Add support for MAX PASSWORD LENGTH
As per the NIST guideline https://pages.nist.gov/800-63-4/sp800-63b.html,
verifiers and CSPs SHOULD permit a maximum password length of at least
64 characters, so this change adds that support. It is added as a meson
option so that each organization can configure its own MAX PASSWORD
LENGTH. The default value follows the NIST guideline recommendation.
Testing:
Validated MinPasswordLength > MaxPasswordLength test cases; they worked
as expected.
Change-Id: I75b0056a0acc038d3103016ebbdaa6be08df74a1
Signed-off-by: Chandramohan Harkude <chandramohan.harkude@gmail.com>
diff --git a/user_mgr.cpp b/user_mgr.cpp
index f4e745f..2aa15e8 100644
--- a/user_mgr.cpp
+++ b/user_mgr.cpp
@@ -60,6 +60,7 @@
static constexpr int success = 0;
static constexpr int failure = -1;
+uint8_t maxPasswdLength = MAX_PASSWORD_LENGTH;
// pam modules related
static constexpr const char* minPasswdLenProp = "minlen";
static constexpr const char* remOldPasswdCount = "remember";
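Review bot: `maxPasswdLength` on the added line is a mutable global with external linkage, unlike the `static constexpr` constants around it, and the plain `=` initialisation into `uint8_t` would silently truncate a configured `MAX_PASSWORD_LENGTH` above 255. Unless another translation unit needs to modify it, declaring it as `static constexpr uint8_t maxPasswdLength{MAX_PASSWORD_LENGTH};` keeps the limit immutable and turns an out-of-range option value into a compile error. Whether the meson option itself is range-limited is not visible here; if it is not, a lower bound of 64 on the option would keep builds within the NIST guidance cited in the commit message.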
@@ -589,14 +590,15 @@
{
return value;
}
- if (value < minPasswdLength)
+ if (value < minPasswdLength || value > maxPasswdLength)
{
+ std::string valueStr = std::to_string(value);
lg2::error("Attempting to set minPasswordLength to {VALUE}, less than "
- "{MINVALUE}",
- "VALUE", value, "MINVALUE", minPasswdLength);
- elog<InvalidArgument>(
- Argument::ARGUMENT_NAME("minPasswordLength"),
- Argument::ARGUMENT_VALUE(std::to_string(value).c_str()));
+ "{MINPASSWORDLENGTH} or greater than {MAXPASSWORDLENGTH}",
+ "VALUE", value, "MINPASSWORDLENGTH", minPasswdLength,
+ "MAXPASSWORDLENGTH", maxPasswdLength);
+ elog<InvalidArgument>(Argument::ARGUMENT_NAME("minPasswordLength"),
+ Argument::ARGUMENT_VALUE(valueStr.data()));
}
if (setPamModuleConfValue(pwQualityConfigFile, minPasswdLenProp,
std::to_string(value)) != success)
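Review bot: Nothing at the new `value > maxPasswdLength` test explains why a minimum-length setting is capped by the maximum. A one-line comment above the `if` would help, for example `// a minimum above the configured maximum length could never be satisfied`, assuming that is the intent. If `minPasswdLength` is a compile-time constant (its declaration is outside the hunk), a `static_assert(MAX_PASSWORD_LENGTH >= minPasswdLength);` next to the declarations would catch a build where the accepted range is empty. On style, `valueStr.c_str()` states the NUL-terminated intent more clearly than `valueStr.data()`. The enclosing function starts and ends outside the hunk.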