From 0d2e4dae80eb4140ea605ca88d9130b8bf3ec269 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Fri, 22 Jul 2016 16:41:29 +0200 Subject: [PATCH] Increase default length of auto generated passwords Installer/IPA generates passwords for warious purpose: * KRA * kerberos master key * NSSDB password * temporary passwords during installation Length of passwords should be increased to 22, ~128bits of entropy, to be safe nowadays. https://fedorahosted.org/freeipa/ticket/6116 Reviewed-By: Alexander Bokovoy --- ipapython/ipautil.py | 3 ++- ipaserver/plugins/baseuser.py | 5 +++-- ipaserver/plugins/host.py | 9 +++++++-- ipaserver/plugins/stageuser.py | 5 +++-- ipaserver/plugins/user.py | 5 +++-- 5 files changed, 18 insertions(+), 9 deletions(-) diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py index 9964fba4f694b57242b3bd3065a418917d977533..fdfebb65ecb8b62108852f6517b5ffb22fd7eedc 100644 --- a/ipapython/ipautil.py +++ b/ipapython/ipautil.py @@ -57,7 +57,8 @@ from ipapython.dn import DN SHARE_DIR = paths.USR_SHARE_IPA_DIR PLUGINS_SHARE_DIR = paths.IPA_PLUGINS -GEN_PWD_LEN = 12 +GEN_PWD_LEN = 22 +GEN_TMP_PWD_LEN = 12 # only for OTP password that is manually retyped by user # Having this in krb_utils would cause circular import KRB5_KDC_UNREACH = 2529639068 # Cannot contact any KDC for requested realm diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py index e4288a5a131157815ffb2452692a7edb342f6ac3..5e36a6620295351d4745bfc035f24349f8fb8295 100644 --- a/ipaserver/plugins/baseuser.py +++ b/ipaserver/plugins/baseuser.py @@ -34,7 +34,7 @@ from ipaserver.plugins.service import ( from ipalib.request import context from ipalib import _ from ipapython import kerberos -from ipapython.ipautil import ipa_generate_password +from ipapython.ipautil import ipa_generate_password, GEN_TMP_PWD_LEN from ipapython.ipavalidate import Email from ipalib.util import ( normalize_sshpubkey, @@ -552,7 +552,8 @@ class baseuser_mod(LDAPUpdate): def check_userpassword(self, entry_attrs, **options): if 'userpassword' not in entry_attrs and options.get('random'): - entry_attrs['userpassword'] = ipa_generate_password(baseuser_pwdchars) + entry_attrs['userpassword'] = ipa_generate_password( + baseuser_pwdchars, pwd_len=GEN_TMP_PWD_LEN) # save the password so it can be displayed in post_callback setattr(context, 'randompassword', entry_attrs['userpassword']) diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py index 413dcf15e0423170d8334902b9dcf8fb5aa14de6..03c64c637cbba0aee1b6569f3b5dbe200953bff8 100644 --- a/ipaserver/plugins/host.py +++ b/ipaserver/plugins/host.py @@ -59,7 +59,11 @@ from ipalib.util import (normalize_sshpubkey, validate_sshpubkey_no_options, hostname_validator, set_krbcanonicalname ) -from ipapython.ipautil import ipa_generate_password, CheckedIPAddress +from ipapython.ipautil import ( + ipa_generate_password, + CheckedIPAddress, + GEN_TMP_PWD_LEN +) from ipapython.dnsutil import DNSName from ipapython.ssh import SSHPublicKey from ipapython.dn import DN @@ -683,7 +687,8 @@ class host_add(LDAPCreate): if 'krbprincipal' in entry_attrs['objectclass']: entry_attrs['objectclass'].remove('krbprincipal') if options.get('random'): - entry_attrs['userpassword'] = ipa_generate_password(characters=host_pwd_chars) + entry_attrs['userpassword'] = ipa_generate_password( + characters=host_pwd_chars, pwd_len=GEN_TMP_PWD_LEN) # save the password so it can be displayed in post_callback setattr(context, 'randompassword', entry_attrs['userpassword']) certs = options.get('usercertificate', []) diff --git a/ipaserver/plugins/stageuser.py b/ipaserver/plugins/stageuser.py index 3b9388f6020b9a6c40caedd36f3640a05a13da65..a219e3dace6da5e9c036122e9710b2acaaa42ebf 100644 --- a/ipaserver/plugins/stageuser.py +++ b/ipaserver/plugins/stageuser.py @@ -47,7 +47,7 @@ from ipalib.util import set_krbcanonicalname from ipalib import _, ngettext from ipalib import output from ipaplatform.paths import paths -from ipapython.ipautil import ipa_generate_password +from ipapython.ipautil import ipa_generate_password, GEN_TMP_PWD_LEN from ipalib.capabilities import client_has_capability if six.PY3: @@ -339,7 +339,8 @@ class stageuser_add(baseuser_add): # If requested, generate a userpassword if 'userpassword' not in entry_attrs and options.get('random'): - entry_attrs['userpassword'] = ipa_generate_password(baseuser_pwdchars) + entry_attrs['userpassword'] = ipa_generate_password( + baseuser_pwdchars, pwd_len=GEN_TMP_PWD_LEN) # save the password so it can be displayed in post_callback setattr(context, 'randompassword', entry_attrs['userpassword']) diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py index b3ae7646fdcfa1dce10d90063dae2a24c091e8ee..935ea892cde9e2cb5b21f4714fd93e73c3fa53d5 100644 --- a/ipaserver/plugins/user.py +++ b/ipaserver/plugins/user.py @@ -63,7 +63,7 @@ from ipalib import _, ngettext from ipalib import output from ipaplatform.paths import paths from ipapython.dn import DN -from ipapython.ipautil import ipa_generate_password +from ipapython.ipautil import ipa_generate_password, GEN_TMP_PWD_LEN from ipalib.capabilities import client_has_capability if api.env.in_server: @@ -517,7 +517,8 @@ class user_add(baseuser_add): entry_attrs['gidnumber'] = group_attrs['gidnumber'] if 'userpassword' not in entry_attrs and options.get('random'): - entry_attrs['userpassword'] = ipa_generate_password(baseuser_pwdchars) + entry_attrs['userpassword'] = ipa_generate_password( + baseuser_pwdchars, pwd_len=GEN_TMP_PWD_LEN) # save the password so it can be displayed in post_callback setattr(context, 'randompassword', entry_attrs['userpassword']) -- 2.7.4