i need to submit a bug or somthing?
[11:27:42] <Corydon76-dig> Shaun2222: honestly, it would only be changed
in unreleased branches
[11:28:02] <Corydon76-dig> Changing defaults in the middle of a release
cycle is bad, mmmkay?
[11:28:18] <Corydon76-dig> so maybe 1.6.1
[11:28:20] <Shaun2222> Corydon76-dig: might as well make the change now
for the new installs....
[11:28:39] <Shaun2222> next release would have the change, as people
upgrade, it will be enabled.
[11:28:50] <Shaun2222> if they are already authing ok, it shouldnt affect
them
[11:29:09] <jsmith> Shaun2222: When people upgrade, they often don't start
from a new config file... they typically just copy over their old config
[11:29:34] <Shaun2222> jsmith: exactly why that should default to "yes" so
the option is enabled automatically.
[11:29:39] <jsmith> Corydon76-dig: I do like the idea of the
enablenumericpasswords setting.
[11:30:10] <jsmith> Corydon76-dig: Or even better, make it
"enableweakpasswords" and do some more sanity checking than just "is it
numeric and less than X digits long"
[11:31:05] <Corydon76-dig> jsmith: at least one capital letter, one
lowercase letter, a number, and a symbol... and no less than 8 characters
long
[11:31:22] <jsmith> WORKSFORME
====================================================================== 

---------------------------------------------------------------------- 
 (0100371) oej (manager) - 2009-02-19 09:27
 http://bugs.digium.com/view.php?id=14495#c100371 
---------------------------------------------------------------------- 
If we have a strong policy, we should not load them from our database or
from the config file and thus we won't ever authenticate them. Doing it per
call is not a working solution, I think. It's when we build an object in
memory we can enable or disable it. 

When we get a call, it's too late.

The other issue is the realm-based auth that will need to be checked as
well.

We should propably add a manager message (optional) for this too, so that
a manager of a large system has a chance of doing something about it. And
of course, a ERROR-level log message. 

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2009-02-19 09:27 oej            Note Added: 0100371                          
======================================================================

More information about the asterisk-bugs mailing list