Posted to commits@guacamole.apache.org by jm...@apache.org on 2017/01/05 22:30:16 UTC
[1/3] incubator-guacamole-manual git commit: GUACAMOLE-36: Document JDBC auth's password policy properties.
Repository: incubator-guacamole-manual
Updated Branches:
refs/heads/master 07e4ee423 -> b7dc148b5
GUACAMOLE-36: Document JDBC auth's password policy properties.
Project: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-manual/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-manual/commit/b76c7f59
Tree: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-manual/tree/b76c7f59
Diff: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-manual/diff/b76c7f59
Branch: refs/heads/master
Commit: b76c7f591be21587c0d4c5fad64178a71f43d8a2
Parents: 79ada45
Author: Michael Jumper <mj...@apache.org>
Authored: Tue Aug 23 12:11:33 2016 -0700
Committer: Michael Jumper <mj...@apache.org>
Committed: Wed Oct 19 23:08:32 2016 -0700
----------------------------------------------------------------------
src/chapters/jdbc-auth.xml | 94 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 94 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-guacamole-manual/blob/b76c7f59/src/chapters/jdbc-auth.xml
----------------------------------------------------------------------
diff --git a/src/chapters/jdbc-auth.xml b/src/chapters/jdbc-auth.xml
index e121409..5a0f236 100644
--- a/src/chapters/jdbc-auth.xml
+++ b/src/chapters/jdbc-auth.xml
@@ -455,6 +455,100 @@ postgresql-password: <replaceable>some_password</replaceable></programlisting>
<para>Be sure to specify the correct username and password for the database user you
created, and to specify the correct database. Authentication will not work if these
parameters are not correct.</para>
+ <section>
+ <title>Enforcing password policies</title>
+ <para>Configuration options are available for enforcing rules intended to encourage
+ password complexity and regular changing of passwords. None of these options are
+ enabled by default, but can be selectively enabled through additional properties
+ in <filename>guacamole.properties</filename>.</para>
+ <section>
+ <title>Password complexity</title>
+ <para>Administrators can require that passwords have a certain level of
+ complexity, such as having both uppercase and lowercase letters ("multiple
+ case"), at least one digit, or at least one symbol, and can prohibit
+ passwords from containing the user's own username.</para>
+ <para>For the sake of password content, the database authentication defines a
+ "digit" as any numeric character. This takes non-English languages into
+ account, and is not be simply "0" thorough "9". There are quite a few <link
+ xlink:href="https://en.wikipedia.org/wiki/Numerals_in_Unicode">numeric
+ characters defined by Unicode</link>. A "symbol" is defined as any
+ non-alphanumeric character - any character which Unicode does not define as
+ alphabetic or numeric.</para>
+ <para>The check for whether a password contains the user's own username is
+ performed in a case-insensitive manner. For example, if the user's username
+ is "phil", the passwords "ch!0roPhil" and "PHIL-o-dendr0n" would still be
+ prohibited.</para>
+ <informalexample>
+ <programlisting># MySQL
+mysql-user-password-min-length: <replaceable>8</replaceable>
+mysql-user-password-require-multiple-case: true
+mysql-user-password-require-symbol: true
+mysql-user-password-require-digit: true
+mysql-user-password-prohibit-username: true
+
+# PostgreSQL
+postgresql-user-password-min-length: <replaceable>8</replaceable>
+postgresql-user-password-require-multiple-case: true
+postgresql-user-password-require-symbol: true
+postgresql-user-password-require-digit: true
+postgresql-user-password-prohibit-username: true</programlisting>
+ </informalexample>
+ </section>
+ <section>
+ <title>Password age / expiration</title>
+ <para>"Password age" refers to two separate concepts:</para>
+ <orderedlist>
+ <listitem>
+ <para>Requiring users to change their password after a certain amount of
+ time has elapsed since the last password change (maximum password
+ age).</para>
+ </listitem>
+ <listitem>
+ <para>Preventing users from changing their password too frequently
+ (minimum password age).</para>
+ </listitem>
+ </orderedlist>
+ <para>In both cases, these values are specified in units of days, and are both
+ disabled by default.</para>
+ <para>While it may seem strange to prevent users from changing their password
+ too frequently, it does make sense if you are concerned that rapid password
+ changes may defeat password expiration (users could immediately change the
+ password back) or tracking of password history (users could cycle through
+ passwords until the history is exhausted and their old password is
+ back).</para>
+ <para>So that administrators can always intervene in the case that a password
+ needs to be reset despite restrictions, the minimum age restriction does not
+ apply to any user with permission to administer the system.</para>
+ <informalexample>
+ <programlisting># MySQL
+mysql-user-password-min-age: <replaceable>7</replaceable>
+mysql-user-password-max-age: <replaceable>90</replaceable>
+
+# PostgreSQL
+postgresql-user-password-min-age: <replaceable>7</replaceable>
+postgresql-user-password-max-age: <replaceable>90</replaceable></programlisting>
+ </informalexample>
+ </section>
+ <section>
+ <title>Preventing password reuse</title>
+ <para>If desired, Guacamole can keep track of each user's most recently used
+ passwords, and will prohibit reuse of those passwords until the password has
+ been changed sufficiently many times. By default, Guacamole will not keep
+ track of old passwords.</para>
+ <para>Note that these passwords are hashed in the same manner as each user's
+ current password. When a user's password is changed, the hash, salt, etc.
+ currently stored for that user is actually just copied verbatim (along with
+ a timestamp) into a list of historical passwords, with older entries from
+ this list being automatically deleted.</para>
+ <informalexample>
+ <programlisting># MySQL
+mysql-user-password-history-size: <replaceable>6</replaceable>
+
+# PostgreSQL
+postgresql-user-password-history-size: <replaceable>6</replaceable></programlisting>
+ </informalexample>
+ </section>
+ </section>
<section xml:id="jdbc-auth-concurrency">
<title>Concurrent use of Guacamole connections</title>
<para>The database authentication module provides configuration options to restrict
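Review bot: Typo in the "digit" definition paragraph of the new "Password complexity" section: "and is not be simply "0" thorough "9"" should read "and is not simply "0" through "9"". In the same paragraph, defining a "symbol" as "any character which Unicode does not define as alphabetic or numeric" would, read literally, also count whitespace and control characters as satisfying the symbol requirement; if that is how the check behaves it should be stated, and if not, the definition should be narrowed to match the code. The age section is explicit that its values are "in units of days", but the "min-length" properties never say what they count (characters, which matters given the Unicode discussion above), so a matching unit note would help there too.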
[2/3] incubator-guacamole-manual git commit: GUACAMOLE-36: Document password policy changes to JDBC auth schema.
Posted by jm...@apache.org.
GUACAMOLE-36: Document password policy changes to JDBC auth schema.
Project: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-manual/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-manual/commit/79ada452
Tree: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-manual/tree/79ada452
Diff: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-manual/diff/79ada452
Branch: refs/heads/master
Commit: 79ada4523ef0feec914e0d2f93e11d79415163a8
Parents: 7d53ce2
Author: Michael Jumper <mj...@apache.org>
Authored: Tue Aug 23 11:03:13 2016 -0700
Committer: Michael Jumper <mj...@apache.org>
Committed: Wed Oct 19 23:08:32 2016 -0700
----------------------------------------------------------------------
src/chapters/jdbc-auth.xml | 82 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 82 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-guacamole-manual/blob/79ada452/src/chapters/jdbc-auth.xml
----------------------------------------------------------------------
diff --git a/src/chapters/jdbc-auth.xml b/src/chapters/jdbc-auth.xml
index 05736b6..e121409 100644
--- a/src/chapters/jdbc-auth.xml
+++ b/src/chapters/jdbc-auth.xml
@@ -628,6 +628,17 @@ postgresql-absolute-max-connections: 0</programlisting>
</listitem>
</varlistentry>
<varlistentry>
+ <term><property>password_date</property></term>
+ <listitem>
+ <para>The date (and time) that the password was last changed. If not
+ provided, this will automatically be set to the current time. When a
+ password is changed via the Guacamole interface, this value is updated.
+ This, along with the contents of the
+ <classname>guacamole_user_password_history</classname> table, is
+ used to enforce password policies.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
<term><property>disabled</property></term>
<listitem>
<para>Whether login attempts as this user account should be rejected. If
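Review bot: The new password_date entry says the column "along with the contents of the guacamole_user_password_history table, is used to enforce password policies" without saying which ones; since the maximum and minimum password age rules documented in this chapter are measured from the last password change, this entry should state that password_date is the timestamp those age checks are measured from and link to that section. It would also help to say what an administrator inserting users manually should expect from "If not provided, this will automatically be set to the current time", for example whether setting an explicit past date is a supported way to make a maximum-age policy take effect at first login.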
@@ -732,6 +743,77 @@ INSERT INTO guacamole_user (username, password_salt, password_hash)
<methodname>SHA2</methodname> function, you will need to calculate the SHA-256
value manually (by using the <command>sha256sum</command> command, for
example).</para>
+ <section xml:id="jdbc-auth-schema-password-history">
+ <title>Password history</title>
+ <indexterm>
+ <primary><classname>guacamole_user_password_history</classname></primary>
+ </indexterm>
+ <para>When a user's password is changed, a copy of the previous password's hash and
+ salt is made within the <classname>guacamole_user_password_history</classname>.
+ Each entry in this table is associated with the user whose password changed,
+ along with the date that password first applied.</para>
+ <para>Old entries within this table are automatically deleted on a per-user basis
+ depending on the requirements of the password policy. For example, if the
+ password policy has been configured to require that users not reuse any of their
+ previous six passwords, then there will be no more than six entries in this
+ table for each user.</para>
+ <variablelist>
+ <varlistentry>
+ <term><property>password_history_id</property></term>
+ <listitem>
+ <para>The unique integer associated with each password history record.
+ This value is generated automatically when a new entry is inserted
+ into the <classname>guacamole_user_password_history</classname>
+ table.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><property>user_id</property></term>
+ <listitem>
+ <para>The value of the <property>user_id</property> column from the
+ entry in <classname>guacamole_user</classname> associated with the
+ user who previously had this password.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><property>password_hash</property></term>
+ <listitem>
+ <para>The hashed password specified within the
+ <property>password_hash</property> column of
+ <classname>guacamole_user</classname> prior to the password
+ being changed.</para>
+ <para>In most cases, this will be a salted hash, though it is possible
+ to force the use of unsalted hashes when making changes to the
+ database manually or through an external system.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><property>password_salt</property></term>
+ <listitem>
+ <para>The salt value specified within the
+ <property>password_salt</property> column of
+ <classname>guacamole_user</classname> prior to the password
+ being changed.</para>
+ <para>This will always be set for users whose passwords are set through
+ Guacamole, but it is possible to use unsalted password hashes when
+ inserted manually or through an external system, in which case this
+ may be <constant>NULL</constant>.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><property>password_date</property></term>
+ <listitem>
+ <para>The date (and time) that the password was set. The time that the
+ password ceased being used is recorded either by the password_date
+ of the next related entry in
+ <classname>guacamole_user_password_history</classname> or
+ <property>password_date</property> of
+ <classname>guacamole_user</classname> (if there is no such
+ history entry).</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </section>
</section>
<section xml:id="jdbc-auth-schema-connections">
<title>Connections and parameters</title>
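Review bot: The opening paragraph of the new "Password history" section is missing a word: "a copy of the previous password's hash and salt is made within the guacamole_user_password_history." should end "... within the guacamole_user_password_history table." In the password_date entry, the first "password_date" is plain text while the second is wrapped in <property>; wrap both for consistency with the rest of the variablelist. The password_hash and password_salt entries note that history rows may hold unsalted hashes with a NULL salt; a sentence stating that the reuse check hashes the candidate password with each history row's own salt (or none, when the salt is NULL) would make the behaviour clear to anyone populating this table from an external system.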
[3/3] incubator-guacamole-manual git commit: GUACAMOLE-36: Merge documentation for password policies and associated schema changes.
Posted by jm...@apache.org.
GUACAMOLE-36: Merge documentation for password policies and associated schema changes.
Project: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-manual/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-manual/commit/b7dc148b
Tree: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-manual/tree/b7dc148b
Diff: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-manual/diff/b7dc148b
Branch: refs/heads/master
Commit: b7dc148b540233184297fea8bdb32e31fde79c90
Parents: 07e4ee4 b76c7f5
Author: James Muehlner <ja...@guac-dev.org>
Authored: Thu Jan 5 14:29:34 2017 -0800
Committer: James Muehlner <ja...@guac-dev.org>
Committed: Thu Jan 5 14:29:34 2017 -0800
----------------------------------------------------------------------
src/chapters/jdbc-auth.xml | 176 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 176 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-guacamole-manual/blob/b7dc148b/src/chapters/jdbc-auth.xml
----------------------------------------------------------------------