Jamie,
I'd like to suggest 2 features, both of which I think require minor effort but would be useful to your userbase.
First, can you add a "button" to generate a new user password? The system will generate one during setup but I would like to be able to generate a new password on demand.
Second, we have some users who think passwords are mostly an inconvenience. So we quite often see passwords like "1234", "123456", and my personal favorite for those extremely security conscious, "bob1". You get the point... Of course every time one of these accounts gets cracked we have to deal with blacklists etc. to clear it up.
Can we have a "password check" feature that could, for example, at least check to make sure the password contains X CAPITAL letters, X numbers.
Ideally this is a process that could run daily (or whatever interval) and send an email to offenders letting them know they need to change their password or the account will be suspended (message should be configurable). The Cadillac version would automatically followup at a pre-determined interval (say you give them 2 days to do the update), then if not changed by the user it would automatically change the password to something more secure.
I hope that makes sense!
Thanks!
-- Craig
Comments
Submitted by andreychek on Sat, 08/31/2013 - 10:15 Comment #1
Howdy -- regarding your second question, take a peek at Webmin -> System -> Users and Groups -> Module Config -> Password Restrictions. Will that do what you're after?
Submitted by isdahlc on Sat, 08/31/2013 - 10:22 Pro Licensee Comment #2
andreychek,
Hmm, didn't even know that existed!! Never stop learning. That is on the right track, but to force X CAPs and X Numbers would I use "Perl regexp to check password against"? If so, how would that regex look? I'm not a regex person...
When is this check performed? Can it be scheduled? I would still like something that would "monitor" passwords, notify and change them if the client doesn't.
Submitted by JamieCameron on Sat, 08/31/2013 - 14:33 Comment #3
To force use of at least one capital letter and at least one number, you can use a regexp like :
.*[A-Z].*[0-9].*|.*[0-9].*[A-Z].*
Submitted by isdahlc on Sat, 08/31/2013 - 14:44 Pro Licensee Comment #4
OK, I'm guessing the minimum number of each case (capital letter, number) is one? Could I force 3 of each if desired?
Still wondering about the built in password restrictions already in VM:
When is this check performed? Can it be scheduled? I would still like something that would "monitor" passwords, notify and change them if the client doesn't.
Submitted by JamieCameron on Sat, 08/31/2013 - 19:10 Comment #5
Forcing 3 of each is possible, but would require a more complex regular expression. Or you could force 3 upper-case letters or numbers with a regexp like :
.*[A-Z0-9].*[A-Z0-9].*[A-Z0-9].*
The check is only done when the password is set or changed - there is no way to check existing passwords on schedule, due to the 1-way hash method used to store them on Unix systems.
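The regexps from comments #3 and #5, plus the "3 of each" rule Craig asks about in comment #4, tried from the shell. This is an added example, not from the thread; it uses grep -E so the patterns can be exercised locally, and the names has_upper_and_digit, has_three_upper_or_digit, has_n_of_each and n_of_each_verdict are made up here. LC_ALL=C is set so that [A-Z] means ASCII capitals only, whatever the system locale is.

```shell
#!/bin/sh
# Added example: exercising the password regexps from the thread with grep -E.
# Not Webmin code. Function names are invented for this example.
export LC_ALL=C

# Comment #3: at least one capital letter and at least one digit, either order.
has_upper_and_digit() {
    printf '%s\n' "$1" | grep -Eq '.*[A-Z].*[0-9].*|.*[0-9].*[A-Z].*'
}

# Comment #5: at least three characters that are capitals OR digits.
# Note that "AAA" satisfies this even though it contains no digit.
has_three_upper_or_digit() {
    printf '%s\n' "$1" | grep -Eq '.*[A-Z0-9].*[A-Z0-9].*[A-Z0-9].*'
}

# Comment #4's request: at least N capitals AND at least N digits, any order.
# "([A-Z].*){N}" matches N capitals with anything in between, so each class
# is counted on its own and the two checks are combined with &&.
has_n_of_each() {
    password=$1
    n=$2
    printf '%s\n' "$password" | grep -Eq "([A-Z].*){$n}" &&
        printf '%s\n' "$password" | grep -Eq "([0-9].*){$n}"
}

# Same rule, but on failure it prints which class is short, so the text can
# be shown to the user instead of a bare "failed".
n_of_each_verdict() {
    password=$1
    n=$2
    missing=""
    printf '%s\n' "$password" | grep -Eq "([A-Z].*){$n}" ||
        missing="$missing at least $n capital letters;"
    printf '%s\n' "$password" | grep -Eq "([0-9].*){$n}" ||
        missing="$missing at least $n digits;"
    [ -z "$missing" ] && return 0
    echo "password needs:$missing"
    return 1
}
```

For the Webmin field itself, which is labelled as a Perl regexp, the two separate greps collapse into one pattern using Perl lookaheads, for example `^(?=(?:.*[A-Z]){3})(?=(?:.*[0-9]){3})` for three of each; this assumes Webmin hands the field to Perl's regex engine unchanged, which the thread does not confirm.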
Submitted by isdahlc on Sun, 09/01/2013 - 09:02 Pro Licensee Comment #6
The check is only done when the password is set or changed - there is no way to check existing passwords on schedule, due to the 1-way hash method used to store them on Unix systems.
The command
virtualmin list-users --domain domain.tld --multiline | grep "Unix username\|Password"
will show a list of users and their passwords in plain text, couldn't we check against that?
Submitted by andreychek on Sun, 09/01/2013 - 19:53 Comment #7
Unfortunately, it doesn't sound like a feature to schedule password testing will work its way into Webmin or Virtualmin anytime soon.
However, there are existing tools for doing such a thing, you could use one of those to assist.
An example of such a tool is cracklib-check. Some examples of its usage are available here:
http://www.cyberciti.biz/security/linux-password-strength-checker/
Using it, or something like it, you could develop a script to run regularly from cron to test passwords on your system.
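The cron-able audit that comment #7 suggests and comment #6 sketches, as an added example rather than anything shipped with Virtualmin. It reads the `virtualmin list-users --multiline` output on stdin, feeds each password to cracklib-check, and reports the offending usernames with cracklib's reason. Because list-users prints the plaintext password, the report deliberately never includes it. Assumptions: the multiline output carries an indented "Unix username: NAME" line and a "Password: SECRET" line per user (the two fields grepped in comment #6), and CRACKLIB_CHECK is a made-up variable so a different checker can be substituted when testing.

```shell
#!/bin/sh
# Added example, not Virtualmin code: audit existing mailbox passwords with
# cracklib-check from cron. Reports "USER: REASON", never the password.
export LC_ALL=C
# Assumption: path of cracklib-check as used in the thread; override to test.
CRACKLIB_CHECK=${CRACKLIB_CHECK:-/usr/sbin/cracklib-check}

# audit_users: reads list-users --multiline output on stdin, prints one line
# per weak password and returns 1 if any were found (0 if all passed).
audit_users() {
    user=""
    weak=0
    while IFS= read -r line; do
        case "$line" in
            *"Unix username: "*)
                user=${line#*"Unix username: "} ;;
            *"Password: "*)
                pw=${line#*"Password: "}
                # cracklib-check always exits 0, so its text is what counts
                verdict=$(printf '%s\n' "$pw" | "$CRACKLIB_CHECK" 2>&1) || true
                case "$verdict" in
                    *": OK") ;;
                    "")
                        weak=1
                        echo "$user: checker produced no output" ;;
                    *)
                        weak=1
                        # drop the echoed password, keep cracklib's reason
                        echo "$user: ${verdict#"$pw: "}" ;;
                esac ;;
        esac
    done
    return $weak
}

# Constructed cron line: nightly audit of one domain, report mailed to root.
#   0 2 * * * virtualmin list-users --domain domain.tld --multiline \
#             | /usr/local/sbin/audit_users.sh --stdin
if [ "${1:-}" = "--stdin" ]; then
    audit_users
fi
```

The script exits non-zero when any password fails, so cron's own mail-on-output behaviour delivers the list of users to contact; the follow-up that comment #1 of the original request asks for (notify, then force a change) is left to the admin, since the thread establishes there is no scheduled hook in Webmin for it.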
Submitted by isdahlc on Fri, 09/06/2013 - 15:35 Pro Licensee Comment #8
andreychek,
I'm still testing on this but have a question about Password Restrictions "External password-checking program". I'm trying to set this to use cracklib-check so each user created is checked. I can't seem to find the right setup to get it working.
In the field I have
echo $password | /usr/sbin/cracklib-check
There aren't any error messages, it just creates a new user even though I'm using a password that should cause alarm (i.e. password = bob). What am I doing wrong?
Thanks!
-- Craig
Submitted by JamieCameron on Fri, 09/06/2013 - 16:33 Comment #9
Depending on the "Pass username and password to program" option, the password will be passed to that command as either input or command line params. The input mode is safer, so you should select that and set the command to :
tail -1 | /usr/sbin/cracklib-check
The tail -1 is needed because Webmin supplies both the username and password.
Submitted by isdahlc on Fri, 09/06/2013 - 17:24 Pro Licensee Comment #10
I set it to "input" and have the command set as you instructed but it still doesn't do anything that I can see. I can create a test account named fred with password fred and it lets me create it.
Submitted by JamieCameron on Fri, 09/06/2013 - 17:44 Comment #11
Does the cracklib-check command exit with a non-zero status if the password is weak? Or does it just print something?
Submitted by isdahlc on Fri, 09/06/2013 - 18:22 Pro Licensee Comment #12
Here's a sample from the command line:
[root@mail4 ~]# echo bob | cracklib-check
bob: it is WAY too short
Submitted by JamieCameron on Sat, 09/07/2013 - 11:20 Comment #13
What output do you get if you run :
echo bob | cracklib-check
echo $?
Submitted by isdahlc on Sat, 09/07/2013 - 13:55 Pro Licensee Comment #14
[root@mail4 ~]# echo bob | cracklib-check
bob: it is WAY too short
[root@mail4 ~]# echo $?
0
Submitted by JamieCameron on Sat, 09/07/2013 - 18:57 Comment #15
Ok, the issue is that Webmin expects the command to fail if the password is invalid - it doesn't look at the output. So you should set the command to :
tail -1 | /usr/sbin/cracklib-check | grep OK
Submitted by isdahlc on Tue, 09/10/2013 - 01:26 Pro Licensee Comment #16
It still let me create a user bob@domain.tld w/password "bob". It did not provide any warnings.
Submitted by JamieCameron on Tue, 09/10/2013 - 14:33 Comment #17
What output do you get if you run :
echo bob | /usr/sbin/cracklib-check | grep OK
echo $?
Submitted by isdahlc on Mon, 09/16/2013 - 08:21 Pro Licensee Comment #18
[root@mail4 ~]# echo bob | /usr/sbin/cracklib-check | grep OK
[root@mail4 ~]# echo $?
1
Submitted by JamieCameron on Mon, 09/16/2013 - 10:59 Comment #19
Are you changing the password in Webmin or Usermin when the cracklib check is incorrectly passed?
Submitted by isdahlc on Mon, 09/16/2013 - 11:15 Pro Licensee Comment #20
I'm setting up a new mail user through virtualmin.
Submitted by JamieCameron on Mon, 09/16/2013 - 23:39 Comment #21
Perhaps there is some other setting that is breaking this.
Could you post the /etc/webmin/useradmin/config file from your system?
Submitted by isdahlc on Wed, 09/18/2013 - 06:36 Pro Licensee Comment #22
display_max=400
home_style=0
gshadow_file=/etc/gshadow
passwd_same=0
random_password=0
passwd_stars=0
passwd_progmode=1
passwd_file=/etc/passwd
uid_calc=0
gid_calc=0
extra_real=0
secmode=0
gid_mode=1
shadow_file=/etc/shadow
display_mode=1
new_user_gid=0
uid_mode=1
group_file=/etc/group
passwd_dict=0
base_uid=500
base_gid=500
lock_string=*
new_user_group=1
md5=1
membox=0
selinux_con=user_u:object_r:user_home_dir_t
user_files=/etc/skel
delete_only=0
homedir_perms=0750
home_base=/home
last_show=0
sort_mode=0
default_other=1
empty_mode=0
post_command=
shells=fixed,passwd,shells
email_type=0
delete_root=0
skip_md5=0
from_files=0
alias_check=0
passwd_redesc=
passwd_re=
passwd_min=
passwd_mindays=
passwd_prog=tail -1 | /usr/sbin/cracklib-check | grep OK
dict_file=
Submitted by JamieCameron on Wed, 09/18/2013 - 17:04 Comment #23
I see the issue now - because the command I gave you is run with a temp file containing the username and password redirected to it as input, you need to change the passwd_prog line to :
passwd_prog=(tail -1 | /usr/sbin/cracklib-check | grep OK)
Submitted by isdahlc on Thu, 09/19/2013 - 13:53 Pro Licensee Comment #24
This still does not work, it let me create a user "mary" with password "1234".
Submitted by JamieCameron on Thu, 09/19/2013 - 23:47 Comment #25
I looked into this further, and found there is a Webmin bug that causes the validation command to not block a password if the command doesn't produce any output ... which is the case here.
The work-around till the next release is to change the line to :
passwd_prog=(tail -1 | /usr/sbin/cracklib-check | perl -ne 'print $_; exit(!/OK/)')
Submitted by isdahlc on Fri, 09/20/2013 - 10:29 Pro Licensee Comment #26
That worked!!!
Now, is there anything we can do about the "failure" message, it's a bit stark. Perhaps allow us to add some text to explain why it failed in a more friendly way to the customer?
Submitted by JamieCameron on Fri, 09/20/2013 - 14:45 Comment #27
What message do you get currently? It should be the output from the cracklib-check command.
Submitted by isdahlc on Fri, 09/20/2013 - 15:08 Pro Licensee Comment #28
I get the following
Failed to save mailbox : 123456: it is too simplistic/systematic
So yes, it does show the error. In reality however, they will see the words "failed to save mailbox" and stop reading, pick up the phone or open a ticket with us (we don't want support time tied up on something like this). That message can stay just the way it is, I just want to be able to include a short message explaining to them - Your password is too weak, try it again... blah blah blah.
Maybe on the Password Restrictions page you can add an area for a message when it fails that would show below the current default message. Let me know if you think that's possible.
Thanks!
-- Craig
Submitted by JamieCameron on Fri, 09/20/2013 - 18:18 Comment #29
How about if it said something like "Password validation failed : 123456: it is too simplistic/systematic"
Submitted by isdahlc on Fri, 09/20/2013 - 18:30 Pro Licensee Comment #30
Well that is better but it would be nice to communicate to them what the password requirements are (i.e. must contain 2 CAPITAL letters and 2 NUMBERS and 1 special character [~!@#$%^&*()_+] or something similar), otherwise they are just shooting blind - and will still call support.
Submitted by JamieCameron on Fri, 09/20/2013 - 20:14 Comment #31
I could make the password validation message customizable by the admin? However, that may not help for passwords rejected by cracklib, as its validation rules are more complex.
Submitted by isdahlc on Fri, 09/20/2013 - 20:28 Pro Licensee Comment #32
Couldn't you just make an "on 'Password Restriction' error message" that would be appended to the system error message? (actually it should show below it, not be appended).
I really don't care WHY it's rejected but, if it is, I want to provide some direction so they can self-help to resolve it.
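A wrapper script that replaces the passwd_prog pipeline from comment #25 and also provides the admin-written hint Craig asks for in comment #32. It is an added example, not Webmin's own code. It relies on what the thread establishes: in "input" mode Webmin writes the username and then the password to the program's stdin (comment #9, hence tail -1), rejects the password only when the program exits non-zero (comment #15), and shows the program's output in the error (comments #27/#28). The wrapper exits 1 on any verdict other than "OK", including the no-output case that the Webmin bug in comment #25 mishandled, strips the echoed password from cracklib's message, and appends the hint. POLICY_HINT and CRACKLIB_CHECK are made-up variables; the install path in the usage note is hypothetical.

```shell
#!/bin/sh
# Added example, not Webmin code: external password-checking program for
# Webmin's Password Restrictions, "input" mode. Exit status is the verdict.
export LC_ALL=C
# Assumption: cracklib-check path as used in the thread; override to test.
CRACKLIB_CHECK=${CRACKLIB_CHECK:-/usr/sbin/cracklib-check}
# Made-up variable: text appended to every rejection so the user can self-help.
POLICY_HINT=${POLICY_HINT:-"Your password is too weak: use at least 8 characters that are not a word or a simple sequence, then try again."}

# check_password PASSWORD: returns 0 (silently) only when cracklib says OK;
# otherwise prints the reason plus the hint and returns 1.
check_password() {
    pw=$1
    # cracklib-check exits 0 either way (comment #14), so parse its text.
    verdict=$(printf '%s\n' "$pw" | "$CRACKLIB_CHECK" 2>&1) || true
    case "$verdict" in
        *": OK")
            return 0 ;;
        "")
            # no output at all: treat as a failure, never as a pass
            echo "password checker produced no output, rejecting."
            echo "$POLICY_HINT"
            return 1 ;;
        *)
            # cracklib echoes the password first; do not show it back to the user
            echo "${verdict#"$pw: "}."
            echo "$POLICY_HINT"
            return 1 ;;
    esac
}

# check_stdin: entry point for Webmin, which supplies "username\npassword".
check_stdin() {
    pw=$(tail -1)
    check_password "$pw"
}

if [ "${1:-}" = "--webmin" ]; then
    check_stdin
fi
```

Installed at a hypothetical path such as /usr/local/sbin/webmin-pwcheck.sh, the Password Restrictions entry (or the passwd_prog line in /etc/webmin/useradmin/config) becomes the single command `/usr/local/sbin/webmin-pwcheck.sh --webmin`, with "Pass username and password to program" set to input as in comment #9; a script has no pipeline, so the parentheses from comment #23 are not needed.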
Submitted by isdahlc on Tue, 07/08/2014 - 20:15 Pro Licensee Comment #33
Ahh!! This does not work in Usermin!!!
When creating a new email account via virtualmin (using cracklib-check as discussed above) it works great! When changing a password from Usermin, they can enter anything they want and it succeeds (1234, dictionary words, even the number of characters can be less than the set minimum).
Please help - we are pushing hard to find weak passwords and pushing our users to update them. If there aren't proper restrictions (as we've already defined for new users) the problem will simply continue.
Thanks!
-- Craig
Submitted by JamieCameron on Tue, 07/08/2014 - 23:04 Comment #34
That's odd, as in a default Virtualmin install password changes via Usermin are subject to the same rules.
Can you post the contents of the /etc/usermin/changepass/config file from your system?
Submitted by isdahlc on Tue, 07/08/2014 - 23:40 Pro Licensee Comment #35
cmd_mode=1
passwd_new=0
passwd_same=0
mysql=0
passwd_cmd=/usr/libexec/webmin/virtual-server/change-password.pl
passwd_dict=0
passwd_min=0
passwd_re=
mailbox=1
md5=1
Submitted by isdahlc on Wed, 07/09/2014 - 14:56 Pro Licensee Comment #36
Hi guys,
Anything more on this? I would love to get this buttoned up so when users reset their passwords they meet our password requirements.
Thanks!
-- Craig
Submitted by JamieCameron on Wed, 07/09/2014 - 18:47 Comment #37
So one hack that will work is to set passwd_re= in that file to the regular expression you want to use to force safe passwords.
However, there is a Virtualmin bug here - it should be enforcing the same password rules. I will fix that in the next release.