external password check

This commit is contained in:
Roland Gruber 2018-04-11 18:17:18 +02:00
parent 38d12b349d
commit 10f881c323
11 changed files with 48 additions and 1 deletions

View File

@ -1,3 +1,7 @@
June 2018
- Passwords can be checked against external service (e.g. https://api.pwnedpasswords.com/range)
19.03.2018 6.3 19.03.2018 6.3
- Server profile: added option if referential integrity overlay is active to skip cleanup actions - Server profile: added option if referential integrity overlay is active to skip cleanup actions
- Unix: several options are now specific to subaccount types (reconfiguration required!) - Unix: several options are now specific to subaccount types (reconfiguration required!)

View File

@ -151,6 +151,43 @@
<para>You can set the minimum password length and also the complexity of <para>You can set the minimum password length and also the complexity of
the passwords.</para> the passwords.</para>
<para><emphasis role="bold">External password check</emphasis></para>
<para>Please note that this option is only displayed if you have
installed the PHP Curl extension for your web server.</para>
<para>This will validate passwords using an external service. LAM
supports the protocol used by <ulink
url="https://haveibeenpwned.com/API/v2#SearchingPwnedPasswordsByRange">Have
I been Pwned</ulink>. You can use the service directly or setup any
custom service with the same API. If the service reports an error LAM
will log an error message and the password will be accepted.</para>
<para>Example URL:
https://api.pwnedpasswords.com/range/{SHA1PREFIX}</para>
<para>LAM will build a SHA1 hash of the password and send parts of it to
the service.</para>
<para>The configured URL must contain the wildcard "{SHA1PREFIX}" which
will be replaced with the 5 character hash prefix. The service must then
return a list of text lines in the format "&lt;hash
suffix&gt;:&lt;number&gt;".</para>
<para>"&lt;hash suffix&gt;" needs to be the suffix of a known insecure
password. The "&lt;number&gt;" can be any numeric value and will be
ignored by LAM.</para>
<para>Example:</para>
<para>Password hash: 21BD10018A45C4D1DEF81644B54AB7F969B88D65</para>
<para>Hash prefix sent to service: 21BD1</para>
<para>Returned line: 0018A45C4D1DEF81644B54AB7F969B88D65:1</para>
<para>This will reject the password.</para>
</section> </section>
<section id="conf_logging"> <section id="conf_logging">

View File

@ -574,6 +574,12 @@
version. Unless explicitly noticed there is no need to install an version. Unless explicitly noticed there is no need to install an
intermediate release.</para> intermediate release.</para>
<section>
<title>6.3 -&gt; 6.4</title>
<para>No actions needed.</para>
</section>
<section> <section>
<title>6.2 -&gt; 6.3</title> <title>6.2 -&gt; 6.3</title>

Binary file not shown.

Before

Width:  |  Height:  |  Size: 22 KiB

After

Width:  |  Height:  |  Size: 25 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 28 KiB

After

Width:  |  Height:  |  Size: 31 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 13 KiB

After

Width:  |  Height:  |  Size: 9.3 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 18 KiB

After

Width:  |  Height:  |  Size: 21 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 7.0 KiB

After

Width:  |  Height:  |  Size: 6.5 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 4.6 KiB

After

Width:  |  Height:  |  Size: 4.5 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 14 KiB

After

Width:  |  Height:  |  Size: 13 KiB

View File

@ -172,7 +172,7 @@ $helpArray = array (
"248" => array ("Headline" => _('Password must not contain part of user/first/last name'), "248" => array ("Headline" => _('Password must not contain part of user/first/last name'),
"Text" => _('Specifies if the password must not contain 3 or more characters of the user/first/last name.')), "Text" => _('Specifies if the password must not contain 3 or more characters of the user/first/last name.')),
"249" => array ("Headline" => _('External password check'), "249" => array ("Headline" => _('External password check'),
"Text" => _('Please specify the URL (e.g. "https://api.pwnedpasswords.com/range/{SHA1PREFIX}") of your external password check and the severity if the check fails.')), "Text" => _('Please specify the URL (e.g. "https://api.pwnedpasswords.com/range/{SHA1PREFIX}") of your external password check.')),
"250" => array ("Headline" => _("Filter"), "250" => array ("Headline" => _("Filter"),
"Text" => _("Here you can input simple filter expressions (e.g. 'value' or 'v*'). The filter is case-sensitive.")), "Text" => _("Here you can input simple filter expressions (e.g. 'value' or 'v*'). The filter is case-sensitive.")),
"260" => array ("Headline" => _("Additional LDAP filter"), "260" => array ("Headline" => _("Additional LDAP filter"),