self-service-password
Suggesting Samba filter as well.
Based upon https://www.mylinuxplace.com/tag/password-compexity/ I edited the example. It's a Perl filter for Samba password renewal (not for Windows domains). So it can use the same self-service-password rules: upper, lower, number, special and forbidden chars. Fuzzy matching is not included (as I wasn't running the latest version of SSP). Maybe it's something to add to this site/repo, so the rules work on both sides and can be the same: direct client password change and website password change.
```perl
#!/usr/bin/perl -w
# This script checks password complexity
$min_length=11;
$min_upercase=1;
$min_lowercase=1;
$min_digits=1;
$min_specialchar=1;
# minimum number of character categories (a-z, A-Z, 0-9, special chars) a password must contain
$min_charactercategories=3;
$specialchars='!,@,#,$,%,^,&,*,(,),-,_,+,=';
$forbiddenchars = '*,(,),&,|,%';
# get the password from standard input (possible to pipe)
$str_pass=<STDIN>;
$str_pass = '' unless defined $str_pass;
# strip a trailing newline, if present, so it is not counted as a character
chomp($str_pass);
# now let's start checking and update the counters if we find something,
# but first set all counters to zero
$ctr_length=0;
$ctr_upercase=0;
$ctr_lowercase=0;
$ctr_digits=0;
$ctr_specialcar=0;
$ctr_forbidden=0;
$cat_lower = 0;
$cat_upper = 0;
$cat_number = 0;
$cat_special = 0;
# convert the string to an array of characters
@array_pass = split('',$str_pass);
# convert the special and forbidden character lists into arrays
@arrayspecialchars = split(',',$specialchars);
@arrayforbiddenchars = split(',',$forbiddenchars);
foreach $pass_char (@array_pass)
{
    $ctr_length++;
    # check uppercase
    if($pass_char =~ /[A-Z]/)
    {
        $ctr_upercase++;
        $cat_upper=1;
    }
    # check lowercase
    elsif($pass_char =~ /[a-z]/)
    {
        $ctr_lowercase++;
        $cat_lower=1;
    }
    # check digits
    elsif($pass_char =~ /[0-9]/)
    {
        $ctr_digits++;
        $cat_number=1;
    }
    else
    {
        # check special characters (\Q...\E matches the character literally)
        foreach $schar (@arrayspecialchars)
        {
            if($pass_char =~ /\Q$schar\E/)
            {
                $ctr_specialcar++;
                $cat_special=1;
            }
        }
        # check forbidden characters
        foreach $schar (@arrayforbiddenchars)
        {
            if($pass_char =~ /\Q$schar\E/)
            {
                $ctr_forbidden++;
            }
        }
    }
}
# check if we reached the minimal length
if($ctr_length<$min_length)
{
    print "too short , minimum $min_length and got $ctr_length\n";
    exit 1;
}
# check if we reached the minimal number of uppercase characters
if($ctr_upercase<$min_upercase)
{
    print "not enough upercase , minimum $min_upercase and got $ctr_upercase\n";
    exit 2;
}
# check if we reached the minimal number of lowercase characters
if($ctr_lowercase<$min_lowercase)
{
    print "not enough lowercase , minimum $min_lowercase and got $ctr_lowercase\n";
    exit 3;
}
# check if we reached the minimal number of digits
if($ctr_digits<$min_digits)
{
    print "not enough digits , minimum $min_digits and got $ctr_digits\n";
    exit 3;
}
# check if we reached the minimal number of special characters
if($ctr_specialcar<$min_specialchar)
{
    print "not enough special characters , minimum $min_specialchar and got $ctr_specialcar\n";
    exit 4;
}
# Added by peterboos to have the same password policy on Samba as on the SSP websites.
# SSP has some protection against symbols that could be used in PHP injection attacks,
# which might not be the best (all scripts on any site should be safe against that).
if($ctr_forbidden>0)
{
    print "its not allowed to use these letters $forbiddenchars in the password\n";
    exit 5;
}
# Added by Peter Boos to be the same as the SSP site.
if ( ($cat_lower+$cat_upper+$cat_number+$cat_special)<$min_charactercategories)
{
    print "Password is not complex enough, there are lower / upper case number and special characters available to you\n";
    exit 6;
}
# if you got up to here, you passed every check,
# so we can now return a non-error exit status
exit 0;
```
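A way to exercise the filter above before hooking it into Samba, as an added example that is not part of the original post: Samba's `check password script` option in smb.conf passes the new password on the script's standard input and treats exit status 0 as acceptance. The script path in the comment, the function names and the sample passwords are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): test harness for a Samba
# "check password script" filter. smb.conf hook, path is an assumption:
#   [global]
#   check password script = /usr/local/sbin/check_password.pl

# verdict FILTER PASSWORD FORMAT: feed PASSWORD on stdin using printf FORMAT
# ('%s' = no trailing newline, '%s\n' = with newline); print accept/reject.
verdict() {
    if printf "$3" "$2" | "$1" >/dev/null 2>&1; then
        echo accept
    else
        echo reject
    fi
}

# run_case FILTER PASSWORD EXPECT: succeed only when the filter gives the
# expected verdict both with and without a trailing newline on stdin.
run_case() {
    bare=$(verdict "$1" "$2" '%s')
    with_nl=$(verdict "$1" "$2" '%s\n')
    [ "$bare" = "$3" ] && [ "$with_nl" = "$3" ]
}

# check_filter FILTER: run constructed sample passwords for the policy in the
# post (length >= 11, upper, lower, digit, special; forbidden * ( ) & | %).
# Returns the number of mismatches, so 0 means the filter behaves as expected.
check_filter() {
    failures=0
    while IFS=' ' read -r expect password; do
        run_case "$1" "$password" "$expect" || {
            echo "MISMATCH: expected $expect for sample '$password'" >&2
            failures=$((failures + 1))
        }
    done <<'EOF'
accept Correct-Horse7battery
accept Abcdefgh-12
reject Sh0rt-pw
reject nouppercase-1234
reject NOLOWERCASE-1234
reject NoDigitsHere-atAll
reject NoSpecialChars1234
reject Forbidden(Paren)1x-
reject Pipe|Character1-ok
EOF
    return "$failures"
}

# Stand-alone use: ./check_filter.sh /path/to/filter
[ $# -eq 0 ] || check_filter "$1"
```

A filter that fails to start at all (for example on a Perl syntax error) exits non-zero, so every `accept` sample is reported as a mismatch instead of the breakage going unnoticed.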
Thanks, I'll see how to include it
I wonder if the best solution would not be to call the new web service /rest/v1/checkpassword.php