Discussion:
Disable password timeout, reset
Thad Humphries
2015-09-30 16:11:47 UTC
I set up an Archiva 2.2 server a while back, and thought I'd succeeded in
disabling the requirement to renew the password after so many days, not
allow reuse of the last X number of passwords, etc. Earlier this week I was
rudely surprised to find that I had to reset my password. How can I stop
this?

I am running Archiva on port 8080, starting it with

$ cd /opt/apache-archiva-2.2.0
$ nohup bin/archiva console start &

I created a ~/.m2/security.properties file based on the one at
http://archiva.apache.org/docs/2.2.0/adminguide/customising-security.html.
Mine is shown below. The two properties in bold I thought would disable
password expiration.

# http://archiva.apache.org/docs/2.2.0/adminguide/customising-security.html
# https://github.com/apache/archiva-redback-core/blob/master/redback-configuration/src/main/resources/org/apache/archiva/redback/config-defaults.properties

# Security Policies
#security.policy.password.encoder=

*security.policy.password.previous.count=-1*
*security.policy.password.expiration.enabled=false*
security.policy.password.expiration.days=180
security.policy.password.expiration.notify.days=10
security.policy.allowed.login.attempt=10

# Password Rules
security.policy.password.rule.alphanumeric.enabled=false
security.policy.password.rule.alphacount.enabled=true
security.policy.password.rule.alphacount.minimum=1
security.policy.password.rule.characterlength.enabled=true
security.policy.password.rule.characterlength.minimum=1
security.policy.password.rule.characterlength.maximum=8
security.policy.password.rule.musthave.enabled=true
security.policy.password.rule.numericalcount.enabled=true
security.policy.password.rule.numericalcount.minimum=1
security.policy.password.rule.reuse.enabled=true
security.policy.password.rule.nowhitespace.enabled=true


Maybe that's not enough? In looking at the archiva-redback-core on GitHub, I
see *two additional settings* under Security Policies:

# turn off the perclick enforcement of various security policies, slightly
# more heavyweight since it will ensure that the User object on each click
# is up to date
security.policy.strict.enforcement.enabled=true
security.policy.strict.force.password.change.enabled=true

So, if I add these properties to my ~/.m2/security.properties file, set
both to false, kill Archiva and restart it, will this disable the password
reset requirement? If not, how can I do so?

--
"Hell hath no limits, nor is circumscrib'd In one self-place; but where we
are is hell, And where hell is, there must we ever be" --Christopher
Marlowe, *Doctor Faustus* (v. 121-24)
Olivier Lamy
2015-10-01 11:47:43 UTC
Hi,
Post by Thad Humphries
So, if I add these properties to my ~/.m2/security.properties file, set
both to false, kill Archiva and restart it, will this disable the password
reset requirement? If not, how can I do so?
That should work, otherwise you are facing a bug :-(
You can use a file located here as well
${appserver.home}/conf/security.properties
--
Olivier Lamy
http://twitter.com/olamy | http://linkedin.com/in/olamy
Thad Humphries
2016-01-07 14:27:08 UTC
Post by Olivier Lamy
That should work otherwise you are facing a bug :-(
You can use a file located here as well
${appserver.home}/conf/security.properties
There seems to be a bug. I set security.policy.strict.enforcement.enabled
and security.policy.strict.force.password.change.enabled to false in
*both* locations--~/.m2/security.properties
and ${appserver.home}/conf/security.properties--but have once again been
told that admin's password has expired.

It's also annoying that I can't reuse one of the last 6 passwords (this is,
essentially, a private server inside a firewall). I thought
"security.policy.password.rule.reuse.enabled=true" would allow reuse, but
it didn't.

Time to change the sticky note...
Oliver Erhart
2016-01-09 21:40:39 UTC
You could try to use the Redback Runtime Configuration [1]. With Archiva
2.2.0 this works for me. At least the number of reusing your previous
passwords (security.policy.password.previous.count).

[1]
http://archiva.apache.org/docs/2.2.0/adminguide/redback-runtime-configuration.html#Runtime_properties

--
Oliver Erhart
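
An added example (not part of any post in this thread, and not Archiva or Redback code): a small Python check that compares the password-policy keys discussed above across the two security.properties locations and flags a line where two properties have run together, in which case the properties format reads everything after the first "=" as the value and the second key is never set. The parser is a simplified stand-in for Java's properties format, the file contents are constructed samples, and the function names are hypothetical.

```python
import re

# Keys named in the thread as governing password expiry and reuse.
WATCHED = (
    "security.policy.password.expiration.enabled",
    "security.policy.password.previous.count",
    "security.policy.strict.enforcement.enabled",
    "security.policy.strict.force.password.change.enabled",
)

def parse_properties(text):
    """Simplified .properties parser: no line continuations or escapes."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")  # split on the first '=' only
        props[key.strip()] = value.strip()
    return props

def audit(files):
    """files maps a label to file text; returns a list of finding strings."""
    findings = []
    parsed = {name: parse_properties(text) for name, text in files.items()}
    for name, props in parsed.items():
        for key, value in props.items():
            # A key name inside a value means two entries share one line.
            if re.search(r"security\.policy\.", value):
                findings.append(f"{name}: '{key}' value swallows another property")
        for key in WATCHED:
            if key not in props:
                findings.append(f"{name}: '{key}' not set in this file")
    for key in WATCHED:
        values = {n: p[key] for n, p in parsed.items() if key in p}
        if len(set(values.values())) > 1:
            findings.append(f"'{key}' differs between files: {values}")
    return findings

# Constructed sample contents for the two locations named in the thread.
HOME = """# Security Policies
security.policy.password.previous.count=-1security.policy.password.expiration.enabled=false
security.policy.strict.enforcement.enabled=false
security.policy.strict.force.password.change.enabled=false
"""
CONF = """security.policy.password.previous.count=-1
security.policy.password.expiration.enabled=false
security.policy.strict.enforcement.enabled=true
security.policy.strict.force.password.change.enabled=false
"""

if __name__ == "__main__":
    for finding in audit({"home": HOME, "conf": CONF}):
        print(finding)
```
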