[pve-devel] [PATCH installer 3/3] auto-installer: raise minimum root password length to 8 characters

Stefan Hanreich s.hanreich at proxmox.com
Mon Oct 7 11:49:02 CEST 2024 


On 10/7/24 11:22, Christoph Heiss wrote:
> .. in accordance with current NIST recommendations [0].
> 
> It's 2024; so reasonable to expect an 8-character-password at the
> minimum.
> 
> [0] https://pages.nist.gov/800-63-4/sp800-63b.html#passwordver
> 
> Signed-off-by: Christoph Heiss <c.heiss at proxmox.com>
> ---
>  proxmox-auto-installer/src/utils.rs                          | 5 +++++
>  .../tests/resources/parse_answer/disk_match.json             | 2 +-
>  .../tests/resources/parse_answer/disk_match.toml             | 2 +-
>  .../tests/resources/parse_answer/disk_match_all.json         | 2 +-
>  .../tests/resources/parse_answer/disk_match_all.toml         | 2 +-
>  .../tests/resources/parse_answer/disk_match_any.json         | 2 +-
>  .../tests/resources/parse_answer/disk_match_any.toml         | 2 +-
>  .../tests/resources/parse_answer/minimal.json                | 2 +-
>  .../tests/resources/parse_answer/minimal.toml                | 2 +-
>  .../tests/resources/parse_answer/nic_matching.json           | 2 +-
>  .../tests/resources/parse_answer/nic_matching.toml           | 2 +-
>  .../tests/resources/parse_answer/specific_nic.json           | 2 +-
>  .../tests/resources/parse_answer/specific_nic.toml           | 2 +-
>  proxmox-auto-installer/tests/resources/parse_answer/zfs.json | 2 +-
>  proxmox-auto-installer/tests/resources/parse_answer/zfs.toml | 2 +-
>  15 files changed, 19 insertions(+), 14 deletions(-)
> 
> diff --git a/proxmox-auto-installer/src/utils.rs b/proxmox-auto-installer/src/utils.rs
> index 45ad222..e0dd2ae 100644
> --- a/proxmox-auto-installer/src/utils.rs
> +++ b/proxmox-auto-installer/src/utils.rs
> @@ -13,6 +13,7 @@ use proxmox_installer_common::{
>      setup::{
>          InstallConfig, InstallRootPassword, InstallZfsOption, LocaleInfo, RuntimeInfo, SetupInfo,
>      },
> +    ROOT_PASSWORD_MIN_LENGTH,
>  };
>  use serde::{Deserialize, Serialize};
>  
> @@ -309,6 +310,10 @@ fn verify_root_password_settings(answer: &Answer) -> Result<()> {
>      } else if answer.global.root_password.is_none() && answer.global.root_password_hashed.is_none()
>      {
>          bail!("One of `global.root_password` or `global.root_password_hashed` must be set");
> +    } else if answer.global.root_password.is_some()
> +        && answer.global.root_password.as_ref().map(|s| s.len()) < Some(ROOT_PASSWORD_MIN_LENGTH)
> +    {
> +        bail!("`global.root_password` must be at least {ROOT_PASSWORD_MIN_LENGTH} characters long");
>      } else {
>          Ok(())
>      }

maybe match is better at this point?

Something like

match (answer.global.root_password, answer.global.root_password_hashed) {
  [..]
  (Some(password), _) if password.len() < ROOT_PASSWORD_MIN_LENGTH,
  [..]
}

More information about the pve-devel mailing list