
solving merge conflicts 3998

rbhatta99 committed Sep 25, 2017
1 parent badf0ea commit 55a20cd971d79b89a340c1664129028d1fdb83d0
Showing with 1,944 additions and 220 deletions.
  1. +1 −0 ISSUE_TEMPLATE.md
  2. +126 −5 doc/sphinx-guides/source/installation/config.rst
  3. +1 −1 doc/sphinx-guides/source/installation/prerequisites.rst
  4. +6 −1 pom.xml
  5. +15 −0 scripts/api/setup-optional-harvard.sh
  6. +42 −103 src/main/java/Bundle.properties
  7. +15 −0 src/main/java/edu/harvard/iq/dataverse/DatasetPage.java
  8. +4 −0 src/main/java/edu/harvard/iq/dataverse/api/AbstractApiBean.java
  9. +21 −0 src/main/java/edu/harvard/iq/dataverse/api/Admin.java
  10. +6 −2 src/main/java/edu/harvard/iq/dataverse/authorization/AuthenticationServiceBean.java
  11. +17 −4 .../java/edu/harvard/iq/dataverse/authorization/providers/builtin/BuiltinAuthenticationProvider.java
  12. +3 −2 ...du/harvard/iq/dataverse/authorization/providers/builtin/BuiltinAuthenticationProviderFactory.java
  13. +1 −2 src/main/java/edu/harvard/iq/dataverse/authorization/providers/builtin/BuiltinUser.java
  14. +5 −0 src/main/java/edu/harvard/iq/dataverse/authorization/providers/builtin/BuiltinUserServiceBean.java
  15. +15 −16 src/main/java/edu/harvard/iq/dataverse/authorization/providers/builtin/DataverseUserPage.java
  16. +3 −1 src/main/java/edu/harvard/iq/dataverse/authorization/providers/oauth2/OAuth2FirstLoginPage.java
  17. +31 −0 src/main/java/edu/harvard/iq/dataverse/dataset/DatasetUtil.java
  18. +3 −2 src/main/java/edu/harvard/iq/dataverse/passwordreset/PasswordResetData.java
  19. +66 −1 src/main/java/edu/harvard/iq/dataverse/passwordreset/PasswordResetPage.java
  20. +12 −27 src/main/java/edu/harvard/iq/dataverse/passwordreset/PasswordResetServiceBean.java
  21. +47 −1 src/main/java/edu/harvard/iq/dataverse/settings/SettingsServiceBean.java
  22. +123 −2 src/main/java/edu/harvard/iq/dataverse/util/SystemConfig.java
  23. +14 −0 src/main/java/edu/harvard/iq/dataverse/util/xml/html/HtmlPrinter.java
  24. +31 −0 src/main/java/edu/harvard/iq/dataverse/validation/GoodStrengthRule.java
  25. +481 −0 src/main/java/edu/harvard/iq/dataverse/validation/PasswordValidatorServiceBean.java
  26. +177 −0 src/main/java/edu/harvard/iq/dataverse/validation/PasswordValidatorUtil.java
  27. +4 −0 src/main/resources/edu/harvard/iq/dataverse/weak_passwords.txt
  28. +57 −37 src/main/webapp/dataset.xhtml
  29. +8 −5 src/main/webapp/dataverseuser.xhtml
  30. +0 −2 src/main/webapp/loginpage.xhtml
  31. +10 −3 src/main/webapp/passwordreset.xhtml
  32. +147 −0 src/test/java/edu/harvard/iq/dataverse/api/BuiltinUsersIT.java
  33. +1 −1 src/test/java/edu/harvard/iq/dataverse/authorization/AuthUtilTest.java
  34. +5 −2 ...a/edu/harvard/iq/dataverse/authorization/providers/builtin/BuiltinAuthenticationProviderTest.java
  35. +15 −0 src/test/java/edu/harvard/iq/dataverse/mocks/MockPasswordValidatorServiceBean.java
  36. +266 −0 src/test/java/edu/harvard/iq/dataverse/validation/PasswordValidatorTest.java
  37. +165 −0 src/test/java/edu/harvard/iq/dataverse/validation/PasswordValidatorUtilTest.java
@@ -0,0 +1 @@
Thank you for contributing an issue to the Dataverse Project! If this is a bug report, please let us know when the issue occurs, which page it occurs on, to whom it occurs, and which version of Dataverse you're using. If this is a feature request, please let us know what you'd like to see and give us some context - what kind of user is the feature intended for, and what inspired the request? No matter the issue, screenshots are always welcome.
@@ -38,13 +38,30 @@ Out of the box, Dataverse will list email addresses of the "contacts" for datase

Additional Recommendations
++++++++++++++++++++++++++
Run Glassfish as a User Other Than Root
+++++++++++++++++++++++++++++++++++++++

To further enhance the security of your installation, we recommend taking the following specific actions:
See the Glassfish section of :doc:`prerequisites` for details and init scripts for running Glassfish as non-root.

- Configure Glassfish to run as a user other than root.
- Remove /root/.glassfish/pass password files.
- Store passwords as a hash rather than base64 encoded. Ideally this will be a salted hash, and use a strong hashing algorithm.
- Use a strong administrator password so the hash cannot easily be cracked through dictionary attacks.
Related to this is that you should remove ``/root/.glassfish/pass`` to ensure that Glassfish isn't ever accidentally started as root. Without the password, Glassfish won't be able to start as root, which is a good thing.

Enforce Strong Passwords for User Accounts
++++++++++++++++++++++++++++++++++++++++++

Dataverse only stores passwords (as salted hash, and using a strong hashing algorithm) for "builtin" users. You can increase the password complexity rules to meet your security needs. If you have configured your Dataverse installation to allow login from remote authentication providers such as Shibboleth, ORCID, GitHub or Google, you do not have any control over those remote providers' password complexity rules. See the "Auth Modes: Local vs. Remote vs. Both" section below for more on login options.

Even if you are satisfied with the out-of-the-box password complexity rules Dataverse ships with, for the "dataverseAdmin" account you should use a strong password so the hash cannot easily be cracked through dictionary attacks.

Password complexity rules for "builtin" accounts can be adjusted with a variety of settings documented below. Here's a list:

- :ref:`:PVMinLength`
- :ref:`:PVMaxLength`
- :ref:`:PVNumberOfConsecutiveDigitsAllowed`
- :ref:`:PVCharacterRules`
- :ref:`:PVNumberOfCharacteristics`
- :ref:`:PVDictionaries`
- :ref:`:PVGoodStrength`
- :ref:`:PVCustomPasswordResetAlertMessage`

Solr
----
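Review bot: the rewrite of "Additional Recommendations" drops the old bullet "Store passwords as a hash rather than base64 encoded. Ideally this will be a salted hash, and use a strong hashing algorithm." without carrying it anywhere; the new "Enforce Strong Passwords for User Accounts" subsection only covers Dataverse "builtin" accounts and "dataverseAdmin", so if that advice still applies to the Glassfish admin credentials it belongs under "Run Glassfish as a User Other Than Root" rather than disappearing. Also, "Without the password, Glassfish won't be able to start as root, which is a good thing" reads as if deleting ``/root/.glassfish/pass`` by itself prevents root from starting the domain; say what that file holds and what its removal actually prevents, so operators do not treat it as a stronger control than it is.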
@@ -996,6 +1013,110 @@ Dataverse calculates checksums for uploaded files so that users can determine if

The default checksum algorithm used is MD5 and should be sufficient for establishing file fixity. "SHA-1" is an experimental alternate value for this setting.

.. _:PVMinLength:

:PVMinLength
++++++++++++

Password policy setting for builtin user accounts: a password's minimum valid character length. The default is 6.

``curl -X PUT -d 6 http://localhost:8080/api/admin/settings/:PVMinLength``


.. _:PVMaxLength:

:PVMaxLength
++++++++++++

Password policy setting for builtin user accounts: a password's maximum valid character length.

``curl -X PUT -d 0 http://localhost:8080/api/admin/settings/:PVMaxLength``


.. _:PVNumberOfConsecutiveDigitsAllowed:

:PVNumberOfConsecutiveDigitsAllowed
+++++++++++++++++++++++++++++++++++

By default, passwords can contain an unlimited number of digits in a row. However, if your password policy specifies otherwise (e.g. only four digits in a row are allowed), then you can issue the following curl command to set the number of consecutive digits allowed (this example uses 4):

``curl -X PUT -d 4 http://localhost:8080/api/admin/settings/:PVNumberOfConsecutiveDigitsAllowed``

.. _:PVCharacterRules:

:PVCharacterRules
+++++++++++++++++

Password policy setting for builtinuser accounts: dictates which types of characters can be required in a password. This setting goes hand-in-hand with :ref:`:PVNumberOfCharacteristics`. The default setting contains two rules:

- one letter
- one digit

The default setting above is equivalent to specifying "Alphabetical:1,Digit:1".

By specifying "UpperCase:1,LowerCase:1,Digit:1,Special:1", for example, you can put the following four rules in place instead:

- one uppercase letter
- one lowercase letter
- one digit
- one special character

If you have implemented 4 different character rules in this way, you can also optionally increase ``:PVNumberOfCharacteristics`` to as high as 4. However, please note that ``:PVNumberOfCharacteristics`` cannot be set to a number higher than the number of character rules or you will see the error, "Number of characteristics must be <= to the number of rules".

Also note that the Alphabetical setting should not be used in tandem with the UpperCase or LowerCase settings. The Alphabetical setting encompasses both of those more specific settings, so using it with them will cause your password policy to be unnecessarily confusing, and potentially easier to bypass.

``curl -X PUT -d 'UpperCase:1,LowerCase:1,Digit:1,Special:1' http://localhost:8080/api/admin/settings/:PVCharacterRules``

``curl -X PUT -d 3 http://localhost:8080/api/admin/settings/:PVNumberOfCharacteristics``

.. _:PVNumberOfCharacteristics:

:PVNumberOfCharacteristics
++++++++++++++++++++++++++

Password policy setting for builtin user accounts: the number indicates how many of the character rules defined by ``:PVCharacterRules`` are required as part of a password. The default is 2. ``:PVNumberOfCharacteristics`` cannot be set to a number higher than the number of rules or you will see the error, "Number of characteristics must be <= to the number of rules".

``curl -X PUT -d 2 http://localhost:8080/api/admin/settings/:PVNumberOfCharacteristics``


.. _:PVDictionaries:

:PVDictionaries
+++++++++++++++

Password policy setting for builtin user accounts: set a comma separated list of dictionaries containing words that cannot be used in a user password. ``/usr/share/dict/words`` is suggested and shown modified below to not contain words 3 letters or less. You are free to choose a different dictionary. By default, no dictionary is checked.

``DIR=THE_PATH_YOU_WANT_YOUR_DICTIONARY_TO_RESIDE``
``sed '/^.\{,3\}$/d' /usr/share/dict/words > $DIR/pwdictionary``
``curl -X PUT -d "$DIR/pwdictionary" http://localhost:8080/api/admin/settings/:PVDictionaries``


.. _:PVGoodStrength:

:PVGoodStrength
+++++++++++++++

Password policy setting for builtin user accounts: passwords of equal or greater character length than the :PVGoodStrength setting are always valid, regardless of other password constraints.

``curl -X PUT -d 20 http://localhost:8080/api/admin/settings/:PVGoodStrength``

Recommended setting: 20.

.. _:PVCustomPasswordResetAlertMessage:

:PVCustomPasswordResetAlertMessage
++++++++++++++++++++++++++++++++++

Changes the default info message displayed when a user is required to change their password on login. The default is:

``{0} Reset Password{1} – Our password requirements have changed. Please pick a strong password that matches the criteria below.``

Where the {0} and {1} denote surrounding HTML **bold** tags. It's recommended to put a single space before your custom message for better appearance (as in the default message above). Including the {0} and {1} to bolden part of your message is optional.

Customize the message using the following curl command's syntax:

``curl -X PUT -d '{0} Action Required:{1} Your current password does not meet all requirements. Please enter a new password meeting the criteria below.' http://localhost:8080/api/admin/settings/:PVCustomPasswordResetAlertMessage``

:ShibPassiveLoginEnabled
++++++++++++++++++++++++

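Review bot: ":PVGoodStrength" states that passwords at or above that length are "always valid, regardless of other password constraints", which means a 20-character password also skips ``:PVDictionaries``, ``:PVCharacterRules`` and ``:PVNumberOfConsecutiveDigitsAllowed``; spell that out in the setting's text (a long all-lowercase dictionary phrase or a run of one repeated character is accepted) so "Recommended setting: 20." is read as a deliberate trade-off. The ``:PVMaxLength`` entry gives no default and its example sets ``0`` without saying whether ``0`` means unlimited, and ``:PVNumberOfConsecutiveDigitsAllowed`` does not say which value restores the default "unlimited number of digits in a row"; document both. Minor: "builtinuser accounts" under ``:PVCharacterRules`` should be "builtin user accounts", and that section's example ends by setting ``:PVNumberOfCharacteristics`` to ``3`` right after the prose mentions raising it "as high as 4"; a half-sentence saying that 3 of the 4 rules is the intended example would avoid readers taking it for a mismatch.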
@@ -12,7 +12,7 @@ You **may** find it helpful to look at how the configuration is done automatical
Java
----

Dataverse requires Java 8 (also known as 1.8).
Dataverse requires Java SE 8 (8u74/JDK 1.8.0u74 or higher).

Installing Java
===============
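Review bot: the requirement is tightened from "Java 8 (also known as 1.8)" to "Java SE 8 (8u74/JDK 1.8.0u74 or higher)" with no reason given; add the one-line reason (the fix or feature that needs 8u74) so operators running an older update of Java 8 know what breaks rather than discovering it at runtime.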
@@ -63,6 +63,11 @@
<artifactId>aws-java-sdk-bundle</artifactId>
<version>${aws.version}</version>
</dependency>
<dependency>
<groupId>org.passay</groupId>
<artifactId>passay</artifactId>
<version>1.1.0</version>
</dependency>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
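Review bot: the passay version is hard-coded as ``<version>1.1.0</version>`` while the neighbouring AWS dependency uses a property (``<version>${aws.version}</version>``); move it to a property in the same way so it is bumped in one place. Because this library now decides which passwords the builtin provider accepts, also confirm before merging that 1.1.0 is the release you intend to pin rather than whatever was current when the branch was started.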
@@ -615,4 +620,4 @@
</plugins>
</build>

</project>
</project>
@@ -9,6 +9,21 @@ curl -s -X PUT -d 'Dataverse is currently being upgraded. You can see the featur
echo "- Harvard Privacy Policy"
curl -s -X PUT -d http://best-practices.dataverse.org/harvard-policies/harvard-privacy-policy.html $SERVER/admin/settings/:ApplicationPrivacyPolicyUrl
curl -s -X PUT -d http://best-practices.dataverse.org/harvard-policies/harvard-api-tou.html $SERVER/admin/settings/:ApiTermsOfUse
echo "- Configuring Harvard's password policy in Dataverse"
# Min length is 10 because that is the minimum Harvard requires without periodic expiration
curl -s -X PUT -d 10 $SERVER/admin/settings/:PVMinLength
# If password 20+ characters, other rules do not apply
curl -s -X PUT -d 20 $SERVER/admin/settings/:PVGoodStrength
# The character classes users can choose between and the number of each needed
curl -X PUT -d 'UpperCase:1,Digit:1,LowerCase:1,Special:1' $SERVER/admin/settings/:PVCharacterRules
# The number of character classes a password needs to be valid
curl -s -X PUT -d 3 $SERVER/admin/settings/:PVNumberOfCharacteristics
# The number of character classes a password needs to be valid
curl -s -X PUT -d 4 $SERVER/admin/settings/:PVNumberOfConsecutiveDigitsAllowed
# Harvard requires a dictionary check on common words & names. We use the unix 'words' file, removing ones less than 4 characters. Policy clarification received by Harvard Key was no words 4 characters or longer.
DIR="/usr/local/glassfish4/glassfish/domains/domain1/files" #this can be replaced with a different file path for storing the dictionary
sed '/^.\{,3\}$/d' /usr/share/dict/words > $DIR/pwdictionary
curl -s -X PUT -d "$DIR/pwdictionary" $SERVER/admin/settings/:PVDictionaries
echo "- Adjust Solr frag size"
curl -s -X PUT -d 320 $SERVER/admin/settings/:SearchHighlightFragmentSize
echo "- Google Analytics setting"
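Review bot: the comment above the ``:PVNumberOfConsecutiveDigitsAllowed`` call is a copy of the one above it ("The number of character classes a password needs to be valid") and is wrong for that setting; change it to say it caps runs of digits at 4. The ``:PVCharacterRules`` line is the only ``curl`` in this block without ``-s``, so it alone prints progress output; add ``-s`` to match the others. ``:PVNumberOfCharacteristics`` is set to 3 with four classes configured, so any one class can be skipped; if Harvard's policy requires all four, this should be 4, otherwise the "# The number of character classes a password needs to be valid" comment should say "3 of the 4". The dictionary is written to ``$DIR`` under ``domain1/files``, the domain's file-storage directory; a path outside the data area would be cleaner, and the ``sed`` line should check that ``/usr/share/dict/words`` exists first, since on a host without it the redirect leaves an empty ``pwdictionary`` that rejects nothing while ``:PVDictionaries`` is still set.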

0 comments on commit 55a20cd
