[Freeipa-devel] [PATCH 0559] Increase default length of auto-generated passwords

Alexander Bokovoy abokovoy at redhat.com
Fri Jul 29 15:09:57 UTC 2016


On Fri, 29 Jul 2016, Martin Basti wrote:
>https://fedorahosted.org/freeipa/ticket/6116
>
>
>Patch attached
>

>From ca5305e032137b7c9197d0c1050191079a72124e Mon Sep 17 00:00:00 2001
>From: Martin Basti <mbasti at redhat.com>
>Date: Fri, 22 Jul 2016 16:41:29 +0200
>Subject: [PATCH] Increase default length of auto generated passwords
>
>Installer/IPA generates passwords for various purposes:
>* KRA
>* kerberos master key
>* NSSDB password
>* temporary passwords during installation
>
>Length of passwords should be increased to 22, ~128 bits of entropy, to
>be safe nowadays.
>
>https://fedorahosted.org/freeipa/ticket/6116
ACK with a minor comment.

>---
> ipapython/ipautil.py           | 2 +-
> ipaserver/plugins/baseuser.py  | 3 ++-
> ipaserver/plugins/host.py      | 3 ++-
> ipaserver/plugins/stageuser.py | 3 ++-
> ipaserver/plugins/user.py      | 3 ++-
> 5 files changed, 9 insertions(+), 5 deletions(-)
>
>diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
>index 9964fba4f694b57242b3bd3065a418917d977533..ca7e81d666cd6c345bdbbf4660c3451ac1f2c045 100644
>--- a/ipapython/ipautil.py
>+++ b/ipapython/ipautil.py
>@@ -57,7 +57,7 @@ from ipapython.dn import DN
> SHARE_DIR = paths.USR_SHARE_IPA_DIR
> PLUGINS_SHARE_DIR = paths.IPA_PLUGINS
> 
>-GEN_PWD_LEN = 12
>+GEN_PWD_LEN = 22
It would be good to add a temporary password constant too
+GEN_TMP_PWD_LEN = 12

and then use it instead of pwd_len=12 below.

> # Having this in krb_utils would cause circular import
> KRB5_KDC_UNREACH = 2529639068 # Cannot contact any KDC for requested realm
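Review bot: the "~128 bits" figure in the commit message only follows from `GEN_PWD_LEN = 22` if the default character set handed to `ipa_generate_password` has at least 57 distinct symbols (22 * log2(57) = 128.3 bits; a 62-symbol alphanumeric set gives 131 bits, a 36-symbol lowercase+digits set only 113.7). The alphabet is not visible in this hunk, so either confirm the default charset size in the same commit or state the assumption in a comment next to the constant. Also, as noted above, the callers that deliberately keep 12 should reference a named `GEN_TMP_PWD_LEN` rather than a bare literal.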
>diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
>index e4288a5a131157815ffb2452692a7edb342f6ac3..5e0752c8d3d246fa7c283f05b82ef01de2e5bf34 100644
>--- a/ipaserver/plugins/baseuser.py
>+++ b/ipaserver/plugins/baseuser.py
>@@ -552,7 +552,8 @@ class baseuser_mod(LDAPUpdate):
> 
>     def check_userpassword(self, entry_attrs, **options):
>         if 'userpassword' not in entry_attrs and options.get('random'):
>-            entry_attrs['userpassword'] = ipa_generate_password(baseuser_pwdchars)
>+            entry_attrs['userpassword'] = ipa_generate_password(
>+                baseuser_pwdchars, pwd_len=12)
>             # save the password so it can be displayed in post_callback
>             setattr(context, 'randompassword', entry_attrs['userpassword'])
> 
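Review bot: the hard-coded `pwd_len=12` in `ipa_generate_password(baseuser_pwdchars, pwd_len=12)` pins the user's random password to the old default without recording why it should not follow `GEN_PWD_LEN`; a one-line comment (for example that this password is meant to be typed by a person, if that is the intent) or the shared constant proposed above would stop a future bump of `GEN_PWD_LEN` from being misread as having missed this call site.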
>diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
>index 413dcf15e0423170d8334902b9dcf8fb5aa14de6..1cefb6224e1a6dad0080369edee35c4524e5bd39 100644
>--- a/ipaserver/plugins/host.py
>+++ b/ipaserver/plugins/host.py
>@@ -683,7 +683,8 @@ class host_add(LDAPCreate):
>             if 'krbprincipal' in entry_attrs['objectclass']:
>                 entry_attrs['objectclass'].remove('krbprincipal')
>         if options.get('random'):
>-            entry_attrs['userpassword'] = ipa_generate_password(characters=host_pwd_chars)
>+            entry_attrs['userpassword'] = ipa_generate_password(
>+                characters=host_pwd_chars, pwd_len=12)
>             # save the password so it can be displayed in post_callback
>             setattr(context, 'randompassword', entry_attrs['userpassword'])
>         certs = options.get('usercertificate', [])
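Review bot: `host_pwd_chars` and `baseuser_pwdchars` are different alphabets, so the same `pwd_len=12` gives host enrollment passwords and user passwords different entropy; if 12 is kept for both on purpose, one named constant with a comment explaining the trade-off is better than four separate literals that must be kept in sync by hand.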
>diff --git a/ipaserver/plugins/stageuser.py b/ipaserver/plugins/stageuser.py
>index 3b9388f6020b9a6c40caedd36f3640a05a13da65..6df189c3913171b4990ce115b296b19c7447592d 100644
>--- a/ipaserver/plugins/stageuser.py
>+++ b/ipaserver/plugins/stageuser.py
>@@ -339,7 +339,8 @@ class stageuser_add(baseuser_add):
> 
>         # If requested, generate a userpassword
>         if 'userpassword' not in entry_attrs and options.get('random'):
>-            entry_attrs['userpassword'] = ipa_generate_password(baseuser_pwdchars)
>+            entry_attrs['userpassword'] = ipa_generate_password(
>+                baseuser_pwdchars, pwd_len=12)
>             # save the password so it can be displayed in post_callback
>             setattr(context, 'randompassword', entry_attrs['userpassword'])
> 
>diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
>index b3ae7646fdcfa1dce10d90063dae2a24c091e8ee..62ec529062c7ac39661df2a8c3d2277711268b11 100644
>--- a/ipaserver/plugins/user.py
>+++ b/ipaserver/plugins/user.py
>@@ -517,7 +517,8 @@ class user_add(baseuser_add):
>                 entry_attrs['gidnumber'] = group_attrs['gidnumber']
> 
>         if 'userpassword' not in entry_attrs and options.get('random'):
>-            entry_attrs['userpassword'] = ipa_generate_password(baseuser_pwdchars)
>+            entry_attrs['userpassword'] = ipa_generate_password(
>+                baseuser_pwdchars, pwd_len=12)
>             # save the password so it can be displayed in post_callback
>             setattr(context, 'randompassword', entry_attrs['userpassword'])
> 
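Review bot: this block is identical to the one in `stageuser_add` above, and `baseuser_mod.check_userpassword` differs only in the surrounding condition, so the literal 12 now has to be kept in sync across four places; consider one helper in `baseuser` that takes the charset and length once, which would also make the next length change a one-line diff.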
>-- 
>2.5.5
>

>-- 
>Manage your subscription for the Freeipa-devel mailing list:
>https://www.redhat.com/mailman/listinfo/freeipa-devel
>Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


-- 
/ Alexander Bokovoy
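As an added illustration of the entropy arithmetic behind this patch (this is not FreeIPA code; the character sets below are constructed stand-ins for the project's `baseuser_pwdchars` and `host_pwd_chars`, and `ipa_generate_password` itself is not reproduced), the following Python computes how many symbols a uniformly generated password needs to reach a target entropy, how large the alphabet must be for a given length, and generates a password from the OS CSPRNG:

```python
import math
import secrets
import string

# Constructed stand-in alphabets (not FreeIPA's baseuser_pwdchars / host_pwd_chars).
ALPHANUMERIC = string.ascii_letters + string.digits    # 62 symbols
LOWER_DIGITS = string.ascii_lowercase + string.digits  # 36 symbols
DIGITS = string.digits                                 # 10 symbols


def _symbols(charset):
    """Distinct symbols of a charset. A duplicated symbol would be picked
    more often than the others by a uniform choice, so duplicates are dropped."""
    return sorted(set(charset))


def entropy_bits(length, charset):
    """Entropy in bits of `length` symbols drawn independently and uniformly
    from `charset`: length * log2(alphabet size)."""
    return length * math.log2(len(_symbols(charset)))


def min_length_for_bits(target_bits, charset):
    """Shortest password over `charset` that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(len(_symbols(charset))))


def min_alphabet_for_bits(target_bits, length):
    """Smallest alphabet size with which a `length`-symbol password reaches
    `target_bits`: 2 ** (bits needed per symbol), rounded up."""
    return math.ceil(2 ** (target_bits / length))


def generate_password(length, charset):
    """Uniform random password drawn from the OS CSPRNG via `secrets`
    (never `random.random`, which is predictable)."""
    symbols = _symbols(charset)
    return "".join(secrets.choice(symbols) for _ in range(length))


if __name__ == "__main__":
    for name, cs in (("alphanumeric", ALPHANUMERIC),
                     ("lower+digits", LOWER_DIGITS),
                     ("digits", DIGITS)):
        print(f"{name:13s} 22 chars -> {entropy_bits(22, cs):6.1f} bits; "
              f"128 bits needs {min_length_for_bits(128, cs)} chars")
    print("22 chars reach 128 bits only with >=",
          min_alphabet_for_bits(128, 22), "distinct symbols")
    print("sample:", generate_password(22, ALPHANUMERIC))
```

Over a 62-symbol alphabet 22 characters give about 131 bits and the literal 12 kept in the plugin hunks gives about 71 bits; over lowercase plus digits 22 characters fall short of 128 bits, which is why the alphabet size matters as much as the length constant.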



