diff --git a/openstack/keystone/debian/deb_patches/0003-Enforce-new-password-rules-to-keystone-accounts.patch b/openstack/keystone/debian/deb_patches/0003-Enforce-new-password-rules-to-keystone-accounts.patch
new file mode 100644
index 00000000..5021c0e1
--- /dev/null
+++ b/openstack/keystone/debian/deb_patches/0003-Enforce-new-password-rules-to-keystone-accounts.patch
@@ -0,0 +1,57 @@
+From 4a5f7c44497c079844dbf86ebc3c92bf9eba7f91 Mon Sep 17 00:00:00 2001
+From: Karla Felix
+Date: Thu, 4 Apr 2024 13:17:13 -0300
+Subject: [PATCH] Enforce new password rules to keystone accounts
+
+This review will be enforcing new password rules to Keystone accounts,
+the new rules are:
+- Minimum 12 characters
+- At least 1 Uppercase letter
+- At least 1 number
+- At least 1 special character
+- Cannot reuse past 5 passwords
+
+Signed-off-by: Karla Felix
+---
+ debian/stx/password-rules.conf | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/debian/stx/password-rules.conf b/debian/stx/password-rules.conf
+index ac18ef9..2f10f8e 100644
+--- a/debian/stx/password-rules.conf
++++ b/debian/stx/password-rules.conf
+@@ -18,20 +18,27 @@
+ # feature, values must be greater than 1. This feature depends on the `sql`
+ # backend for the `[identity] driver`. (integer value)
+ # Minimum value: 1
+-unique_last_password_count = 3
++unique_last_password_count = 5
+ 
+ # The regular expression used to validate password strength requirements. By
+ # default, the regular expression will match any password. The following is an
+ # example of a pattern which requires at least 1 letter, 1 digit, and have a
+-# minimum length of 7 characters: ^(?=.*\d)(?=.*[a-zA-Z]).{7,}$ This feature
++# minimum length of 12 characters: ^(?=.*\d)(?=.*[a-zA-Z]).{12,}$ This feature
+ # depends on the `sql` backend for the `[identity] driver`. (string value)
+-password_regex = ^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*()<>{}+=_\\\[\]\-?|~`,.;:]).{7,}$
++password_regex = ^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*()<>{}+=_\\\[\]\-?|~`,.;:]).{12,}$
+ 
+ # Describe your password regular expression here in language for humans. If a
+ # password fails to match the regular expression, the contents of this
+ # configuration variable will be returned to users to explain why their
+ # requested password was insufficient. (string value)
+-password_regex_description = Password must have a minimum length of 7 characters, and must contain at least 1 upper case, 1 lower case, 1 digit, and 1 special character
++password_regex_description = Password must have a minimum length of 12 characters, and must contain at least 1 upper case, 1 lower case, 1 digit, and 1 special character
++
++# Describe in a message if the password input does not comply with the regex
++# rules.
++password_regex_error_description = Password does not fit one of this requirements: have a minimum lenght of 12 characters, contain at least 1 upper case, 1 lower case, 1 digit, and 1 special character.
++
++# Specifies the number of days after which passwords expire and must be changed.
++password_expires_days = 90
+ 
+ # The number of seconds a user account will be locked when the maximum number
+ # of failed authentication attempts (as specified by `[security_compliance]
+--
+2.34.1
+
diff --git a/openstack/keystone/debian/deb_patches/series b/openstack/keystone/debian/deb_patches/series
index f03dacc3..9ae19b64 100644
--- a/openstack/keystone/debian/deb_patches/series
+++ b/openstack/keystone/debian/deb_patches/series
@@ -1,2 +1,3 @@
 0001-Add-stx-support.patch
 0002-Add-login-fail-lockout-security-compliance-options.patch
+0003-Enforce-new-password-rules-to-keystone-accounts.patch
\ No newline at end of file
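Review bot: `password_regex_error_description`, added in the inner hunk right after `password_regex_description`, does not match any `[security_compliance]` option I know of in keystone (the documented pair is `password_regex` and `password_regex_description`), and oslo.config ignores unknown keys without error, so that message would never reach a user; confirm it against the keystone version being packaged and either drop it or fold its wording into `password_regex_description`, fixing the typos in the string while at it (`lenght`, `one of this requirements`). Separately, `password_expires_days = 90` applies to every SQL-backed user, including service accounts whose passwords live in other services' config files; unless those users carry the `ignore_password_expiry` user option or are rotated before expiry, their authentication will start failing after 90 days, so a comment above the option stating how service accounts are handled would help, e.g. `# Service accounts must set the ignore_password_expiry user option or be rotated before expiry.` Also note that the regex's special-character class omits space, `/`, `"` and `'`, so a password whose only symbol is one of those is rejected even though the description promises "1 special character"; either widen the class or name the accepted set in `password_regex_description`. The enclosing `[security_compliance]` section header and the lockout options that follow lie outside this hunk.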
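Review bot: The added `0003-Enforce-new-password-rules-to-keystone-accounts.patch` line is written without a trailing newline (the `\ No newline at end of file` marker follows it, while the previous last line `0002-...` was a newline-terminated context line), so this commit introduces an unterminated final line in `series`; a shell loop of the form `while read p` drops such a line, which would silently skip applying this patch, whereas quilt's sed-based parsing and dpkg-source tolerate it — whichever tool consumes `deb_patches/series` in this build should be checked. Terminating the line costs nothing and removes the question.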