[Freeipa-devel] [PATCH 0559] Increase default length of auto-generated passwords
Martin Basti
mbasti at redhat.com
Wed Aug 3 13:37:17 UTC 2016
On 29.07.2016 18:19, Alexander Bokovoy wrote:
> On Fri, 29 Jul 2016, Martin Basti wrote:
>>
>>
>> On 29.07.2016 17:09, Alexander Bokovoy wrote:
>> > On Fri, 29 Jul 2016, Martin Basti wrote:
>> > > https://fedorahosted.org/freeipa/ticket/6116
>> > > > > > > Patch attached
>> > > > > > From ca5305e032137b7c9197d0c1050191079a72124e Mon Sep 17
>> 00:00:00 2001
>> > > From: Martin Basti <mbasti at redhat.com>
>> > > Date: Fri, 22 Jul 2016 16:41:29 +0200
>> > > Subject: [PATCH] Increase default length of auto generated passwords
>> > > > > Installer/IPA generates passwords for various purposes:
>> > > * KRA
>> > > * kerberos master key
>> > > * NSSDB password
>> > > * temporary passwords during installation
>> > > > > Length of passwords should be increased to 22, ~128bits of
>> entropy, to
>> > > be safe nowadays.
>> > > > > https://fedorahosted.org/freeipa/ticket/6116
>> > ACK with a minor comment.
>> > > > ---
>> > > ipapython/ipautil.py | 2 +-
>> > > ipaserver/plugins/baseuser.py | 3 ++-
>> > > ipaserver/plugins/host.py | 3 ++-
>> > > ipaserver/plugins/stageuser.py | 3 ++-
>> > > ipaserver/plugins/user.py | 3 ++-
>> > > 5 files changed, 9 insertions(+), 5 deletions(-)
>> > > > > diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
>> > > index
>> 9964fba4f694b57242b3bd3065a418917d977533..ca7e81d666cd6c345bdbbf4660c3451ac1f2c045
>> > > 100644
>> > > --- a/ipapython/ipautil.py
>> > > +++ b/ipapython/ipautil.py
>> > > @@ -57,7 +57,7 @@ from ipapython.dn import DN
>> > > SHARE_DIR = paths.USR_SHARE_IPA_DIR
>> > > PLUGINS_SHARE_DIR = paths.IPA_PLUGINS
>> > > > > -GEN_PWD_LEN = 12
>> > > +GEN_PWD_LEN = 22
>> > It would be good to add a temporary password constant too
>> > +GEN_TMP_PWD_LEN = 12
>> > > and then use it instead of pwd_len=12 below.
>> > > > # Having this in krb_utils would cause circular import
>> > > KRB5_KDC_UNREACH = 2529639068 # Cannot contact any KDC for
>> requested > > realm
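Review bot: The new `GEN_PWD_LEN = 22` on the `+` line carries no comment explaining why 22 was chosen, so the sizing rationale lives only in the commit message. The ~128-bit figure holds only for a specific alphabet size, and the default `characters` set used by `ipa_generate_password` is not visible in this hunk, so a later change to that alphabet would silently invalidate the constant. Suggest a comment next to the constant, e.g. `# 22 chars ~= 128 bits of entropy with the default alphabet (ticket 6116)`, after confirming the figure against the function's actual default character set.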
>> > > diff --git a/ipaserver/plugins/baseuser.py > >
>> b/ipaserver/plugins/baseuser.py
>> > > index
>> e4288a5a131157815ffb2452692a7edb342f6ac3..5e0752c8d3d246fa7c283f05b82ef01de2e5bf34
>> > > 100644
>> > > --- a/ipaserver/plugins/baseuser.py
>> > > +++ b/ipaserver/plugins/baseuser.py
>> > > @@ -552,7 +552,8 @@ class baseuser_mod(LDAPUpdate):
>> > > > > def check_userpassword(self, entry_attrs, **options):
>> > > if 'userpassword' not in entry_attrs and
>> options.get('random'):
>> > > - entry_attrs['userpassword'] = > >
>> ipa_generate_password(baseuser_pwdchars)
>> > > + entry_attrs['userpassword'] = ipa_generate_password(
>> > > + baseuser_pwdchars, pwd_len=12)
>> > > # save the password so it can be displayed in
>> post_callback
>> > > setattr(context, 'randompassword', > >
>> entry_attrs['userpassword'])
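Review bot: The added call passes the alphabet positionally, `ipa_generate_password(baseuser_pwdchars, pwd_len=12)`, while the parallel hunk in host.py passes it as `characters=host_pwd_chars, pwd_len=12`; the same positional form is repeated in the stageuser.py and user.py hunks. Mixing positional and keyword forms for the same two-argument call makes the four sites harder to grep and compare, so the user-plugin sites should read `entry_attrs['userpassword'] = ipa_generate_password(characters=baseuser_pwdchars, pwd_len=12)`. The body of `check_userpassword` may continue past the end of this hunk.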
>> > > > > diff --git a/ipaserver/plugins/host.py
>> b/ipaserver/plugins/host.py
>> > > index
>> 413dcf15e0423170d8334902b9dcf8fb5aa14de6..1cefb6224e1a6dad0080369edee35c4524e5bd39
>> > > 100644
>> > > --- a/ipaserver/plugins/host.py
>> > > +++ b/ipaserver/plugins/host.py
>> > > @@ -683,7 +683,8 @@ class host_add(LDAPCreate):
>> > > if 'krbprincipal' in entry_attrs['objectclass']:
>> > > entry_attrs['objectclass'].remove('krbprincipal')
>> > > if options.get('random'):
>> > > - entry_attrs['userpassword'] = > >
>> ipa_generate_password(characters=host_pwd_chars)
>> > > + entry_attrs['userpassword'] = ipa_generate_password(
>> > > + characters=host_pwd_chars, pwd_len=12)
>> > > # save the password so it can be displayed in
>> post_callback
>> > > setattr(context, 'randompassword', > >
>> entry_attrs['userpassword'])
>> > > certs = options.get('usercertificate', [])
>> > > diff --git a/ipaserver/plugins/stageuser.py > >
>> b/ipaserver/plugins/stageuser.py
>> > > index
>> 3b9388f6020b9a6c40caedd36f3640a05a13da65..6df189c3913171b4990ce115b296b19c7447592d
>> > > 100644
>> > > --- a/ipaserver/plugins/stageuser.py
>> > > +++ b/ipaserver/plugins/stageuser.py
>> > > @@ -339,7 +339,8 @@ class stageuser_add(baseuser_add):
>> > > > > # If requested, generate a userpassword
>> > > if 'userpassword' not in entry_attrs and
>> options.get('random'):
>> > > - entry_attrs['userpassword'] = > >
>> ipa_generate_password(baseuser_pwdchars)
>> > > + entry_attrs['userpassword'] = ipa_generate_password(
>> > > + baseuser_pwdchars, pwd_len=12)
>> > > # save the password so it can be displayed in
>> post_callback
>> > > setattr(context, 'randompassword', > >
>> entry_attrs['userpassword'])
>> > > > > diff --git a/ipaserver/plugins/user.py
>> b/ipaserver/plugins/user.py
>> > > index
>> b3ae7646fdcfa1dce10d90063dae2a24c091e8ee..62ec529062c7ac39661df2a8c3d2277711268b11
>> > > 100644
>> > > --- a/ipaserver/plugins/user.py
>> > > +++ b/ipaserver/plugins/user.py
>> > > @@ -517,7 +517,8 @@ class user_add(baseuser_add):
>> > > entry_attrs['gidnumber'] = group_attrs['gidnumber']
>> > > > > if 'userpassword' not in entry_attrs and
>> options.get('random'):
>> > > - entry_attrs['userpassword'] = > >
>> ipa_generate_password(baseuser_pwdchars)
>> > > + entry_attrs['userpassword'] = ipa_generate_password(
>> > > + baseuser_pwdchars, pwd_len=12)
>> > > # save the password so it can be displayed in
>> post_callback
>> > > setattr(context, 'randompassword', > >
>> entry_attrs['userpassword'])
>> > > > > -- > > 2.5.5
>> > > Thanks
>> Updated patch attached
> Thanks, ACK.
>
Pushed to master: 51ccde25f7ec0d5309c52b5349992652c7e17a01