diff --git a/openstack/keystone/debian/deb_patches/0002-Add-login-fail-lockout-security-compliance-options.patch b/openstack/keystone/debian/deb_patches/0002-Add-login-fail-lockout-security-compliance-options.patch
new file mode 100644
index 00000000..b65d20cc
--- /dev/null
+++ b/openstack/keystone/debian/deb_patches/0002-Add-login-fail-lockout-security-compliance-options.patch
@@ -0,0 +1,44 @@
+From 8cf5b37f70ade287cb5eaea7dd48d1eeb1ae737d Mon Sep 17 00:00:00 2001
+From: Andy Ning
+Date: Mon, 14 Mar 2022 10:35:39 -0400
+Subject: [PATCH] Add login fail lockout security compliance options
+
+Added two login fail lockout security compliance options:
+lockout_duration
+lockout_failure_attempts
+
+Signed-off-by: Andy Ning
+---
+ debian/stx/password-rules.conf | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/debian/stx/password-rules.conf b/debian/stx/password-rules.conf
+index e7ce656..ac18ef9 100644
+--- a/debian/stx/password-rules.conf
++++ b/debian/stx/password-rules.conf
+@@ -32,3 +32,22 @@ password_regex = ^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*()<>{}+=_\\\[\]\-?
+ # configuration variable will be returned to users to explain why their
+ # requested password was insufficient. (string value)
+ password_regex_description = Password must have a minimum length of 7 characters, and must contain at least 1 upper case, 1 lower case, 1 digit, and 1 special character
++
++# The number of seconds a user account will be locked when the maximum number
++# of failed authentication attempts (as specified by `[security_compliance]
++# lockout_failure_attempts`) is exceeded. Setting this option will have no
++# effect unless you also set `[security_compliance] lockout_failure_attempts`
++# to a non-zero value. This feature depends on the `sql` backend for the
++# `[identity] driver`. (integer value)
++# Minimum value: 1
++lockout_duration=1800
++
++# The maximum number of times that a user can fail to authenticate before the
++# user account is locked for the number of seconds specified by
++# `[security_compliance] lockout_duration`. This feature is disabled by
++# default. If this feature is enabled and `[security_compliance]
++# lockout_duration` is not set, then users may be locked out indefinitely
++# until the user is explicitly enabled via the API. This feature depends on
++# the `sql` backend for the `[identity] driver`. (integer value)
++# Minimum value: 1
++lockout_failure_attempts=5
+-- 
+2.25.1
+
diff --git a/openstack/keystone/debian/deb_patches/series b/openstack/keystone/debian/deb_patches/series
index 0f1e4261..f03dacc3 100644
--- a/openstack/keystone/debian/deb_patches/series
+++ b/openstack/keystone/debian/deb_patches/series
@@ -1 +1,2 @@
 0001-Add-stx-support.patch
+0002-Add-login-fail-lockout-security-compliance-options.patch
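Review bot: The two new keys are written as `lockout_duration=1800` and `lockout_failure_attempts=5`, without the spaces around `=` that the surrounding entries in password-rules.conf use (`password_regex_description = ...`); for consistency write `lockout_duration = 1800` and `lockout_failure_attempts = 5`. The added comments place both options under `[security_compliance]`, but the section header is above the inner hunk (which starts at line 32 of the file), so it is worth confirming that password-rules.conf is loaded into that section, otherwise the keys are silently ignored rather than rejected. Enabling lockout means repeated failed logins against a known user name lock that account, including service accounts, for 1800 seconds; if that is a concern for this deployment, Keystone's `lockout_ignored_user_ids` option can exempt specific accounts, and lockout events should be picked up by monitoring. The series change is a one-line addition and needs no further review.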