
Check password in history of old passwords #126

Open
coudot opened this issue Jun 28, 2024 · 7 comments · May be fixed by #162
Labels: enhancement (New feature or request), sponsor (Development sponsored by customers)

Comments

coudot (Member) commented Jun 28, 2024

Currently, we check the password on the current value (by doing an LDAP BIND).

We would like to be able to browse the password history and check the password against this history.

Use case: the password of the user has changed, but the user forgot it and uses an old password. We can verify that this old password is really a previous password of the user.

It would be possible only with a standard LDAP directory that is compatible with password policy (pwdHistory).

coudot added the enhancement and sponsor labels Jun 28, 2024
coudot added this to the 0.6 milestone Jun 28, 2024
coudot (Member, Author) commented Jul 2, 2024

Prerequisite: #118

abpai94 (Collaborator) commented Aug 7, 2024

Checking if the user is anonymous or AUTH-USER can be used as a flag to request the user's previous password before making a change. If the user is anonymous, the userDN rather than the bindDN is used in order to trigger the following message:

ldap_modify: Constraint violation (19)
additional info: Password is in history of old passwords

Source: link

This attribute is used to specify the maximum number of used passwords that will be stored in the pwdHistory attribute. If the pwdInHistory attribute is not present, or if its value is zero (0), used passwords will not be stored in pwdHistory and thus any previously-used password may be reused. No history checking occurs if the password is being modified by the rootdn, although the password is saved in the history.

abpai94 added a commit to Worteks/service-desk that referenced this issue Aug 8, 2024
@abpai94 abpai94 linked a pull request Aug 8, 2024 that will close this issue
abpai94 added a commit to Worteks/service-desk that referenced this issue Aug 8, 2024
abpai94 added a commit to Worteks/service-desk that referenced this issue Aug 13, 2024
abpai94 added a commit to Worteks/service-desk that referenced this issue Aug 13, 2024
* Stopped using $header_name_audit_admin to check for admin privileges.
* Create a new variable $use_resetpassword_requireauth to require password to change password.
* Wrote documentation for new feature.
* Added warning message to require new password.
coudot (Member, Author) commented Aug 21, 2024

This is not what is wanted here.

The big plan is:

  • Update the code only for the check password feature
  • Read the password history attribute (pwdHistory in OpenLDAP)
  • For each value of password history, get the hashed password (with the salt if needed)
  • Do the same hash function (with same salt if needed) on the checked password
  • If both values match, then it means the password is in the password history
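A stand-alone illustration of the plan above, added here as an example; it is not code from service-desk or ltb-common (which are PHP). It parses pwdHistory values in the form the OpenLDAP ppolicy overlay stores them (time#syntaxOID#length#data), re-hashes the candidate with the salt recovered from the stored {SSHA} value and compares in constant time. The history values below are constructed for the example.

```python
import base64
import hashlib
import hmac

# OID of the Octet String syntax that OpenLDAP's ppolicy overlay records in
# each pwdHistory value; a value looks like  time#syntaxOID#length#data
OCTET_STRING_OID = "1.3.6.1.4.1.1466.115.121.1.40"

def make_ssha(password: str, salt: bytes) -> bytes:
    """Build an {SSHA} value: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return b"{SSHA}" + base64.b64encode(digest + salt)

def make_history_value(timestamp: str, hashed: bytes) -> str:
    """Encode a hashed password the way ppolicy stores it in pwdHistory."""
    return f"{timestamp}#{OCTET_STRING_OID}#{len(hashed)}#{hashed.decode()}"

def parse_history_value(value: str) -> tuple[str, str, bytes]:
    """Split one pwdHistory value into (timestamp, syntax OID, stored hash)."""
    timestamp, oid, length, data = value.split("#", 3)
    stored = data.encode()
    if int(length) != len(stored):
        raise ValueError("pwdHistory length field does not match data")
    return timestamp, oid, stored

def hash_matches(password: str, stored: bytes) -> bool:
    """Re-hash the candidate with the stored scheme and salt; compare in constant time."""
    if stored.startswith(b"{SSHA}"):
        raw = base64.b64decode(stored[len(b"{SSHA}"):])
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the rest is salt
        return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)
    if stored.startswith(b"{SHA}"):
        digest = base64.b64decode(stored[len(b"{SHA}"):])
        return hmac.compare_digest(hashlib.sha1(password.encode()).digest(), digest)
    return False  # unsupported scheme: never report a match we cannot verify

def password_in_history(password: str, history: list[str]) -> bool:
    """True if the candidate equals any entry of the user's pwdHistory."""
    for value in history:
        _, oid, stored = parse_history_value(value)
        if oid == OCTET_STRING_OID and hash_matches(password, stored):
            return True
    return False

# Constructed sample: two old passwords as a directory would have stored them.
SAMPLE_HISTORY = [
    make_history_value("20240101120000Z", make_ssha("Winter2023!", b"\x01\x02\x03\x04")),
    make_history_value("20240401120000Z", make_ssha("Spring2024!", b"\xaa\xbb\xcc\xdd")),
]
```

In the real feature the history list comes from an LDAP search for the user's pwdHistory attribute, and the scheme dispatch is what the ltb-common Password module provides.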

coudot (Member, Author) commented Aug 22, 2024

We need to use the ltb-common Password module to check the password hashes: https://github.com/ltb-project/ltb-common/blob/main/src/Ltb/Password.php

davidcoutadeur commented

Hello,

@abpai94 I think this issue was assigned to me at the beginning. Did you have a special reason for working on this?

I have no problem with you working on this issue, but:

  1. please take care to communicate before auto-assigning (in order for us to share and plan the tasks the best we can)
  2. I had a precise idea of how to deal with this issue, so if you have to work on it, I could at least give you the implementation details.

David

abpai94 (Collaborator) commented Aug 23, 2024

Hey @davidcoutadeur

Apologies for not informing you before picking it up. I found the topic interesting so I picked it up. In the future I will make sure to mention to the previously assigned person before picking up their ticket.

As you can see in the pull request, I went down a very specific rabbit hole which proved to be incorrect. I have spoken to @coudot, who provided me more context which I will implement. So any more information you have about the implementation would be helpful.

Abhishek

abpai94 (Collaborator) commented Aug 26, 2024

@coudot The issue has been completed. It requires ltb-project/ltb-common#31 to be merged and the new version incremented for this feature to work.

abpai94 added a commit to Worteks/service-desk that referenced this issue Aug 26, 2024
abpai94 added a commit to Worteks/service-desk that referenced this issue Aug 26, 2024
abpai94 added a commit to Worteks/service-desk that referenced this issue Sep 4, 2024
…om pwdHistory

- Added a new flag $use_checkpasswordhistory to config.inc.php
- Documented feature for use
abpai94 added a commit to Worteks/service-desk that referenced this issue Sep 4, 2024
abpai94 added a commit to Worteks/service-desk that referenced this issue Sep 19, 2024