* [pve-devel] [PATCH manager 1/3] ui: workspace/user view: change password minimum length to 8
2024-10-04 13:32 [pve-devel] [PATCH manager/widget-toolkit/access-control 0/3] enforce minimum of 8 characters on new passwords Shannon Sterz
@ 2024-10-04 13:32 ` Shannon Sterz
2024-10-04 13:32 ` [pve-devel] [PATCH widget-toolkit 2/3] password edit: add a minimum length parameter Shannon Sterz
` (2 subsequent siblings)
3 siblings, 0 replies; 6+ messages in thread
From: Shannon Sterz @ 2024-10-04 13:32 UTC
To: pve-devel
this only impacts new passwords
Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---
www/manager6/Workspace.js | 1 +
www/manager6/dc/UserEdit.js | 2 +-
www/manager6/dc/UserView.js | 1 +
3 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/www/manager6/Workspace.js b/www/manager6/Workspace.js
index 52c66108c..ca451fc3e 100644
--- a/www/manager6/Workspace.js
+++ b/www/manager6/Workspace.js
@@ -383,6 +383,7 @@ Ext.define('PVE.StdWorkspace', {
var win = Ext.create('Proxmox.window.PasswordEdit', {
userid: Proxmox.UserName,
confirmCurrentPassword: Proxmox.UserName !== 'root@pam',
+ minLength: 8,
});
win.show();
},
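Review bot: The added `minLength: 8` in the `Proxmox.window.PasswordEdit` config only takes effect once the widget-toolkit change from 2/3 is installed. With an older toolkit the option is ignored, the dialog keeps validating against the hard-coded 5, and after 3/3 the API rejects what the dialog accepted. Please bump the versioned dependency on proxmox-widget-toolkit together with this patch and mention the dependency in the commit message.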
diff --git a/www/manager6/dc/UserEdit.js b/www/manager6/dc/UserEdit.js
index ad52edf00..eee8bc2b2 100644
--- a/www/manager6/dc/UserEdit.js
+++ b/www/manager6/dc/UserEdit.js
@@ -36,7 +36,7 @@ Ext.define('PVE.dc.UserEdit', {
pwfield = Ext.createWidget('textfield', {
inputType: 'password',
fieldLabel: gettext('Password'),
- minLength: 5,
+ minLength: 8,
name: 'password',
disabled: true,
hidden: true,
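Review bot: The `minLength` on this `textfield` is a second hard-coded copy of the limit: the field is created directly rather than through `Proxmox.window.PasswordEdit`, so it does not follow the parameter introduced in 2/3. With this series the value 8 is written out in three UI files and two API schemas; a single named constant on the UI side would keep the create-user form and the change-password dialogs from drifting apart the next time the limit moves.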
diff --git a/www/manager6/dc/UserView.js b/www/manager6/dc/UserView.js
index 12c3e8546..82bd2ee7c 100644
--- a/www/manager6/dc/UserView.js
+++ b/www/manager6/dc/UserView.js
@@ -72,6 +72,7 @@ Ext.define('PVE.dc.UserView', {
userid: rec.data.userid,
confirmCurrentPassword: Proxmox.UserName !== 'root@pam',
autoShow: true,
+ minLength: 8,
listeners: {
destroy: () => reload(),
},
--
2.39.5
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
* [pve-devel] [PATCH widget-toolkit 2/3] password edit: add a minimum length parameter
2024-10-04 13:32 [pve-devel] [PATCH manager/widget-toolkit/access-control 0/3] enforce minimum of 8 characters on new passwords Shannon Sterz
2024-10-04 13:32 ` [pve-devel] [PATCH manager 1/3] ui: workspace/user view: change password minimum length to 8 Shannon Sterz
@ 2024-10-04 13:32 ` Shannon Sterz
2024-11-11 20:38 ` [pve-devel] applied: " Thomas Lamprecht
2024-10-04 13:32 ` [pve-devel] [PATCH access-control 3/3] api: enforce a minimum length of 8 on new passwords Shannon Sterz
2024-11-11 22:11 ` [pve-devel] applied:-series [PATCH manager/widget-toolkit/access-control 0/3] enforce minimum of 8 characters " Thomas Lamprecht
3 siblings, 1 reply; 6+ messages in thread
From: Shannon Sterz @ 2024-10-04 13:32 UTC
To: pve-devel
so products can independently specify the minimum length of new
passwords
Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---
src/window/PasswordEdit.js | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/window/PasswordEdit.js b/src/window/PasswordEdit.js
index bc54b8d..e012a0d 100644
--- a/src/window/PasswordEdit.js
+++ b/src/window/PasswordEdit.js
@@ -12,6 +12,10 @@ Ext.define('Proxmox.window.PasswordEdit', {
labelWidth: 150,
},
+ // specifies the minimum length of *new* passwords so this can be
+ // adapted by each product as limits are changed there.
+ minLength: 5,
+
// allow products to opt-in as their API gains support for this.
confirmCurrentPassword: false,
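Review bot: The new default `minLength: 5` keeps the old limit for every caller that does not pass the option, so a product that forgets to opt in silently stays at 5. Consider defaulting to 8 here and letting a product lower it explicitly if its API still requires that, or at least name in the comment which products still depend on 5. The comment could also state that this is a client-side check only and that the API schema remains the enforcing side.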
@@ -33,13 +37,15 @@ Ext.define('Proxmox.window.PasswordEdit', {
xtype: 'textfield',
inputType: 'password',
fieldLabel: gettext('New Password'),
- minLength: 5,
allowBlank: false,
name: 'password',
listeners: {
change: (field) => field.next().validate(),
blur: (field) => field.next().validate(),
},
+ cbind: {
+ minLength: '{minLength}',
+ },
},
{
xtype: 'textfield',
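Review bot: The `cbind` block is appended after `listeners`, away from `allowBlank` where the removed `minLength: 5` used to sit; keeping it next to the other validation settings makes the field definition easier to read. Since the limit is now taken from the window's config instead of the field itself, a sentence in the commit message saying that callers set it by passing `minLength` when creating the window, as 1/3 does, would help other products adopt it.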
--
2.39.5
* [pve-devel] [PATCH access-control 3/3] api: enforce a minimum length of 8 on new passwords
2024-10-04 13:32 [pve-devel] [PATCH manager/widget-toolkit/access-control 0/3] enforce minimum of 8 characters on new passwords Shannon Sterz
2024-10-04 13:32 ` [pve-devel] [PATCH manager 1/3] ui: workspace/user view: change password minimum length to 8 Shannon Sterz
2024-10-04 13:32 ` [pve-devel] [PATCH widget-toolkit 2/3] password edit: add a minimum length parameter Shannon Sterz
@ 2024-10-04 13:32 ` Shannon Sterz
2024-11-11 22:11 ` [pve-devel] applied:-series [PATCH manager/widget-toolkit/access-control 0/3] enforce minimum of 8 characters " Thomas Lamprecht
3 siblings, 0 replies; 6+ messages in thread
From: Shannon Sterz @ 2024-10-04 13:32 UTC
To: pve-devel
when creating new users or updating existing passwords this new
minimum is enforced which aligns with NIST's latest recommendations
[1].
[1]: https://pages.nist.gov/800-63-4/sp800-63b.html#passwordver
Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---
src/PVE/API2/AccessControl.pm | 2 +-
src/PVE/API2/User.pm | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/PVE/API2/AccessControl.pm b/src/PVE/API2/AccessControl.pm
index c55a7b3..1e6e011 100644
--- a/src/PVE/API2/AccessControl.pm
+++ b/src/PVE/API2/AccessControl.pm
@@ -341,7 +341,7 @@ __PACKAGE__->register_method ({
password => {
description => "The new password.",
type => 'string',
- minLength => 5,
+ minLength => 8,
maxLength => 64,
},
'confirmation-password' => $PVE::API2::TFA::OPTIONAL_PASSWORD_SCHEMA,
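Review bot: Only `password` is raised to 8 here, while `'confirmation-password'` keeps using `$PVE::API2::TFA::OPTIONAL_PASSWORD_SCHEMA`. That is the right split, but please confirm that the shared schema still accepts shorter values, otherwise users whose current password has 5 to 7 characters cannot confirm it and are unable to change it. A short comment above `minLength => 8` pointing at the NIST reference from the commit message would also explain the number to later readers.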
diff --git a/src/PVE/API2/User.pm b/src/PVE/API2/User.pm
index 489d34f..535e58e 100644
--- a/src/PVE/API2/User.pm
+++ b/src/PVE/API2/User.pm
@@ -272,7 +272,7 @@ __PACKAGE__->register_method ({
description => "Initial password.",
type => 'string',
optional => 1,
- minLength => 5,
+ minLength => 8,
maxLength => 64
},
groups => get_standard_option('group-list'),
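Review bot: The `minLength => 8` and `maxLength => 64` pair is now duplicated inline here and in AccessControl.pm, so the two endpoints can drift. The same property list already pulls `groups` from `get_standard_option('group-list')`; registering the new-password schema once and referencing it from both places would keep user creation and password change on the same limit.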
--
2.39.5
* [pve-devel] applied:-series [PATCH manager/widget-toolkit/access-control 0/3] enforce minimum of 8 characters on new passwords
2024-10-04 13:32 [pve-devel] [PATCH manager/widget-toolkit/access-control 0/3] enforce minimum of 8 characters on new passwords Shannon Sterz
` (2 preceding siblings ...)
2024-10-04 13:32 ` [pve-devel] [PATCH access-control 3/3] api: enforce a minimum length of 8 on new passwords Shannon Sterz
@ 2024-11-11 22:11 ` Thomas Lamprecht
3 siblings, 0 replies; 6+ messages in thread
From: Thomas Lamprecht @ 2024-11-11 22:11 UTC
To: Proxmox VE development discussion, Shannon Sterz
On 04.10.24 at 15:32, Shannon Sterz wrote:
> this series pushes the minimum of 5 characters up to at least 8 for pve.
> this puts our password policy in line with NIST's latest recommendation
> [1].
>
> [1]: https://pages.nist.gov/800-63-4/sp800-63b.html#passwordver
>
> pve-manager:
>
> Shannon Sterz (1):
> ui: workspace/user view: change password minimum length to 8
>
> www/manager6/Workspace.js | 1 +
> www/manager6/dc/UserEdit.js | 2 +-
> www/manager6/dc/UserView.js | 1 +
> 3 files changed, 3 insertions(+), 1 deletion(-)
>
>
> proxmox-widget-toolkit:
>
> Shannon Sterz (1):
> password edit: add a minimum length parameter
>
> src/window/PasswordEdit.js | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
>
>
> pve-access-control:
>
> Shannon Sterz (1):
> api: enforce a minimum length of 8 on new passwords
>
> src/PVE/API2/AccessControl.pm | 2 +-
> src/PVE/API2/User.pm | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
>
> Summary over all repositories:
> 6 files changed, 12 insertions(+), 4 deletions(-)
>
> --
> Generated by git-murpp 0.5.0
>
applied the remaining two patches now too, thanks!