Enhance ClearOS 6 Password Policy

Background

Our customer uses ClearOS 6 (professional edition) to store user passwords, and almost all of their applications use it for external authentication so that users only have to remember one password; Zimbra is one of those applications.

Recently the public IP used for outgoing mail was listed in an RBL. Checking the server, we found that some user accounts had been hijacked and were sending spam to outside domains (gmail.com, outlook.com, etc.). I set the suspected accounts' status to closed in Zimbra and reset their passwords to random values, but this kept happening quite frequently.

I then wrote a simple PHP script using the ClearOS API to scan for weak passwords (based on a list). Surprisingly, a bunch of users had weak passwords such as “Passwd11”, “Paasword88”, etc., so I concluded that the built-in password policy in ClearOS is not strong enough to prevent this.

Solution

Based on my experience creating and modifying ClearOS modules (they are just PHP code), I modified the ClearOS users module to enforce a password policy with the following criteria:

  • Maximum length
  • Minimum length
  • Minimum uppercase
  • Minimum numeric character
  • Minimum punctuation character
  • Forbid the username from appearing within the password
  • Forbid passwords that appear in a weak password list.

Some warnings before going further:

  • The modification will be overwritten if the app-users-core or app-user-profile RPM package is updated, so both package names must be added to the exclude list in the yum configuration file.
  • If you are using ClearOS as a PDC/BDC for domain-joined Windows PCs, this password policy does not affect the Samba password policy, so you may want to disable user password changes from the desktop.

Steps

Note: the prefix [CA] refers to /usr/clearos/apps/ to shorten the paths.

  • Create the password validator file at [CA]/users/libraries/Custom_Password_Validator.php.
  • Create the weak password list at [CA]/users/libraries/custom_weak_passwd_list.php
  • Create the password policy rule file at [CA]/users/libraries/custom_password_policy.php
  • Patch [CA]/users/controllers/users.php, which handles password changes from the admin dashboard, as follows (the added lines begin with the comment omarov). You may adjust this yourself.
///////////////////////////////////////////////////////////////////////////////
// D E P E N D E N C I E S
///////////////////////////////////////////////////////////////////////////////

use \clearos\apps\accounts\Accounts_Engine as Accounts_Engine;
use \clearos\apps\accounts\Accounts_Not_Initialized_Exception as Accounts_Not_Initialized_Exception;
use \clearos\apps\accounts\Accounts_Driver_Not_Set_Exception as Accounts_Driver_Not_Set_Exception;
use \clearos\apps\groups\Group_Engine as Group_Engine;

// omarov: load the custom password validator library
use \clearos\apps\users\Custom_Password_Validator as Custom_Password_Validator;
clearos_load_library('users/Custom_Password_Validator');

and, further down in the same file, after the built-in form validation has run:

        // Validate groups
        //----------------

        foreach ($all_groups as $group)
            $this->form_validation->set_policy("group[$group]", 'accounts/Accounts_Engine', 'validate_plugin_state');

        $form_ok = $this->form_validation->run();

        /* omarov: custom policy checker */
        // The username comes from the submitted form; FALSE if not present
        $usrinf = $this->input->post('user_info');
        $usrn = isset($usrinf['core']['username']) ? $usrinf['core']['username'] : FALSE;

        // validate() returns an error message on violation, or a falsy value when the password is acceptable
        if ($err = Custom_Password_Validator::validate($password, $usrn)) {
                $this->form_validation->set_error('password', $err);
                $form_ok = FALSE;
        }
        /* omarov: end */

  • Patch [CA]/user_profile/controllers/user_profile.php, which handles password changes from the user's own profile page, as follows (the added lines begin with the comment omarov). You may adjust this yourself.
///////////////////////////////////////////////////////////////////////////////
// D E P E N D E N C I E S
///////////////////////////////////////////////////////////////////////////////

use \clearos\apps\accounts\Accounts_Engine as Accounts_Engine;
use \Exception as Exception;

// omarov: load the custom password validator library
use \clearos\apps\users\Custom_Password_Validator as Custom_Password_Validator;
clearos_load_library('users/Custom_Password_Validator');

and, further down in the same file, in the extra validation section:
        // Extra Validation
        //------------------

        $old_password = ($this->input->post('old_password')) ? $this->input->post('old_password') : '';
        $password = ($this->input->post('password')) ? $this->input->post('password') : '';
        $verify = ($this->input->post('verify')) ? $this->input->post('verify') : '';

        /* omarov begin: custom password policy */
        // The logged-in user's name comes from the session, not from the form
        $usrn = $this->session->userdata('username');
        if ($err = Custom_Password_Validator::validate($password, $usrn)) {
            $this->form_validation->set_error('password', $err);
            $form_ok = FALSE;
        }
        /* omarov: end */
  • Add the app-users-core and app-user-profile packages to the yum exclude list so that package updates do not overwrite the patches:
vim /etc/yum.conf

exclude=app-users-core app-user-profile
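As an added, illustrative example (not the post's own Custom_Password_Validator.php, whose content is not reproduced here), the following standalone PHP class implements the seven criteria listed under Solution with the same validate($password, $username) signature that the two patches above call. The class name Example_Password_Validator, the thresholds in $policy (which in the post live in custom_password_policy.php) and the sample weak list (in the post, custom_weak_passwd_list.php) are assumptions chosen for this example; it is written to run on the PHP 5.3 shipped with ClearOS 6.

```php
<?php
// Added example, not the post's Custom_Password_Validator.php. Class name,
// policy thresholds and weak list are assumptions for illustration only.

class Example_Password_Validator
{
    // Policy thresholds (assumed values; the post keeps these in
    // custom_password_policy.php).
    private static $policy = array(
        'max_length'      => 64,
        'min_length'      => 10,
        'min_uppercase'   => 1,
        'min_numeric'     => 1,
        'min_punctuation' => 1,
    );

    // Constructed weak-password list (the post keeps it in
    // custom_weak_passwd_list.php). Entries are lowercase; comparison is
    // case-insensitive.
    private static $weak_list = array(
        'password', 'passwd11', 'paasword88', 'qwerty123', 'welcome1',
    );

    /**
     * Returns an error message string on the first violated rule, or FALSE
     * when the password satisfies every rule. A non-empty string is truthy,
     * which is what the "if ($err = ...validate(...))" call sites rely on.
     */
    public static function validate($password, $username = FALSE)
    {
        $p = self::$policy;
        $len = strlen($password);

        if ($len > $p['max_length'])
            return "Password must be at most {$p['max_length']} characters.";
        if ($len < $p['min_length'])
            return "Password must be at least {$p['min_length']} characters.";

        // preg_match_all() returns the number of matches, so it serves as a
        // character-class counter. The $m argument is mandatory on PHP 5.3.
        if (preg_match_all('/[A-Z]/', $password, $m) < $p['min_uppercase'])
            return "Password needs at least {$p['min_uppercase']} uppercase letter(s).";
        if (preg_match_all('/[0-9]/', $password, $m) < $p['min_numeric'])
            return "Password needs at least {$p['min_numeric']} digit(s).";
        // [[:punct:]] matches printable ASCII that is neither alphanumeric nor space.
        if (preg_match_all('/[[:punct:]]/', $password, $m) < $p['min_punctuation'])
            return "Password needs at least {$p['min_punctuation']} punctuation character(s).";

        // The username must not appear anywhere in the password, in any case.
        if ($username !== FALSE && $username !== '' && stripos($password, $username) !== FALSE)
            return "Password must not contain the username.";

        // Reject weak-list entries outright, and also weak entries padded with
        // trailing digits (the "Passwd11" pattern seen on the hijacked accounts).
        $lower    = strtolower($password);
        $stripped = rtrim($lower, '0123456789');
        foreach (self::$weak_list as $weak) {
            if ($lower === $weak || $stripped === $weak)
                return "Password is on the weak-password list.";
        }

        return FALSE;
    }
}

// Usage: only runs when the file is executed from the command line, so the
// class can also be included from a controller without side effects.
if (PHP_SAPI === 'cli') {
    $cases = array(                      // constructed sample inputs
        array('Passwd11',     'budi'),   // rejected: on weak list
        array('Paasword88',   'budi'),   // rejected: on weak list
        array('budi2019!Xyz', 'budi'),   // rejected: contains username
        array('Tr0ub4dor&3',  'budi'),   // accepted: meets every rule
    );
    foreach ($cases as $c) {
        $err = Example_Password_Validator::validate($c[0], $c[1]);
        printf("%-14s -> %s\n", $c[0], ($err === FALSE) ? 'accepted' : $err);
    }
}
```

The checks are ordered cheapest first and stop at the first failure, so the user sees one actionable message per attempt, which matches how set_error('password', $err) is used in both patches. If the weak list grows large, store it lowercase in a hash map (array keys) instead of iterating, since the validator runs on every password change.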

 

Result

An error message is shown when a user tries to set a weak password.

[Screenshot: passwd_pol1.png]
