[SECURITY] Unify all 3 password change systems and strengthen with PAM

Currently there are fifty bazillion password change modules in Usermin, Webmin and Virtualmin and everything inbetween.

They all differ in validation options (length, complexity), etc.

They all SUCK. Extremely badly. Take it from me, I know enough about how these modules work to have jailed them and created a system where they can't do any damage. But I won't get into that.

Anyway here's the idea: * Roll them all into a single codebase, a single authentication/password-writing module, configured in ONE place, where admins can set up PAM chains for strength checking with things like pam_cracklib, and show the user the output of cracklib if it failed. Don't accept weak passwords.

You don't have to spend a single second coding password strength verification systems. Just leverage PAM modules. Let users configure the PAM options, run the password through it, and display the resulting warnings. Only write passwords to /etc/shadow (or the webmin user-store) if the password passed PAM validation.

This updated module would be responsible for hashing the accepted passwords too. Writing passwords to disk using SHA512 hashes by default.

Status: 
Active

Comments

In webmin / virtualmin, there should already be one place where password strength settings are done and validated - the Users and Groups module. However, as you pointed out it doesn't use PAM - primarily because many operating systems don't support PAM. Also, the existing perl PAM libraries don't seem to support password validation without actually performing a password change..

Hence I was forced to implement my own validation code in Webmin. Note that this supports shelling out to an external program to validate passwords, which you could write to enforce any kinds of restrictions that you want..

I noticed this too! Different modules (user, virtual, webmin + diff modules within) use different strength check configured in different places. This is a problem indeed.

Try to put it all in 1 place?? and remove per-module settings, it's annoying to conffigure...