Topic: Password strength on SME8

[joshAU]

Hello, I'm running sme8. Three quick questions...

1. I need to use 6 character passwords (yes, big security risk, I know)
I'm familiar with config setprop passwordstrength .... none, etc.... but it appears the minimum I can set, even when passwordstrength = none, is seven characters.  Is there anyway to change this?

2. Where's the forum for sme8?, I would have posted this there but i couldn't find it.

3. Yes watch case sensitivity when you run "config setprop passwordstrength Users none"...... I didn't notice the case, and now, if I run "db configuration show passwordstrength" it returns the usual Users = none, but also a users = none..... Is the an easy way to remove this?

Any ideas or advice appreciated,
joshAU

[william_syd]

Hello, I'm running sme8. Three quick questions...

-- snip --

3. Yes watch case sensitivity when you run "config setprop passwordstrength Users none"...... I didn't notice the case, and now, if I run "db configuration show passwordstrength" it returns the usual Users = none, but also a users = none..... Is the an easy way to remove this?

Any ideas or advice appreciated,
joshAU

db by itself should give you some hints (unless it's broken in SME8)

[raem]

joshAU

1. I need to use 6 character passwords (yes, big security risk, I know)

Not just a security risk, but it may interfere with the PAM module & future upgrades
From http://wiki.contribs.org/SME_Server:Documentation:FAQ#Password_Strength_Checking
"PAM module requires passwords to be at least 6 characters long, so setting a password that is shorter than that may cause other problems later. SME server default settings enforce 7 character passwords."

Search the forums for a proposed workaround, but you are STRONGLY advised NOT to implement that workaround.
It's really time to re-educate your users and FORCE them to change to longer passwords, sme is never going to change password character length to anything shorter than 7.

If you make the workaround changes, you may have upgrade problems later.

2. Where's the forum for sme8?

There is no forum as sme8 has not been officially released yet, it is still a beta release software.
The only place to report issues is in the bugtracker in the sme8 category.

3. config setprop passwordstrength users none

Time to learn the syntax, it has been said enough times in this forum and here
http://wiki.contribs.org/DB_Variables_Configuration

At command prompt do
db
after looking at the syntax possibilities, you would deduce
config delprop passwordstrength users

(and be very careful with the case)

[joshAU]

Thanks for your replies.

william_syd ....somewhat cryptic answer...

RayMitchell, 1. yes I had read about that.... although I don't know what the PAM module is...
Don't worry, I'll look it up... In regards to the workaround, if its "config setprop passwordstrength Users none" -this still requires 7 character passwords on sme8. All workarounds suggested in this forum seem to refer to this workaround, which is not what im after. Perhaps I missed the post.

2. oh ok, i forgot its still beta, lukily this isn't a vital server...
3. Yes, it probably is time to learn syntax...I just wish there was 36 hours in a day.
Thanks ray, that's just what I needed. Much appreciated

joshAU

[shawnbishop]

Hi

How do I download version 8, i want to try it??

[grattman]

How do I download version 8, i want to try it??

Shawn,

You can download it here: http://smemirror.fullnet.co.uk/releases/testing/8.0/iso/i386/

Also keep in mind, there is also a wealth of information here: http://www.contribs.org such as the link to download SME 8.

Cheers,
grattman

[raem]

joshAU

The workaround I referred to was how to reduce the password length by tweaking code, not the db command you mention. If you had searched the forums on passwordstrength you would find this
http://forums.contribs.org/index.php?topic=38601.0
and this
http://forums.contribs.org/index.php?topic=38078.0
but make sure you also read this
http://forums.contribs.org/index.php?topic=38190.0
and this
http://bugs.contribs.org/show_bug.cgi?id=3039

It's not really advisable to do so though, the ultimate conclusion was that base code needs to be altered, and that code will get overwritten with each upgrade, apart from any other issues with pam authentication, should you be using that. Apart from those issues which are indentifiable now, who knows what other dependencies/issues future releases of sme server may have on password length and the resultant unintentional effect on non standard systems.
When you go non standard, then the risk is yours and at some stage you will have problems for sure.

Why waste time with those hassles, when you should just force your users to change bad habits. Tell them it's because the server has more stringent security requirements, which is ultimately in their best interest due to the increase in hacking & attempts to gain root access by devious means eg via user login etc etc.

[shawnbishop]

Thnaks Grattman

I use the SME 7.2 / 7.3 extensively, I love it...such an excellent replacement for MS SBS.

Cheers for the info

[cactus]

You can download it here: http://smemirror.fullnet.co.uk/releases/testing/8.0/iso/i386/

Please do not post direct links to the mirrors but use http://mirror.contribs.org/releases/testing/8.0/iso/i386/ as this will automatically route you to an available mirror even when this one might perhaps stops it services.

[joshAU]

Hi RayMitchell.
Thanks for the workaround.
Your right though, I don't think I'll use it, too many potential issues may arise in the future.
I'll just have to change me to fit the computer.
I thought I only had to do that with Microsoft and Norton products:)

Regarding searching the forums, I did search and majority of what I found only seemed to refer to the "config setprop passwordstrength Users none" option.  I am familiar with using a search engine, being an IT technician for most of the last decade. I didn't see those relevent posts in the sea of advice re config. I do try to avoid posting a question until I have searched the forums, as I know there's so many questions coming in all the time.

One query.....Is the seach engine a bit flaky occasionally?...Or is it my user-lameness?
For example:

I enter the term "passwordstrength" (without quotes) into the search engine at the top of any forums.contribs.org page and press search.  It returns no results. I say BS and go back and try again, and a third try to be sure, but No results found. BUT, if I hit the revise search on the next page, up comes 26 results.....ODD. I have confirmed this just now as i write this. This occurs to me on two computers in different physical locations, my work pc and my laptop at home. HOWEVER, it doesn't do it all the time, and when it does work, it will continue to work when i retest it.

Is this a case of user lameness or some other issue. Its a bit disconcerting when you search for something you know exists on the forum, but the search returns no results.

Let me add that this does not occur every time i search the forums, but I have suspected it occassionally in the past and reproduced it repeatedly in the last two days.

I dont think its an issue with my pcs or browsers, as they run slightly different os's (2000, XP), ones IE6 the others IE7, on uses a sme squid proxy, ones on a very standard adsl modem.

This query should probably placed as a seperate question, but id like to rule out any user faults first:)

Thanks again Ray

[william_syd]

if I hit the revise search on the next page, up comes 26 results.

That's how it works for me.

[joshAU]

Yes Thats how it works for me.
But I should not have to click revise search to see the results.

eg. say i search google.
google does not return no results to my search.
I do not have to click revise on the next page...to see the results for google.

I'm still confused.

Josh

[raem]

joshAU

But I should not have to click revise search to see the results.

If you want it fixed then lodge an accurate bug report at bugzilla (category = website) with enough detail so that someone else can hopefully reproduce the problem.

[pfloor]

joshAU

If you want it fixed then lodge an accurate bug report at bugzilla (category = website) with enough detail so that someone else can hopefully reproduce the problem.

I can reproduce the problem but not on just contribs.org.  Other sites using SMF exhibit this problem so this is a bug with SMF and a bug report should be lodged at http://www.simplemachines.org/

[pfloor]

I can reproduce the problem but not on just contribs.org.  Other sites using SMF exhibit this problem so this is a bug with SMF and a bug report should be lodged at http://www.simplemachines.org/

Let me revise that...

It isn't a "bug", it is a weird quirk in SMF.  If you do a search using the search box at the top of the page, it only searches the board that you are in.  Kinda stupid if you ask me