
yahoo-eng-team team mailing list archive

[Bug 1521805] Re: Exceeding max password length of 4096 doesn't prompt error

Hi Karan,

You should be able to enforce strict password checking in keystone [0].
The strict_password_check should pull in the max_password_length value
in its check [1]. Strict password checking isn't enabled by default.
Try enabling that in your test and see if that helps. I was able to
create a user with a 9k length password without strict password. After
enabling strict password checking, I'm unable to create users with long
passwords:

$ openstack user create --password $LONG_PASSWORD garbage-user
The password length must be less than or equal to 4096. The server could not comply with the request because the password is invalid. (HTTP 403) (Request-ID: req-aeda2e94-ce57-4afc-baa8-d74a832e3404)

The following came from the keystone log:

2015-12-02 22:22:07.011 8637 WARNING keystone.common.wsgi [req-aeda2e94-ce57-4afc-baa8-d74a832e3404 abc1b51cb8c343348e8aa817946955a1 1d14fe4441fb4b0e838300da363f4b29 - default default] The password length must be less than or equal to 4096. The server could not comply with the request because the password is invalid.

Let me know if this helps and if you still hit issues we can reopen the
bug.

[0] https://github.com/openstack/keystone/blob/5fb8db8a5d89447d2dab5bdee76a978e3f52aea2/etc/keystone.conf.sample#L70-L74
[1] https://github.com/openstack/keystone/blob/5fb8db8a5d89447d2dab5bdee76a978e3f52aea2/etc/keystone.conf.sample#L886-L889

** Changed in: keystone
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1521805

Title:
  Exceeding max password length of 4096 doesn't prompt error

Status in OpenStack Identity (keystone):
  Invalid

Bug description:
  While creating a user or updating the password of a user, if the
  password exceeds the maximum of 4096 characters then no error appears to the
  user, and it seems it's working normally.

  While creating or updating a user's password there could be 3 scenarios:
  1) Password < 4096 characters
  2) Password = 4096 characters
  3) Password > 4096 characters

  In case (1) the password can be set and used normally.
  In cases (2) and (3) the password can be set, but if this user's credentials are used it gives an authentication error.

  For cases (2) and (3), while setting or updating the password an alert message should be given to the user, like "password exceeds maximum acceptable character length".
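The following Python is an added example, not keystone's own code and not part of the reply or the bug report above. It models the check the reply describes: with strict_password_check off, a password of any length is accepted silently (the behaviour the reporter saw), and with it on, anything longer than max_password_length (4096) is refused with the message that appears in the keystone log. It then runs the reporter's three scenarios under both settings. The function and class names (check_password_length, PasswordVerificationError, set_password_outcome, classify, demo) are assumptions of this example; only the two option names and the 4096 limit come from the thread.

```python
# Added example, not keystone's code: a length check modelled on the
# behaviour the reply above describes. Helper names are assumptions of this
# example; only max_password_length, strict_password_check and the 4096
# limit come from the thread.

MAX_PASSWORD_LENGTH = 4096  # the max_password_length value from the thread


class PasswordVerificationError(Exception):
    """Raised when strict checking refuses an over-length password."""


def check_password_length(password, max_password_length=MAX_PASSWORD_LENGTH,
                          strict_password_check=False):
    """Validate a password being set or updated and return it unchanged.

    strict_password_check=False: any length is accepted silently, which is
    the behaviour the bug report complains about.
    strict_password_check=True: passwords longer than max_password_length
    are refused with the message seen in the keystone log. The wording is
    "less than or equal to", so exactly 4096 characters passes the check.
    """
    if strict_password_check and len(password) > max_password_length:
        raise PasswordVerificationError(
            "The password length must be less than or equal to %d."
            % max_password_length)
    return password


def classify(password, max_password_length=MAX_PASSWORD_LENGTH):
    """Name the scenario from the bug description a password falls into."""
    if len(password) < max_password_length:
        return "case 1: shorter than limit"
    if len(password) == max_password_length:
        return "case 2: exactly at limit"
    return "case 3: over limit"


def set_password_outcome(password, strict_password_check):
    """Run the check and report 'accepted' or the refusal message."""
    try:
        check_password_length(password,
                              strict_password_check=strict_password_check)
        return "accepted"
    except PasswordVerificationError as exc:
        return str(exc)


def demo():
    """Walk the three scenarios under both settings (inputs constructed here)."""
    samples = {
        "case 1": "x" * 10,
        "case 2": "x" * MAX_PASSWORD_LENGTH,
        "case 3": "x" * (MAX_PASSWORD_LENGTH + 1),
    }
    results = {}
    for name, pw in samples.items():
        for strict in (False, True):
            results[(name, strict)] = set_password_outcome(pw, strict)
    return results


if __name__ == "__main__":
    for (name, strict), outcome in sorted(demo().items()):
        print("%s strict=%s -> %s" % (name, strict, outcome))
```

Two caveats when reading the output: the example only models the check at the moment a password is set or updated, and the thread does not explain why authentication later fails in the reporter's cases (2) and (3), so nothing here reproduces that; and because the refusal message is "less than or equal to", the strict check as modelled accepts a password of exactly 4096 characters, which is the reporter's case (2). The reply's links [0] and [1] point at the keystone.conf.sample lines documenting the two options.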

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1521805/+subscriptions
