Closed cnotv closed 1 year ago
@cnotv Double check with the backend team that this is possible at run time, I have a feeling it can only be set when installing.
@richard-cox Waiting for any answer in the private channels.
Added extra infos.
@cnotv Can this be changed after install? If so, what happens when you set the min length to say 20 and users have passwords that are shorter than 20 characters?
@nwmac seems like it's possible to change it after the install, based to what has been told me, not tested though.
Not sure how is the functionality for existing users, but I imagine that would be a parameter for a new request.
@cnotv Do you want to go ahead and add support for configuring this setting - code is in shell/list/management.cattle.io.setting.vue
- I think you just need to add the setting to ALLOWED_SETTINGS
and make sure there is a localised string for the setting.
Resource value as default:
{
"id": "password-min-length",
"type": "management.cattle.io.setting",
"links": {
"remove": "blocked",
"self": "/v1/management.cattle.io.settings/password-min-length",
"update": "/v1/management.cattle.io.settings/password-min-length",
"view": "/apis/management.cattle.io/v3/settings/password-min-length"
},
"apiVersion": "management.cattle.io/v3",
"customized": false,
"default": "12",
"kind": "Setting",
"metadata": {
"creationTimestamp": "2022-08-04T12:10:19Z",
"fields": [
"password-min-length",
""
],
"generation": 1,
"managedFields": [
{
"apiVersion": "management.cattle.io/v3",
"fieldsType": "FieldsV1",
"fieldsV1": {
"f:customized": {},
"f:default": {},
"f:source": {},
"f:value": {}
},
"manager": "rancher",
"operation": "Update",
"time": "2022-08-04T12:10:19Z"
}
],
"name": "password-min-length",
"relationships": null,
"resourceVersion": "511",
"state": {
"error": false,
"message": "Resource is current",
"name": "active",
"transitioning": false
},
"uid": "7f570f7d-4102-4d84-a0e7-6cf24fc44c1d"
},
"source": "",
"value": "12"
},
@nwmac If a password is e.g. length 3 and we increase/restore the value to 12, no message error is provided.
Re-opening due to the following concerns:
password-min-length
to be set to ZERO or to negative values; password-min-length
set. Suggestion:
password-min-length
from being set to anything >1Failed:
Set pass-min-length to 0; then change password to blank field
- ❌ Set pass-min-length to negative value
- ✅ - ❗ PASS NOT EXPECTED ❗ Ticket #6633 - Test Results
With Docker on a single-node instance:
Reproduced on rancher v2.6.8
:
v2.6.8
Users & Authentication
Password must be at least 12 characters
Screenshot:
Step 4
Verified on rancher v2.6-400e559407d14ad925caf2f56f5edd8645dbdaba-head
:
Scenario 1 - Set pass-min-length to 0; then change password to blank field
- ❌
v2.6-head
Global Settings > password-min-length
0
Users & Authentication
, and set password to blank fieldGlobal Settings
allow password-min-length
to be set to 0
Scenario 2 - Set pass-min-length to 0; then change password to 1 character
- ✅
v2.6-head
Global Settings > password-min-length
0
Users & Authentication
, and set password to a single characterScenario 3 - Set pass-min-length to 4; then try to change password to 3 characters; expected fail
- ✅
v2.6-head
Global Settings > password-min-length
4
Users & Authentication
, and set password to three charactersScreenshot:
Step 6
Scenario 4 - Set pass-min-length to 1,000,000; set password to 1,000,000 characters
- ✅
v2.6-head
Global Settings > password-min-length
1,000,000
Users & Authentication
, and set password to ONE MILLION charactersScenario 5 - Set pass-min-length to negative value
- ✅ - ❗ PASS NOT EXPECTED ❗
v2.6-head
Global Settings > password-min-length
-2
- [type input manually]pass-min-length
to -2
Screenshot:
Step 4
We will have to introduce something like validation to the settings, not sure if it exists yet. Moving back the estimation to 2.
Created related issue out of this topic, as extension to this adjustment.
@Josh-Diamond for consistency, is this option validated while installing Rancher as well is we pass something like CATTLE_BOOTSTRAP_PASSWORD=-2
?
@cnotv Yes, you may set the password minimum length to a negative value upon initial installation:
docker run -d -p 80:80 -p 443:443 --privileged -e CATTLE_PASSWORD_MIN_LENGTH=-2 rancher/rancher:v2.6-head
When doing so, from the UI, you'll notice a banner, Set by Environment Variable
:
@cnotv Is there a max value for min_password_length that should be enforced?
With my validation tests, I was able to set min_password_length
to 1,000,000
.
Although, not an issue, i'm curious if this is ideal/desired.
I can't wrap my head around why someone would use triple digits even for min_password_length
I think we should set a range but I have no parameters to define a maximum. I guess 32 characters may be enough?
@cnotv it looks like OWASP has some recommendations on password length. This might be a good place to start for considering any limits we might want to set.
Maximum password length should not be set too low, as it will prevent users from creating passphrases. A common maximum length is 64 characters due to limitations in certain hashing algorithms, as discussed in the Password Storage Cheat Sheet. It is important to set a maximum password length to prevent long password Denial of Service attacks.
Further reaching out to the team for insights.
From a security perspective, i'm leaning towards no max limit being imposed.
From a performance perspective, I'm leaning towards imposing a max limit.
e.g 1GB of data seems like it could consume too much memory
IMO 256 max characters is a fair, secure and practical, but would not like to make this call
Seems to be a case of: How to best save the customer from themselves, if at all
If we are talking about DDOS attacks at this point the issue should be entirely server side, as from the client this is irrelevant. It is still convenient to have a validation though.
Offline conversation with @macedogm has suggested:
Yes, it's a good practice to limit the max password length....limiting in 256 is okay
@cnotv Do you have any concerns w/ a 256 character limit? If not, could we try to get that implemented?
It sounds good to me, thanks for taking care of it.
It sounds good to me, thanks for taking care of it.
@cnotv Sure thing, i will create an issue/enhancement in rancher/rancher to set a max limit of 256 characters for min-password-length
@cnotv Could you confirm no further changes are needed from UI end to accommodate the following enhancements:
With Docker on a single-node instance:
Verified on rancher v2.7-c0f6cdb9a7494cb6eae2e3b341174bd079f13073-head
:
v2.7-head
Global Settings > password-min-length
2.5
; global settings accept change but it is not respected; validation during new user creation prompts 12 character min requirement;Comments: Although, global settings allow the use of decimals within the range of 2-256, this isn't accepted as being valid when creating a new user. We should prevent this usecase from occurring, with further validation, if possible.
Screenshots:
Global Settings > password-min-length
Create New User w/ 2 character password
Create New User w/ 3 character password
@Josh-Diamond ~looks like Integer validation using decimals is allowed in every input field we have. What would you recommend in this case? I would rather tackle this all at once instead of this very aimed case.~ EDIT: We allow decimals exclusively for this form, which is handled in a single input. We can set a default validation for this case, which does not allow decimals.
In the current state seems like something has been changed, as I am not able to edit the value anymore.
set a default validation for this case, which does not allow decimals
- this sounds great!
In the current state seems like something has been changed, as I am not able to edit the value anymore
- 😮
It seems to be solved the issue with the editing capabilities 🤷
It seems like this option is now flagged as Set by Environment Variable
and does not allow us to edit it, unless we enable it. This change seems coming from the server while in the process of QA. I am allowing now to change them in order to make it possible.
Ticket #6633 - Test Results [Cont.] - RE-OPENED (again) - ❌
With Docker on a single-node instance:
Verifying on Rancher v2.7-9278cf152f9b98ae3c543c0f956af2ae6ab91368-head
:
v2.7-head
Global Settings > password-min-length
, and Edit Setting
11.0
is accepted as a valid configuration via Global Settings > password-min-length > Edit Setting
, but it isn't respected when creating a new user. Validation defaults back to pass-min-length of 12
.Screenshots:
Passed
Passed
Passed
Questionable
Questionable
Failed
@Josh-Diamond , as we do not have a clear requirement for the purpose, if you may have any other idea in mind, please share ahead earlier so we can add it directly as case. Thanks for finding out the exceptions so far 😅
Contemplated cases so far have been also:
e
(it's natively allowed by the input field)As mentioned in the chat, the possibility to have this value for new users passwords should be validated by the server and would then require an issue for rancher/rancher
.
@Josh-Diamond waiting for some updates from the rancher/rancher
repo to find out why the setting is not honored.
@cnotv Are you waiting for some information or input from me? I'm slightly confused as to how this would be related to backend. If setting global setting > password-min-length
to 11
, this is accepted and valid, however setting this value to 11.0
through dashboard is accepted but invalid and is not truly honored.
I believe the change I'm requesting would be from dashboard side to remove or prevent the use of .
in this input field.
Am I off base here? Should this prevention be implemented server-side? Is that what you are suggesting? And to let the dashboard just display the validation error coming from the server?
The decimal with .0
has been fixed with a newer PR. Sorry for the back and forth, as we did not think about all the possible cases in a first implementation.
The value is still not honored. If you try to set requirement min password to 20, then you update a password with length 3, it will accept. Previously this worked.
I've been asking to the BE information about this but the only answer I received is that it works on CLI.
If there's no other issue UI wise, I would rather close this and create a BE issue on rancher/rancher
, what do you think?
With Docker on a single-node instance:
Verified on rancher v2.7-3c1e7dbaafe9c38629898273974b97ec6e8fd4da-head
:
v2.7-head
global settings > password-min-length
, and set to 11.0
.
; as expectede
; all failed to be accepted as valid; as expected
Detailed Description Allow to change the setting for user password length requirement from default of 12.
Context The password length can be defined exclusively with env var
CATTLE_PASSWORD_MIN_LENGTH
in setup time and not from the UI as other settings.As this is a Kube resource, it can be updated using a POST request to settings.
management.cattle.io.setting
management.cattle.io/v3
key:
password-min-length
Original merged issue: see slack
Settings:
/v3/settings/password-min-length