From 0d2e4dae80eb4140ea605ca88d9130b8bf3ec269 Mon Sep 17 00:00:00 2001
From: Martin Basti <mbasti@redhat.com>
Date: Fri, 22 Jul 2016 16:41:29 +0200
Subject: [PATCH] Increase default length of auto generated passwords
Installer/IPA generates passwords for various purposes:
* KRA
* kerberos master key
* NSSDB password
* temporary passwords during installation
Length of passwords should be increased to 22, ~128bits of entropy, to
be safe nowadays.
https://fedorahosted.org/freeipa/ticket/6116
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipapython/ipautil.py | 3 ++-
ipaserver/plugins/baseuser.py | 5 +++--
ipaserver/plugins/host.py | 9 +++++++--
ipaserver/plugins/stageuser.py | 5 +++--
ipaserver/plugins/user.py | 5 +++--
5 files changed, 18 insertions(+), 9 deletions(-)
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 9964fba4f694b57242b3bd3065a418917d977533..fdfebb65ecb8b62108852f6517b5ffb22fd7eedc 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -57,7 +57,8 @@ from ipapython.dn import DN
SHARE_DIR = paths.USR_SHARE_IPA_DIR
PLUGINS_SHARE_DIR = paths.IPA_PLUGINS
-GEN_PWD_LEN = 12
+GEN_PWD_LEN = 22
+GEN_TMP_PWD_LEN = 12 # only for OTP password that is manually retyped by user
# Having this in krb_utils would cause circular import
KRB5_KDC_UNREACH = 2529639068 # Cannot contact any KDC for requested realm
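Review bot: The new `GEN_TMP_PWD_LEN = 12` line says what the shorter length is for but not why it is acceptable, and every caller has to opt in by passing `pwd_len=` explicitly, so the rationale should live next to the constant. I would make the comment state the constraint and the resulting obligation: `GEN_TMP_PWD_LEN = 12  # OTP-style passwords a user retypes by hand; shorter than GEN_PWD_LEN, so only for single-use, short-lived values`. Whether `ipa_generate_password` actually defaults to `GEN_PWD_LEN` is not visible in this hunk, so a sentence in the commit message confirming that the 22-character length now applies to all callers that do not pass `pwd_len` would help reviewers verify the stated entropy claim.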
diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
index e4288a5a131157815ffb2452692a7edb342f6ac3..5e36a6620295351d4745bfc035f24349f8fb8295 100644
--- a/ipaserver/plugins/baseuser.py
+++ b/ipaserver/plugins/baseuser.py
@@ -34,7 +34,7 @@ from ipaserver.plugins.service import (
from ipalib.request import context
from ipalib import _
from ipapython import kerberos
-from ipapython.ipautil import ipa_generate_password
+from ipapython.ipautil import ipa_generate_password, GEN_TMP_PWD_LEN
from ipapython.ipavalidate import Email
from ipalib.util import (
normalize_sshpubkey,
@@ -552,7 +552,8 @@ class baseuser_mod(LDAPUpdate):
def check_userpassword(self, entry_attrs, **options):
if 'userpassword' not in entry_attrs and options.get('random'):
- entry_attrs['userpassword'] = ipa_generate_password(baseuser_pwdchars)
+ entry_attrs['userpassword'] = ipa_generate_password(
+ baseuser_pwdchars, pwd_len=GEN_TMP_PWD_LEN)
# save the password so it can be displayed in post_callback
setattr(context, 'randompassword', entry_attrs['userpassword'])
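Review bot: The random-password branch in `check_userpassword` now encodes the temporary-length policy at the call site, and the same generate-then-stash lines are repeated in `stageuser_add` (stageuser.py hunk), `user_add` (user.py hunk) and, with `host_pwd_chars`, in `host_add` (host.py hunk), so a future change to the OTP length or character set has four places to miss. A one-line helper next to `baseuser_pwdchars`, e.g. `def generate_random_userpassword():` / `return ipa_generate_password(baseuser_pwdchars, pwd_len=GEN_TMP_PWD_LEN)`, would let the three user-plugin call sites share the policy and confine the `GEN_TMP_PWD_LEN` import to baseuser.py. The hunk appears to show the whole method, but its enclosing class continues outside it.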
diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
index 413dcf15e0423170d8334902b9dcf8fb5aa14de6..03c64c637cbba0aee1b6569f3b5dbe200953bff8 100644
--- a/ipaserver/plugins/host.py
+++ b/ipaserver/plugins/host.py
@@ -59,7 +59,11 @@ from ipalib.util import (normalize_sshpubkey, validate_sshpubkey_no_options,
hostname_validator,
set_krbcanonicalname
)
-from ipapython.ipautil import ipa_generate_password, CheckedIPAddress
+from ipapython.ipautil import (
+ ipa_generate_password,
+ CheckedIPAddress,
+ GEN_TMP_PWD_LEN
+)
from ipapython.dnsutil import DNSName
from ipapython.ssh import SSHPublicKey
from ipapython.dn import DN
@@ -683,7 +687,8 @@ class host_add(LDAPCreate):
if 'krbprincipal' in entry_attrs['objectclass']:
entry_attrs['objectclass'].remove('krbprincipal')
if options.get('random'):
- entry_attrs['userpassword'] = ipa_generate_password(characters=host_pwd_chars)
+ entry_attrs['userpassword'] = ipa_generate_password(
+ characters=host_pwd_chars, pwd_len=GEN_TMP_PWD_LEN)
# save the password so it can be displayed in post_callback
setattr(context, 'randompassword', entry_attrs['userpassword'])
certs = options.get('usercertificate', [])
diff --git a/ipaserver/plugins/stageuser.py b/ipaserver/plugins/stageuser.py
index 3b9388f6020b9a6c40caedd36f3640a05a13da65..a219e3dace6da5e9c036122e9710b2acaaa42ebf 100644
--- a/ipaserver/plugins/stageuser.py
+++ b/ipaserver/plugins/stageuser.py
@@ -47,7 +47,7 @@ from ipalib.util import set_krbcanonicalname
from ipalib import _, ngettext
from ipalib import output
from ipaplatform.paths import paths
-from ipapython.ipautil import ipa_generate_password
+from ipapython.ipautil import ipa_generate_password, GEN_TMP_PWD_LEN
from ipalib.capabilities import client_has_capability
if six.PY3:
@@ -339,7 +339,8 @@ class stageuser_add(baseuser_add):
# If requested, generate a userpassword
if 'userpassword' not in entry_attrs and options.get('random'):
- entry_attrs['userpassword'] = ipa_generate_password(baseuser_pwdchars)
+ entry_attrs['userpassword'] = ipa_generate_password(
+ baseuser_pwdchars, pwd_len=GEN_TMP_PWD_LEN)
# save the password so it can be displayed in post_callback
setattr(context, 'randompassword', entry_attrs['userpassword'])
diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
index b3ae7646fdcfa1dce10d90063dae2a24c091e8ee..935ea892cde9e2cb5b21f4714fd93e73c3fa53d5 100644
--- a/ipaserver/plugins/user.py
+++ b/ipaserver/plugins/user.py
@@ -63,7 +63,7 @@ from ipalib import _, ngettext
from ipalib import output
from ipaplatform.paths import paths
from ipapython.dn import DN
-from ipapython.ipautil import ipa_generate_password
+from ipapython.ipautil import ipa_generate_password, GEN_TMP_PWD_LEN
from ipalib.capabilities import client_has_capability
if api.env.in_server:
@@ -517,7 +517,8 @@ class user_add(baseuser_add):
entry_attrs['gidnumber'] = group_attrs['gidnumber']
if 'userpassword' not in entry_attrs and options.get('random'):
- entry_attrs['userpassword'] = ipa_generate_password(baseuser_pwdchars)
+ entry_attrs['userpassword'] = ipa_generate_password(
+ baseuser_pwdchars, pwd_len=GEN_TMP_PWD_LEN)
# save the password so it can be displayed in post_callback
setattr(context, 'randompassword', entry_attrs['userpassword'])
--
2.7.4