Bug 676396 – users: Optionally use libpwquality for password handling

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 676396 - users: Optionally use libpwquality for password handling


Summary:	users: Optionally use libpwquality for password handling


Status:	RESOLVED FIXED

Product:	gnome-control-center
Classification:	Core
Component:	User Accounts
Version:	unspecified
Hardware:	Other All

Importance:	Normal normal
Target Milestone:	---
Assigned To:	Control-Center Maintainers
QA Contact:	Control-Center Maintainers

URL:
Whiteboard:

Duplicates:	676392 676393 676394 676395 (view as bug list)
Depends on:
Blocks:

Reported:	2012-05-19 21:47 UTC by Matthias Clasen
Modified:	2012-05-23 14:44 UTC

See Also:
GNOME target:	---
GNOME version:	---

Attachments
users: Optionally use libpwquality for password handling (5.90 KB, patch) 2012-05-19 21:47 UTC, Matthias Clasen	reviewed	Details \| Review
users: Pass more information to password checker (4.56 KB, patch) 2012-05-19 21:47 UTC, Matthias Clasen	reviewed	Details \| Review
separate out password handling (12.39 KB, patch) 2012-05-23 13:19 UTC, Matthias Clasen	accepted-commit_now	Details \| Review
use libpwquality (6.72 KB, patch) 2012-05-23 13:20 UTC, Matthias Clasen	reviewed	Details \| Review
pass more information to password checker (3.77 KB, patch) 2012-05-23 13:21 UTC, Matthias Clasen	accepted-commit_now	Details \| Review

Description Matthias Clasen 2012-05-19 21:47:14 UTC

Using a library for password generation and quality checking
has the obvious benefit that we can have centralized policy
for password quality.

Comment 1 Matthias Clasen 2012-05-19 21:47:16 UTC

Created attachment 214462 [details] [review]
users: Optionally use libpwquality for password handling

Comment 2 Matthias Clasen 2012-05-19 21:47:35 UTC

Created attachment 214463 [details] [review]
users: Pass more information to password checker

Passing the username and the old password allows the password
quality check find more bad passwords.
Also, add a way to provide more information about what is
bad about a password.

Comment 3 Matthias Clasen 2012-05-19 22:16:32 UTC

The patch here applies on top of bug 633601

Comment 4 Matthias Clasen 2012-05-20 01:26:44 UTC

*** Bug 676392 has been marked as a duplicate of this bug. ***

Comment 5 Matthias Clasen 2012-05-20 01:27:47 UTC

*** Bug 676393 has been marked as a duplicate of this bug. ***

Comment 6 Matthias Clasen 2012-05-20 01:28:06 UTC

*** Bug 676394 has been marked as a duplicate of this bug. ***

Comment 7 Matthias Clasen 2012-05-20 01:28:31 UTC

*** Bug 676395 has been marked as a duplicate of this bug. ***

Comment 8 Matthias Clasen 2012-05-21 10:22:08 UTC

I've sent a patch to tmraz btw - the next release of libpwquality will include a pc file

Comment 9 Bastien Nocera 2012-05-21 11:52:51 UTC

Review of attachment 214462 [details] [review]:

Looks good. Any reason why we can't make it a hard requirement though?

Comment 10 Bastien Nocera 2012-05-21 11:53:42 UTC

Review of attachment 214463 [details] [review]:

Looks good.

Comment 11 André Klapper 2012-05-21 11:58:04 UTC

Is there any tarball directory? https://fedorahosted.org/libpwquality/ seems to only provide a Mercurial repository.

Comment 12 Matthias Clasen 2012-05-21 12:33:58 UTC

(In reply to comment #9)
> Review of attachment 214462 [details] [review]:
> 
> Looks good. Any reason why we can't make it a hard requirement though?

We could, but libpwquality is a fairly new project, and looks like a fedora-only thing so far, and the security guys are not really good at selling their stuff, unfortunately.

Making it initially optional will reduce the transition pain a bit.

Comment 13 Matthias Clasen 2012-05-21 12:34:59 UTC

(In reply to comment #11)
> Is there any tarball directory? https://fedorahosted.org/libpwquality/ seems to
> only provide a Mercurial repository.

https://fedorahosted.org/releases/l/i/libpwquality/

seems to have tarballs

Comment 14 Bastien Nocera 2012-05-23 11:07:51 UTC

libpwquality is in jhbuild now, waiting on updated patch, and mail to d-d-l.

Comment 15 Matthias Clasen 2012-05-23 13:19:38 UTC

Created attachment 214758 [details] [review]
separate out password handling

Comment 16 Matthias Clasen 2012-05-23 13:20:06 UTC

Created attachment 214759 [details] [review]
use libpwquality

Comment 17 Matthias Clasen 2012-05-23 13:21:03 UTC

Created attachment 214760 [details] [review]
pass more information to password checker

Comment 18 Bastien Nocera 2012-05-23 13:40:57 UTC

Review of attachment 214758 [details] [review]:

.

Comment 19 Bastien Nocera 2012-05-23 13:42:06 UTC

Review of attachment 214759 [details] [review]:

configure.ac only has some whitespace changes.

Comment 20 Bastien Nocera 2012-05-23 13:42:32 UTC

Review of attachment 214760 [details] [review]:

.

Comment 21 Bastien Nocera 2012-05-23 13:43:13 UTC

Also mention that apg isn't required anymore, for the libpwquality patch.

Comment 22 Matthias Clasen 2012-05-23 14:44:46 UTC

Thanks, pushed with those changes