Increase default length of auto generated passwords

Installer/IPA generates passwords for warious purpose:
* KRA
* kerberos master key
* NSSDB password
* temporary passwords during installation

Length of passwords should be increased to 22, ~128bits of entropy, to
be safe nowadays.

https://fedorahosted.org/freeipa/ticket/6116

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This commit is contained in:
Martin Basti 2016-07-22 16:41:29 +02:00
parent 4e574cde72
commit 51ccde25f7
5 changed files with 18 additions and 9 deletions

View File

@ -57,7 +57,8 @@ from ipapython.dn import DN
SHARE_DIR = paths.USR_SHARE_IPA_DIR
PLUGINS_SHARE_DIR = paths.IPA_PLUGINS
GEN_PWD_LEN = 12
GEN_PWD_LEN = 22
GEN_TMP_PWD_LEN = 12 # only for OTP password that is manually retyped by user
# Having this in krb_utils would cause circular import
KRB5_KDC_UNREACH = 2529639068 # Cannot contact any KDC for requested realm

View File

@ -34,7 +34,7 @@ from ipaserver.plugins.service import (
from ipalib.request import context
from ipalib import _
from ipapython import kerberos
from ipapython.ipautil import ipa_generate_password
from ipapython.ipautil import ipa_generate_password, GEN_TMP_PWD_LEN
from ipapython.ipavalidate import Email
from ipalib.util import (
normalize_sshpubkey,
@ -552,7 +552,8 @@ class baseuser_mod(LDAPUpdate):
def check_userpassword(self, entry_attrs, **options):
if 'userpassword' not in entry_attrs and options.get('random'):
entry_attrs['userpassword'] = ipa_generate_password(baseuser_pwdchars)
entry_attrs['userpassword'] = ipa_generate_password(
baseuser_pwdchars, pwd_len=GEN_TMP_PWD_LEN)
# save the password so it can be displayed in post_callback
setattr(context, 'randompassword', entry_attrs['userpassword'])

View File

@ -59,7 +59,11 @@ from ipalib.util import (normalize_sshpubkey, validate_sshpubkey_no_options,
hostname_validator,
set_krbcanonicalname
)
from ipapython.ipautil import ipa_generate_password, CheckedIPAddress
from ipapython.ipautil import (
ipa_generate_password,
CheckedIPAddress,
GEN_TMP_PWD_LEN
)
from ipapython.dnsutil import DNSName
from ipapython.ssh import SSHPublicKey
from ipapython.dn import DN
@ -683,7 +687,8 @@ class host_add(LDAPCreate):
if 'krbprincipal' in entry_attrs['objectclass']:
entry_attrs['objectclass'].remove('krbprincipal')
if options.get('random'):
entry_attrs['userpassword'] = ipa_generate_password(characters=host_pwd_chars)
entry_attrs['userpassword'] = ipa_generate_password(
characters=host_pwd_chars, pwd_len=GEN_TMP_PWD_LEN)
# save the password so it can be displayed in post_callback
setattr(context, 'randompassword', entry_attrs['userpassword'])
certs = options.get('usercertificate', [])

View File

@ -47,7 +47,7 @@ from ipalib.util import set_krbcanonicalname
from ipalib import _, ngettext
from ipalib import output
from ipaplatform.paths import paths
from ipapython.ipautil import ipa_generate_password
from ipapython.ipautil import ipa_generate_password, GEN_TMP_PWD_LEN
from ipalib.capabilities import client_has_capability
if six.PY3:
@ -339,7 +339,8 @@ class stageuser_add(baseuser_add):
# If requested, generate a userpassword
if 'userpassword' not in entry_attrs and options.get('random'):
entry_attrs['userpassword'] = ipa_generate_password(baseuser_pwdchars)
entry_attrs['userpassword'] = ipa_generate_password(
baseuser_pwdchars, pwd_len=GEN_TMP_PWD_LEN)
# save the password so it can be displayed in post_callback
setattr(context, 'randompassword', entry_attrs['userpassword'])

View File

@ -63,7 +63,7 @@ from ipalib import _, ngettext
from ipalib import output
from ipaplatform.paths import paths
from ipapython.dn import DN
from ipapython.ipautil import ipa_generate_password
from ipapython.ipautil import ipa_generate_password, GEN_TMP_PWD_LEN
from ipalib.capabilities import client_has_capability
if api.env.in_server:
@ -517,7 +517,8 @@ class user_add(baseuser_add):
entry_attrs['gidnumber'] = group_attrs['gidnumber']
if 'userpassword' not in entry_attrs and options.get('random'):
entry_attrs['userpassword'] = ipa_generate_password(baseuser_pwdchars)
entry_attrs['userpassword'] = ipa_generate_password(
baseuser_pwdchars, pwd_len=GEN_TMP_PWD_LEN)
# save the password so it can be displayed in post_callback
setattr(context, 'randompassword', entry_attrs['userpassword'])