From e5a3a2f1cdfe55c16ce7b40ef51243a41ef276a4 Mon Sep 17 00:00:00 2001
From: Russell Bryant
Date: Tue, 13 Jul 2010 11:41:54 +0000
Subject: [PATCH] Add example script for use with the externpasscheck voicemail.conf option. (closes issue #17628) Reported by: lmadsen Tested by: russell, lmadsen Review: https://reviewboard.asterisk.org/r/774/ git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@275863 65c4cc65-6c06-0410-ace0-fbb531ad65f3
---
configs/voicemail.conf.sample | 24 ++++++++---
contrib/scripts/voicemailpwcheck.py | 65 +++++++++++++++++++++++++++++
2 files changed, 84 insertions(+), 5 deletions(-)
create mode 100755 contrib/scripts/voicemailpwcheck.py
diff --git a/configs/voicemail.conf.sample b/configs/voicemail.conf.sample
index 7c44773b53..71f863e020 100644
--- a/configs/voicemail.conf.sample
+++ b/configs/voicemail.conf.sample
@@ -84,11 +84,25 @@ maxlogins=3
 ;externpass=/usr/bin/myapp
 ;externpassnotify=/usr/bin/myapp
-; If you need to have an external program, i.e. /usr/bin/myapp
-; called when a user changes her voicemail password, uncomment this:
-;externpasscheck=/usr/bin/myapp
-; Arguments for this script are:
-; mailbox context oldpass newpass
+; If you would like to have an external program called when a user changes the
+; voicemail password for the purpose of doing validation on the new password,
+; then use this option. The script can decide whether or not the new password
+; meets minimum password strength requirements before the Voicemail application
+; accepts the password. If the script decides that the password is not acceptable,
+; the user will be informed that the new password does not meet minimum password
+; requirements, and they will be asked to enter another password.
+;
+; The arguments passed to this script are .
+;
+; The script should print "VALID" to stdout to indicate that the new password
+; is acceptable. If the password is considered too weak, the script should print
+; "INVALID" to stdout.
+;
+; There is an example script in the contrib/scripts/ directory, voicemailpwcheck.py,
+; which implements some basic password checking, and can be used as a starting point
+; for use with this option.
+;
+;externpasscheck=/usr/local/bin/voicemailpwcheck.py
 ; For the directory, you can override the intro file if you want
 ;directoryintro=dir-intro
diff --git a/contrib/scripts/voicemailpwcheck.py b/contrib/scripts/voicemailpwcheck.py
new file mode 100755
index 0000000000..d7a66d4b97
--- /dev/null
+++ b/contrib/scripts/voicemailpwcheck.py
@@ -0,0 +1,65 @@
+#!/usr/bin/env python
+''' Sample externpasscheck script for use with voicemail.conf
+
+Copyright (C) 2010, Digium, Inc.
+Russell Bryant
+
+The externpasscheck option in voicemail.conf allows an external script to
+validate passwords when a user is changing it. The script can enforce password
+strength rules. This script is an example of doing so and implements a check
+on password length, a password with too many identical consecutive numbers, or
+a password made up of sequential digits.
+'''
+
+import sys
+import re
+
+
+# Set this to the required minimum length for a password
+REQUIRED_LENGTH = 6
+
+
+# Regular expressions that match against invalid passwords
+REGEX_BLACKLIST = [
+ ("(?P\d)(?P=digit){%d}" % (REQUIRED_LENGTH - 1),
+ "%d consective numbers that are the same" % REQUIRED_LENGTH)
+]
+
+
+# Exact passwords that are forbidden. If the string of digits specified here
+# is found in any part of the password specified, it is considered invalid.
+PW_BLACKLIST = [
+ "123456",
+ "234567",
+ "345678",
+ "456789",
+ "567890",
+ "098765",
+ "987654",
+ "876543",
+ "765432",
+ "654321"
+]
+
+
+mailbox, context, old_pw, new_pw = sys.argv[1:5]
+
+# Enforce a password length of at least 6 characters
+if len(new_pw) < REQUIRED_LENGTH:
+ print "INVALID: Password is too short (%d) - must be at least %d" % \
+ (len(new_pw), REQUIRED_LENGTH)
+ sys.exit(0)
+
+for regex, error in REGEX_BLACKLIST:
+ if re.search(regex, new_pw):
+ print "INVALID: %s" % error
+ sys.exit(0)
+
+for pw in PW_BLACKLIST:
+ if new_pw.find(pw) != -1:
+ print "INVALID: %s is forbidden in a password" % pw
+ sys.exit(0)
+
+print "VALID"
+
+sys.exit(0)
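Review bot: `mailbox, context, old_pw, new_pw = sys.argv[1:5]` raises ValueError when fewer than four arguments are supplied, so the script dies with a traceback and prints no verdict at all; a password checker should fail closed explicitly, e.g. before the unpack `if len(sys.argv) < 5:` / `    print "INVALID: expected mailbox, context, old and new password"` / `    sys.exit(0)`. mailbox and old_pw are bound but never read, so a new password equal to the mailbox number or identical to the old one passes every check — both are cheap rejections worth adding to a script documented as a starting point. PW_BLACKLIST is a fixed set of six-digit runs that omits "012345" and will not follow a change to REQUIRED_LENGTH the way REGEX_BLACKLIST does, and the error string misspells "consecutive" as "consective". The pattern rendered as `(?P\d)(?P=digit)` is not a valid named group as shown; the backreference implies `(?P<digit>\d)`, and the angle brackets were presumably dropped by the page renderer rather than by the commit.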