Details

      Description

      Guacamole currently lacks support for enforcement of password policies within the existing authentication backends. This is not relevant for the backends which are read-only, but definitely makes a difference for the database authentication.

      We should provide password policies in line with current de facto standards. Specifically, the following restrictions need to be supported:

      1. Minimum password age (how long before the password CAN be changed)
      2. Maximum password age (how long before the password MUST be changed)
      3. Minimum password length
      4. Minimum number of character classes:
        1. Uppercase
        2. Lowercase
        3. Symbols
        4. Digits
      5. Must not contain the username
      6. Must not match last N passwords
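
An added example, not code from Guacamole or from this issue, showing how the six restrictions listed above can be evaluated together on a password change. The `Policy` fields, rule names, default values and the PBKDF2 hash are assumptions of the example.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass
from datetime import timedelta

@dataclass
class Policy:  # hypothetical names; the values are constructed defaults
    min_age: timedelta = timedelta(days=1)    # 1. earliest a password CAN change
    max_age: timedelta = timedelta(days=90)   # 2. latest a password MUST change
    min_length: int = 12                      # 3.
    min_classes: int = 3                      # 4. of upper/lower/symbol/digit
    history_size: int = 5                     # 6. last N passwords

def hash_password(password, salt=None):
    """Return (salt, digest); PBKDF2-HMAC-SHA256 is this example's assumption."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def char_classes(password):
    tests = (str.isupper, str.islower, str.isdigit, lambda c: c in string.punctuation)
    return sum(any(t(c) for c in password) for t in tests)

def must_change(policy, last_changed, now):
    return now - last_changed >= policy.max_age

def check_change(policy, username, new_password, history, last_changed, now):
    """Return violated rule names (empty list = allowed). history: (salt, digest), newest last."""
    errors = []
    if now - last_changed < policy.min_age:
        errors.append("min_age")
    if len(new_password) < policy.min_length:
        errors.append("min_length")
    if char_classes(new_password) < policy.min_classes:
        errors.append("char_classes")
    if username and username.lower() in new_password.lower():  # 5.
        errors.append("contains_username")
    # Salted hashes cannot be compared directly: re-hash the candidate with each record's salt.
    # history[-0:] would be the whole list, so N = 0 must mean "no history check".
    recent = history[-policy.history_size:] if policy.history_size > 0 else []
    for salt, digest in recent:
        if hmac.compare_digest(hash_password(new_password, salt)[1], digest):
            errors.append("reused")
            break
    return errors
```

The minimum age is what keeps the history rule meaningful: without it a user can change passwords N times in a row and return to the original.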


          Activity

          mike.jumper Michael Jumper added a comment - - edited

          NOTE: I am tasked with beginning work on this very shortly via downstream issue GUAC-1546.

          mike.jumper Michael Jumper added a comment -

          Should be all done now, pending future review and merge. The changes are in a hierarchy of branches in my fork on GitHub:

          Current branch hierarchy for future merge

          incubator-guacamole-client

          master → translatable-messages → password-policies → password-aging → password-history

          Branch name | Description
          translatable-messages | Define mechanism for throwing translatable error messages from extensions, allowing for substitution of arbitrary values and pluralization.
          password-policies | Password policies based on content only (length, forbid username, require uppercase/lowercase/digits/symbols).
          password-aging | Password policies based on password age only (password expiry, password reset too recently).
          password-history | Password policies based on historical password records (do not repeat any of last N passwords).

          incubator-guacamole-manual

          master → password-policies

          Branch name | Description
          password-policies | Documentation of password policy options and schema changes.

          Obviously can't move forward with PRs until after 0.9.10-incubating.


            People

            • Assignee:
              mike.jumper Michael Jumper
              Reporter:
              mike.jumper Michael Jumper