From 77e2a4a0b06d74d94e8a3bab31bc88ac5ff3e267 Mon Sep 17 00:00:00 2001 From: Paolo Perego Date: Fri, 21 Jul 2023 11:37:23 +0200 Subject: [PATCH] Adding RFC for password limitations removal epic task --- accepted/0000-remove-password-limitations.md | 31 ++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 accepted/0000-remove-password-limitations.md diff --git a/accepted/0000-remove-password-limitations.md b/accepted/0000-remove-password-limitations.md new file mode 100644 index 00000000..177b90b6 --- /dev/null +++ b/accepted/0000-remove-password-limitations.md @@ -0,0 +1,31 @@ +- Feature Name: remove_password_limitations +- Start Date: 2023-07-21 + +# Summary +Remove password limitations when setting up UYUNI with YAST + +Today we give users, strict limitations when choosing a password during UYUNI setup in YAST. We ask not to use spaces, $ or ! and we suggest that a 7 characters password is the lower bound for a good choice. +This suggests to skilled users that we store passwords somewhere in clear text and that we use them in shell scripts. This can also give advice to an attacker to find weaknesses in customer installations. + +I suggest moving over from these limitations, allowing passphrases over passwords with no restriction from characters a user would choose. + +# Motivation +Improve security posture of UYUNI / SUSE Manager product and give more confidence to customer that we handle secrets in a secure way. + +Using passphrase over password will give people a more secure product when dealing with authentication issues. + +# Detailed design +I can assume YAST saves password in configuration files used also in shell script for server management. + +My suggestion is to store all secrets in the database in an encrypted form (bcrypt or salted SHA 512|256) is good. +We will modify the SUMA login API and shell scripts to get a session token using the same mechanism as the WEB UI. Maybe a good idea is to translate all scripts from shell to python so to have requests library doing all work the under the hoods. + +# Drawbacks + +We had to rework all surrounding scripts and this can introduce regressions. + +# Alternatives +We can stay as-is, since the actual scenario works, however this will make our product to sound as a non mature solutions for enterprises in 2023. + +# Unresolved questions +None at the moment \ No newline at end of file