Posted to users@archiva.apache.org by Thad Humphries <th...@gmail.com> on 2015/09/30 18:11:47 UTC

Disable password timeout, reset

I set up an Archiva 2.2 server a while back, and thought I'd succeeded in
disabling the requirement to renew the password after so many days, not
allow reuse of the last X number of passwords, etc. Earlier this week I was
rudely surprised to find that I had to reset my password. How can I stop
this?

I am running Archiva on port 8080, starting it with

$ cd /opt/apache-archiva-2.2.0
$ nohup bin/archiva console start &

I created a ~/.m2/security.properties file based on the one at
http://archiva.apache.org/docs/2.2.0/adminguide/customising-security.html.
Mine is shown below. The two properties in bold I thought would disable
password expiration.

# http://archiva.apache.org/docs/2.2.0/adminguide/customising-security.html
# https://github.com/apache/archiva-redback-core/blob/master/redback-configuration/src/main/resources/org/apache/archiva/redback/config-defaults.properties

# Security Policies
#security.policy.password.encoder=

*security.policy.password.previous.count=-1*
*security.policy.password.expiration.enabled=false*
security.policy.password.expiration.days=180
security.policy.password.expiration.notify.days=10
security.policy.allowed.login.attempt=10

# Password Rules
security.policy.password.rule.alphanumeric.enabled=false
security.policy.password.rule.alphacount.enabled=true
security.policy.password.rule.alphacount.minimum=1
security.policy.password.rule.characterlength.enabled=true
security.policy.password.rule.characterlength.minimum=1
security.policy.password.rule.characterlength.maximum=8
security.policy.password.rule.musthave.enabled=true
security.policy.password.rule.numericalcount.enabled=true
security.policy.password.rule.numericalcount.minimum=1
security.policy.password.rule.reuse.enabled=true
security.policy.password.rule.nowhitespace.enabled=true


Maybe that's not enough? In looking at the archiva-redback-core on GitHub, I
see *two additional settings* under Security Policies:

# turn off the perclick enforcement of various security policies, slightly
# more heavyweight since it will ensure that the User object on each click
# is up to date
security.policy.strict.enforcement.enabled=true
security.policy.strict.force.password.change.enabled=true

So, if I add these properties to my ~/.m2/security.properties file, set
both to false, kill Archiva and restart it, will this disable the password
reset requirement? If not, how can I do so?

--
"Hell hath no limits, nor is circumscrib'd In one self-place; but where we
are is hell, And where hell is, there must we ever be" --Christopher
Marlowe, *Doctor Faustus* (v. 121-24)

Re: Disable password timeout, reset

Posted by Oliver Erhart <ol...@gmail.com>.
You could try to use the Redback Runtime Configuration [1]. With Archiva
2.2.0 this works for me. At least the number of reusing your previous
passwords (security.policy.password.previous.count).

[1]
http://archiva.apache.org/docs/2.2.0/adminguide/redback-runtime-configuration.html#Runtime_properties

--
Oliver Erhart

Thad Humphries <th...@gmail.com> wrote on Thu, 7 Jan 2016 at 15:27:

> On Thu, Oct 1, 2015 at 7:47 AM, Olivier Lamy <ol...@apache.org> wrote:
>
> > Hi,
> >
> > On 1 October 2015 at 02:11, Thad Humphries <th...@gmail.com>
> > wrote:
> >
> > > I set up an Archiva 2.2 server a while back, and thought I'd succeeded in
> > > disabling the requirement to renew the password after so many days, not
> > > allow reuse of the last X number of passwords, etc. Earlier this week I was
> > > rudely surprised to find that I had to reset my password. How can I stop
> > > this?
> > >
> > > I am running Archiva on port 8080, starting it with
> > >
> > > $ cd /opt/apache-archiva-2.2.0
> > > $ nohup bin/archiva console start &
> > >
> > > I created a ~/.m2/security.properties file based on the one at
> > > http://archiva.apache.org/docs/2.2.0/adminguide/customising-security.html.
> > > Mine is shown below. The two properties in bold I thought would disable
> > > password expiration.
> > >
> > > # http://archiva.apache.org/docs/2.2.0/adminguide/customising-security.html
> > > # https://github.com/apache/archiva-redback-core/blob/master/redback-configuration/src/main/resources/org/apache/archiva/redback/config-defaults.properties
> > >
> > > # Security Policies
> > > #security.policy.password.encoder=
> > >
> > > *security.policy.password.previous.count=-1*
> > > *security.policy.password.expiration.enabled=false*
> > > security.policy.password.expiration.days=180
> > > security.policy.password.expiration.notify.days=10
> > > security.policy.allowed.login.attempt=10
> > >
> > > # Password Rules
> > > security.policy.password.rule.alphanumeric.enabled=false
> > > security.policy.password.rule.alphacount.enabled=true
> > > security.policy.password.rule.alphacount.minimum=1
> > > security.policy.password.rule.characterlength.enabled=true
> > > security.policy.password.rule.characterlength.minimum=1
> > > security.policy.password.rule.characterlength.maximum=8
> > > security.policy.password.rule.musthave.enabled=true
> > > security.policy.password.rule.numericalcount.enabled=true
> > > security.policy.password.rule.numericalcount.minimum=1
> > > security.policy.password.rule.reuse.enabled=true
> > > security.policy.password.rule.nowhitespace.enabled=true
> > >
> > >
> > > Maybe that's not enough? In looking at the archiva-redback-core on GitHub, I
> > > see *two additional settings* under Security Policies:
> > >
> > > # turn off the perclick enforcement of various security policies, slightly
> > > # more heavyweight since it will ensure that the User object on each click
> > > # is up to date
> > > security.policy.strict.enforcement.enabled=true
> > > security.policy.strict.force.password.change.enabled=true
> > >
> > > So, if I add these properties to my ~/.m2/security.properties file, set
> > > both to false, kill Archiva and restart it, will this disable the password
> > > reset requirement? If not, how can I do so?
> > >
> >
> > That should work otherwise you are facing a bug :-(
> > You can use a file located here as well
> > ${appserver.home}/conf/security.properties
> >
>
> There seems to be a bug. I set security.policy.strict.enforcement.enabled
> and security.policy.strict.force.password.change.enabled to false in
> *both* locations--~/.m2/security.properties
> and ${appserver.home}/conf/security.properties--but have once again been
> told that admin's password has expired.
>
> It's also annoying that I can't reuse one of the last 6 passwords (this is,
> essentially, a private server inside a firewall). I thought
> "security.policy.password.rule.reuse.enabled=true" would allow reuse, but
> it didn't.
>
> Time to change the sticky note...
>
>
> > --
> > Olivier Lamy
> > http://twitter.com/olamy | http://linkedin.com/in/olamy
> >
>

Re: Disable password timeout, reset

Posted by Thad Humphries <th...@gmail.com>.
On Thu, Oct 1, 2015 at 7:47 AM, Olivier Lamy <ol...@apache.org> wrote:

> Hi,
>
> On 1 October 2015 at 02:11, Thad Humphries <th...@gmail.com>
> wrote:
>
> > I set up an Archiva 2.2 server a while back, and thought I'd succeeded in
> > disabling the requirement to renew the password after so many days, not
> > allow reuse of the last X number of passwords, etc. Earlier this week I was
> > rudely surprised to find that I had to reset my password. How can I stop
> > this?
> >
> > I am running Archiva on port 8080, starting it with
> >
> > $ cd /opt/apache-archiva-2.2.0
> > $ nohup bin/archiva console start &
> >
> > I created a ~/.m2/security.properties file based on the one at
> > http://archiva.apache.org/docs/2.2.0/adminguide/customising-security.html.
> > Mine is shown below. The two properties in bold I thought would disable
> > password expiration.
> >
> > # http://archiva.apache.org/docs/2.2.0/adminguide/customising-security.html
> > # https://github.com/apache/archiva-redback-core/blob/master/redback-configuration/src/main/resources/org/apache/archiva/redback/config-defaults.properties
> >
> > # Security Policies
> > #security.policy.password.encoder=
> >
> > *security.policy.password.previous.count=-1*
> > *security.policy.password.expiration.enabled=false*
> > security.policy.password.expiration.days=180
> > security.policy.password.expiration.notify.days=10
> > security.policy.allowed.login.attempt=10
> >
> > # Password Rules
> > security.policy.password.rule.alphanumeric.enabled=false
> > security.policy.password.rule.alphacount.enabled=true
> > security.policy.password.rule.alphacount.minimum=1
> > security.policy.password.rule.characterlength.enabled=true
> > security.policy.password.rule.characterlength.minimum=1
> > security.policy.password.rule.characterlength.maximum=8
> > security.policy.password.rule.musthave.enabled=true
> > security.policy.password.rule.numericalcount.enabled=true
> > security.policy.password.rule.numericalcount.minimum=1
> > security.policy.password.rule.reuse.enabled=true
> > security.policy.password.rule.nowhitespace.enabled=true
> >
> >
> > Maybe that's not enough? In looking at the archiva-redback-core on GitHub, I
> > see *two additional settings* under Security Policies:
> >
> > # turn off the perclick enforcement of various security policies, slightly
> > # more heavyweight since it will ensure that the User object on each click
> > # is up to date
> > security.policy.strict.enforcement.enabled=true
> > security.policy.strict.force.password.change.enabled=true
> >
> > So, if I add these properties to my ~/.m2/security.properties file, set
> > both to false, kill Archiva and restart it, will this disable the password
> > reset requirement? If not, how can I do so?
> >
>
> That should work otherwise you are facing a bug :-(
> You can use a file located here as well
> ${appserver.home}/conf/security.properties
>

There seems to be a bug. I set security.policy.strict.enforcement.enabled
and security.policy.strict.force.password.change.enabled to false in
*both* locations--~/.m2/security.properties
and ${appserver.home}/conf/security.properties--but have once again been
told that admin's password has expired.

It's also annoying that I can't reuse one of the last 6 passwords (this is,
essentially, a private server inside a firewall). I thought
"security.policy.password.rule.reuse.enabled=true" would allow reuse, but
it didn't.

Time to change the sticky note...


> --
> Olivier Lamy
> http://twitter.com/olamy | http://linkedin.com/in/olamy
>
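
An added example, not part of the thread and not Archiva or Redback code: a small Python check that parses the two files named above and reports, per file, the values of the four keys discussed, flagging keys whose values differ between files and any line where two assignments have run together (a paste or line-wrap accident). The sample file contents are constructed, the parser handles only plain key=value lines, and it makes no claim about which file Redback gives precedence.

```python
import re

WATCHED = (  # keys discussed in the thread
    "security.policy.password.previous.count",
    "security.policy.password.expiration.enabled",
    "security.policy.strict.enforcement.enabled",
    "security.policy.strict.force.password.change.enabled",
)
# A dotted name followed by '=' inside a value means two assignments ran together.
FUSED = re.compile(r"[A-Za-z][\w\-]*(?:\.[\w\-]+)+\s*=")

def parse_properties(text):
    """Parse plain key=value lines; return (props, problems)."""
    props, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#!":      # blank line or comment
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep:
            problems.append((lineno, "no '=' separator"))
        elif FUSED.search(value):
            problems.append((lineno, "second assignment fused into value"))
        else:
            props[key] = value
    return props, problems

def compare(files):
    """files maps a label to file text; report the WATCHED keys per file."""
    parsed = {label: parse_properties(text) for label, text in files.items()}
    report = {}
    for key in WATCHED:
        values = {label: props.get(key) for label, (props, _) in parsed.items()}
        distinct = {v for v in values.values() if v is not None}
        report[key] = {"values": values, "conflict": len(distinct) > 1,
                       "unset_everywhere": not distinct}
    problems = {label: probs for label, (_, probs) in parsed.items() if probs}
    return report, problems

# Constructed sample contents, not the poster's real files.
SAMPLE_FILES = {
    "~/.m2/security.properties": """\
# Security Policies
security.policy.password.previous.count=-1security.policy.password.expiration.enabled=false
security.policy.strict.enforcement.enabled=false""",
    "${appserver.home}/conf/security.properties": """\
security.policy.password.expiration.enabled=false
security.policy.strict.enforcement.enabled=true""",
}
REPORT, PROBLEMS = compare(SAMPLE_FILES)
```

To check real files, pass their contents to `compare` in place of `SAMPLE_FILES`; a key reported as unset in a file was either never written there or sits on a line listed under problems.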

Re: Disable password timeout, reset

Posted by Olivier Lamy <ol...@apache.org>.
Hi,

On 1 October 2015 at 02:11, Thad Humphries <th...@gmail.com> wrote:

> I set up an Archiva 2.2 server a while back, and thought I'd succeeded in
> disabling the requirement to renew the password after so many days, not
> allow reuse of the last X number of passwords, etc. Earlier this week I was
> rudely surprised to find that I had to reset my password. How can I stop
> this?
>
> I am running Archiva on port 8080, starting it with
>
> $ cd /opt/apache-archiva-2.2.0
> $ nohup bin/archiva console start &
>
> I created a ~/.m2/security.properties file based on the one at
> http://archiva.apache.org/docs/2.2.0/adminguide/customising-security.html.
> Mine is shown below. The two properties in bold I thought would disable
> password expiration.
>
> # http://archiva.apache.org/docs/2.2.0/adminguide/customising-security.html
> # https://github.com/apache/archiva-redback-core/blob/master/redback-configuration/src/main/resources/org/apache/archiva/redback/config-defaults.properties
>
> # Security Policies
> #security.policy.password.encoder=
>
> *security.policy.password.previous.count=-1*
> *security.policy.password.expiration.enabled=false*
> security.policy.password.expiration.days=180
> security.policy.password.expiration.notify.days=10
> security.policy.allowed.login.attempt=10
>
> # Password Rules
> security.policy.password.rule.alphanumeric.enabled=false
> security.policy.password.rule.alphacount.enabled=true
> security.policy.password.rule.alphacount.minimum=1
> security.policy.password.rule.characterlength.enabled=true
> security.policy.password.rule.characterlength.minimum=1
> security.policy.password.rule.characterlength.maximum=8
> security.policy.password.rule.musthave.enabled=true
> security.policy.password.rule.numericalcount.enabled=true
> security.policy.password.rule.numericalcount.minimum=1
> security.policy.password.rule.reuse.enabled=true
> security.policy.password.rule.nowhitespace.enabled=true
>
>
> Maybe that's not enough? In looking at the archiva-redback-core on GitHub, I
> see *two additional settings* under Security Policies:
>
> # turn off the perclick enforcement of various security policies, slightly
> # more heavyweight since it will ensure that the User object on each click
> # is up to date
> security.policy.strict.enforcement.enabled=true
> security.policy.strict.force.password.change.enabled=true
>
> So, if I add these properties to my ~/.m2/security.properties file, set
> both to false, kill Archiva and restart it, will this disable the password
> reset requirement? If not, how can I do so?
>

That should work otherwise you are facing a bug :-(
You can use a file located here as well
${appserver.home}/conf/security.properties


>
> --
> "Hell hath no limits, nor is circumscrib'd In one self-place; but where we
> are is hell, And where hell is, there must we ever be" --Christopher
> Marlowe, *Doctor Faustus* (v. 121-24)
>



-- 
Olivier Lamy
http://twitter.com/olamy | http://linkedin.com/in/olamy