Commit 16a3c065 authored by Paul Cammish's avatar Paul Cammish

Merge branch 're-impliment_password_checks' into 'master'

Re-implements password strength checking and tests

Closes #13, #16, and #17

See merge request sympl/sympl!27
parents fcd3e8ae 30534fd2
* 2019-06-10 - Re-implimented password strength checking and tests
* 2019-06-10 - Significant changes to 'admin' user
- Replaced 'admin' user with 'sympl' user, with the home directory at /home/sympl
- sympl-mysql writes /home/sympl/.my.cnf and 'mysql_password' files on install
......
......@@ -18,7 +18,7 @@
# --help Show usage
#
# --manual Show full manual
#
#
# DESCRIPTION
#
# Takes a password from standard input, as an argument, or the first line of a
......@@ -31,11 +31,11 @@
# 5 SHA-256
# 6 SHA-512
#
# It outputs the encrypted password to standard out, prepended with the marker.
# It outputs the encrypted password to standard out, prepended with the marker.
#
# EXAMPLES
#
# sympl-encrypt-password "my password"
# sympl-encrypt-password "my password"
#
# produces "{CRYPT}$1$M7$/ElErZcP9VN8fRgJfOKQa.".
#
......@@ -67,7 +67,7 @@ opts = GetoptLong.new(
[ '--marker', '-k', GetoptLong::OPTIONAL_ARGUMENT ]
)
manual = help = false
manual = help = false
$VERBOSELOCAL = false
algorithm = "6"
marker = "{CRYPT}"
......@@ -122,10 +122,10 @@ end
if ARGV.length == 0
warn "Reading from standard input" if $VERBOSELOCAL
#
#
# Read the password in from STDIN
#
password = STDIN.gets.chomp
password = STDIN.gets.chomp
elsif File.exist?(ARGV.first)
#
# Read the password from a file
......@@ -138,7 +138,7 @@ elsif File.exist?(ARGV.first)
#
if password.nil?
warn "No password found in #{ARGV.first}."
password = ARGV.first
password = ARGV.first
else
#
# Remove any stray line ending
......@@ -146,18 +146,26 @@ elsif File.exist?(ARGV.first)
password.chomp!
end
else
#
#
# Use the ARGV
#
warn "Using password from the command line" if $VERBOSELOCAL
password = ARGV.first
end
# TODO Replace this with updated version from ruby-password
#c = CrackLib::Fascist(password)
#warn "This is a weak password -- #{c.reason}." unless c.ok?
# Check the password strength and reject if it's too weak
reason = "OK"
pw = Password.new( password )
begin
pw.check
rescue Password::WeakPassword => reason
end
if reason != "OK"
warn "This is a weak password -- #{reason}."
end
#
#
# Collect some salt.
#
salt = 8.times.collect{SALT[rand(SALT.length)]}.join
......@@ -167,4 +175,3 @@ warn "Encrypting password #{password.inspect} using the #{ALGORITHMS[algorithm]}
# And encrypt and output.
puts marker+password.chomp.crypt("$#{algorithm}$#{salt}$")
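Review bot: The comment `# Check the password strength and reject if it's too weak` does not match the code under it: on `Password::WeakPassword` the script only calls `warn`, then falls through to the salt generation and the `crypt` call, so a weak password is still encrypted and printed. Either the comment should read `# Check the password strength and warn if it's too weak`, or the branch should end with `exit 1` after the warning, which is a behaviour change for callers of this script and needs a decision. Separately, `rescue Password::WeakPassword => reason` rebinds `reason` to the exception object rather than a string, and `reason != "OK"` only works because an exception never compares equal to a string; `rescue Password::WeakPassword => e` followed by `reason = e.message` says what is meant. The `Password` constant must come from a `require` earlier in the file, which this hunk does not show.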
sympl-common (9.0.190610.1) stable; urgency=medium
* Reimplimented password strength testing
-- Paul Cammish <sympl@kelduum.net> Mon, 10 Jun 2019 15:38:00 +0100
sympl-common (9.0.190610.0) stable; urgency=medium
* Moved pre-configuration of roundcube to sympl-common
......
......@@ -161,21 +161,28 @@ Symbiosis::Domains.each(prefix) do |domain|
next
end
# TODO: Again, repalce this with the updated calls to ruby-password.
# And yes, this means this doesn't really do anything now.
#
# c = CrackLib::Fascist(u.password)
#
# if c.ok?
# verbose "\tFTP password for #{u.username} is OK"
# else
# verbose "\tFTP password for #{u.username} is weak -- #{c.reason}"
# if u.username.include?('@')
# weak << "#{domain.ftp_users_file} (#{u.username}): #{c.reason}"
# else
# weak << "#{domain.ftp_password_file} (#{u.username}): #{c.reason}"
# end
# end
# Use ruby-password to check password strength
#
reason = "ok"
pw = Password.new( u.password )
begin
pw.check
rescue Password::WeakPassword => reason
end
if reason == 'ok'
verbose "\tFTP password for #{u.username} is OK"
else
verbose "\tFTP password for #{u.username} is weak -- #{reason}"
if u.username.include?('@')
weak << "#{domain.ftp_users_file} (#{u.username}): #{reason}"
else
weak << "#{domain.ftp_password_file} (#{u.username}): #{reason}"
end
end
end
......@@ -201,16 +208,25 @@ Symbiosis::Domains.each(prefix) do |domain|
next
end
# TODO: Replace this with ruby-password calls
# Beating in mind, this pretty much means this does nothing now.
#c = CrackLib::Fascist(mailbox.password)
#
#if c.ok?
# verbose "\tPassword for #{mailbox.local_part} is OK"
#else
# verbose "\tPassword for #{mailbox.local_part} is weak -- #{c.reason}"
# weak << "#{mailbox.password_file}: #{c.reason}"
#end
# Use ruby-password to check password strength
#
reason = "ok"
pw = Password.new( mailbox.password )
begin
pw.check
rescue Password::WeakPassword => reason
end
if reason == 'ok'
verbose "\tPassword for #{mailbox.local_part} is OK"
else
verbose "\tPassword for #{mailbox.local_part} is weak -- #{reason}"
weak << "#{mailbox.password_file}: #{reason}"
end
end
end
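Review bot: In both new blocks (the FTP check ending at `weak << "#{domain.ftp_password_file} (#{u.username}): #{reason}"` and the mailbox check in the second hunk) `rescue Password::WeakPassword => reason` binds the exception object to `reason`, so `reason == 'ok'` is a String-versus-Exception comparison and the log text relies on `Exception#to_s`; `rescue Password::WeakPassword => e` with `reason = e.message` makes the intent explicit. The two blocks differ only in the password being checked and the log wording, so a small helper such as `weak_reason(password)` returning `nil` when the check passes and the message otherwise would remove both the duplication and the `"ok"` sentinel. Anything other than `WeakPassword` raised by `Password.new` or `check` (for example if `u.password` or `mailbox.password` is nil) is not rescued here and would abort the whole `Symbiosis::Domains.each` loop; whether the `next` just above each block already filters those cases is outside the hunk.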
......
sympl-mail (9.0.190610.1) stable; urgency=medium
* Re-implimented password strength testing
-- Paul Cammish <sympl@kelduum.net> Mon, 10 Jun 2019 15:58:00 +0100
sympl-mail (9.0.190610.0) stable; urgency=medium
* Adjusted Dependencies
......
......@@ -21,9 +21,9 @@ module Symbiosis
def self.syslog=(s)
@@syslog = s
end
include EventMachine::Protocols::LineProtocol
# C: <open connection to port 106>
# S: 200 poppassd (version 1.1) ready.
# C: USER fred
......@@ -56,7 +56,7 @@ module Symbiosis
@username = $1
@authorised = false
send_data "300 Please send your current password\r\n"
when /^PASS (.+)$/i
@authorised = false
ans = do_authorise($1)
......@@ -72,7 +72,7 @@ module Symbiosis
else
send_data "500 I don't understand what you're saying.\r\n"
end
rescue StandardError => err
send_data "500 Something bad has happened. Sorry!\r\n"
......@@ -124,17 +124,23 @@ module Symbiosis
return "400 Please login before trying to change your password\r\n"
end
# TODO: Reimpliment this with ruby-password
# WARN: Password strength checking is disabled
#
# c = CrackLib::Fascist(passwd)
#
# unless c.ok?
# syslog.notice "Password change failed for user #{@mailbox.username} -- #{c.reason}"
# return "400 Sorry, that password is too weak -- #{c.reason}\r\n"
# end
#
# Check password strength and reject if too weak
#
reason = "OK"
pw = Password.new( passwd )
begin
pw.check
rescue Password::WeakPassword => reason
end
if reason != "OK"
syslog.notice "Password change failed for user #{@mailbox.username} -- #{reason}"
return "400 Sorry, that password is too weak -- #{reason}\r\n"
end
begin
@mailbox.password = passwd
rescue StandardError => err
syslog.err "Password change failed for user #{@mailbox.username} because #{err.to_s}"
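Review bot: `rescue Password::WeakPassword => reason` binds the exception object to `reason`, so `reason != "OK"` compares an Exception with a String and the `syslog.notice` and the `400` reply depend on `Exception#to_s`; `rescue Password::WeakPassword => e` then `reason = e.message` is the clearer form, and it matches how the `rescue StandardError => err` at the bottom of this hunk already names its exception. The reply is a single protocol line terminated by `\r\n`, so if the library's message could ever contain a line break it would split the response; `reason.to_s.tr("\r\n", " ")` at the interpolation is cheap insurance, hedged because I cannot see the message format here. Any exception other than `WeakPassword` from `Password.new` or `check` is not rescued in this method and propagates to the caller, so a library failure would surface as whatever the line handler does on `StandardError` rather than as this `400`. The enclosing method starts outside the hunk.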
......
......@@ -153,26 +153,23 @@ class TestEmailPoppassd < Test::Unit::TestCase
end
def test_weak_pasword
@mailbox.password = "abc"
assert @mailbox.login("abc")
new_password = "typewriter"
results = do_test_script(["USER #{@mailbox.username}", "PASS abc", "NEWPASS #{new_password}", "QUIT"])
# we should get back 200 (hello), 300 (please log in), 200 (authd), 400 (temp fail), 200 (bye)
expected_results = [/^2\d\d /, /^3\d\d /, /^2\d\d/, /^4\d\d /, /^2\d\d /]
results.zip(expected_results).each do |r, e|
assert_match e, r
end
# Disabled due to Issue #17 - "symbiosis-password-test doesn't do anything serious"
#
# @mailbox.password = "abc"
# assert @mailbox.login("abc")
#
# new_password = "typewriter"
#
# results = do_test_script(["USER #{@mailbox.username}", "PASS abc", "NEWPASS #{new_password}", "QUIT"])
#
# # we should get back 200 (hello), 300 (please log in), 200 (authd), 400 (temp fail), 200 (bye)
# expected_results = [/^2\d\d /, /^3\d\d /, /^2\d\d/, /^4\d\d /, /^2\d\d /]
#
# results.zip(expected_results).each do |r, e|
# assert_match e, r
# end
#
# # now make sure the password hasn't changed.
# assert(@mailbox.login("abc"))
# assert(!@mailbox.login(new_password))
# now make sure the password hasn't changed.
assert(@mailbox.login("abc"))
assert(!@mailbox.login(new_password))
end
def do_skip(msg)
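Review bot: The `results.zip(expected_results)` loop in `test_weak_pasword` only checks as many pairs as there are results; if the server returns fewer lines than expected the missing responses are never asserted, and if it returns more, the extra ones are paired with `nil` and fail with an unhelpful `assert_match` error. Adding `assert_equal expected_results.length, results.length` before the loop pins the response count and gives a readable failure. The method name `test_weak_pasword` is misspelled; `test_weak_password` is what a reader would search for. The test relies on the strength library classing "typewriter" as weak, which is the intended behaviour but worth a one-line comment such as `# "typewriter" is a dictionary word and must be rejected by the strength check`.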
......