Increase default length of auto generated passwords
Installer/IPA generates passwords for various purposes: * KRA * Kerberos master key * NSSDB password * temporary passwords during installation. Password length should be increased to 22 characters (~128 bits of entropy) to be safe nowadays. https://fedorahosted.org/freeipa/ticket/6116 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This commit is contained in:
parent
4e574cde72
commit
51ccde25f7
@ -57,7 +57,8 @@ from ipapython.dn import DN
|
||||
SHARE_DIR = paths.USR_SHARE_IPA_DIR
|
||||
PLUGINS_SHARE_DIR = paths.IPA_PLUGINS
|
||||
|
||||
GEN_PWD_LEN = 12
|
||||
GEN_PWD_LEN = 22
|
||||
GEN_TMP_PWD_LEN = 12 # only for OTP password that is manually retyped by user
|
||||
|
||||
# Having this in krb_utils would cause circular import
|
||||
KRB5_KDC_UNREACH = 2529639068 # Cannot contact any KDC for requested realm
|
||||
|
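Review bot: `GEN_PWD_LEN = 22` carries no comment explaining the choice, and the "~128 bits" figure from the commit message holds only for a sufficiently large alphabet (22 characters reach 128 bits only when the character set has roughly 57 or more symbols); the default alphabet of `ipa_generate_password` is not in this hunk, so the assumption should be stated next to the constant, e.g. `# 22 chars ~= 128 bits of entropy with the default alphabet (assumes >= ~57 symbols; ticket 6116)`. The comment on `GEN_TMP_PWD_LEN` says it is only for an OTP retyped by a user, but the other hunks of this commit also pass it for `--random` user and stage-user passwords, so widening it to `# for values a human must retype: host OTPs and --random initial user passwords` would describe the real use. That comment is the only thing stopping someone from later reusing `GEN_TMP_PWD_LEN` for a machine-consumed secret, which should use `GEN_PWD_LEN`.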
@ -34,7 +34,7 @@ from ipaserver.plugins.service import (
|
||||
from ipalib.request import context
|
||||
from ipalib import _
|
||||
from ipapython import kerberos
|
||||
from ipapython.ipautil import ipa_generate_password
|
||||
from ipapython.ipautil import ipa_generate_password, GEN_TMP_PWD_LEN
|
||||
from ipapython.ipavalidate import Email
|
||||
from ipalib.util import (
|
||||
normalize_sshpubkey,
|
||||
@ -552,7 +552,8 @@ class baseuser_mod(LDAPUpdate):
|
||||
|
||||
def check_userpassword(self, entry_attrs, **options):
|
||||
if 'userpassword' not in entry_attrs and options.get('random'):
|
||||
entry_attrs['userpassword'] = ipa_generate_password(baseuser_pwdchars)
|
||||
entry_attrs['userpassword'] = ipa_generate_password(
|
||||
baseuser_pwdchars, pwd_len=GEN_TMP_PWD_LEN)
|
||||
# save the password so it can be displayed in post_callback
|
||||
setattr(context, 'randompassword', entry_attrs['userpassword'])
|
||||
|
||||
|
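Review bot: `check_userpassword` has no docstring, and the reason it pins `pwd_len=GEN_TMP_PWD_LEN` rather than taking the new, longer default is not visible at the call site, so a later reader bumping password lengths would not know this one is deliberately short. Suggest a docstring above the `if`, along the lines of `"""Set a random initial password when --random is given and none was supplied; uses the short GEN_TMP_PWD_LEN because the value is read out by an admin and retyped by the user."""`. Since the plaintext is also stashed on `context.randompassword` for the post_callback, a one-line reminder there that it is a secret and must not be logged is worth adding. The method's end may lie outside this hunk.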
@ -59,7 +59,11 @@ from ipalib.util import (normalize_sshpubkey, validate_sshpubkey_no_options,
|
||||
hostname_validator,
|
||||
set_krbcanonicalname
|
||||
)
|
||||
from ipapython.ipautil import ipa_generate_password, CheckedIPAddress
|
||||
from ipapython.ipautil import (
|
||||
ipa_generate_password,
|
||||
CheckedIPAddress,
|
||||
GEN_TMP_PWD_LEN
|
||||
)
|
||||
from ipapython.dnsutil import DNSName
|
||||
from ipapython.ssh import SSHPublicKey
|
||||
from ipapython.dn import DN
|
||||
@ -683,7 +687,8 @@ class host_add(LDAPCreate):
|
||||
if 'krbprincipal' in entry_attrs['objectclass']:
|
||||
entry_attrs['objectclass'].remove('krbprincipal')
|
||||
if options.get('random'):
|
||||
entry_attrs['userpassword'] = ipa_generate_password(characters=host_pwd_chars)
|
||||
entry_attrs['userpassword'] = ipa_generate_password(
|
||||
characters=host_pwd_chars, pwd_len=GEN_TMP_PWD_LEN)
|
||||
# save the password so it can be displayed in post_callback
|
||||
setattr(context, 'randompassword', entry_attrs['userpassword'])
|
||||
certs = options.get('usercertificate', [])
|
||||
|
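Review bot: The host OTP in the `options.get('random')` branch is now explicitly pinned to `GEN_TMP_PWD_LEN` (12 characters from `host_pwd_chars`), which keeps it at the old length while the rest of this commit moves to 22; that is fine if the value is retyped by hand, but a host OTP is frequently pasted or scripted into the enrolment tooling rather than typed, in which case the longer `GEN_PWD_LEN` would cost nothing. If the shorter length is deliberate, a why-comment on the call such as `# short on purpose: the OTP is typed into the client installer by hand` would stop the next reader from "fixing" it. The effective entropy of the 12-character value also depends on the size of `host_pwd_chars`, which is defined outside this hunk. `host_add`'s pre_callback continues beyond the hunk.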
@ -47,7 +47,7 @@ from ipalib.util import set_krbcanonicalname
|
||||
from ipalib import _, ngettext
|
||||
from ipalib import output
|
||||
from ipaplatform.paths import paths
|
||||
from ipapython.ipautil import ipa_generate_password
|
||||
from ipapython.ipautil import ipa_generate_password, GEN_TMP_PWD_LEN
|
||||
from ipalib.capabilities import client_has_capability
|
||||
|
||||
if six.PY3:
|
||||
@ -339,7 +339,8 @@ class stageuser_add(baseuser_add):
|
||||
|
||||
# If requested, generate a userpassword
|
||||
if 'userpassword' not in entry_attrs and options.get('random'):
|
||||
entry_attrs['userpassword'] = ipa_generate_password(baseuser_pwdchars)
|
||||
entry_attrs['userpassword'] = ipa_generate_password(
|
||||
baseuser_pwdchars, pwd_len=GEN_TMP_PWD_LEN)
|
||||
# save the password so it can be displayed in post_callback
|
||||
setattr(context, 'randompassword', entry_attrs['userpassword'])
|
||||
|
||||
|
@ -63,7 +63,7 @@ from ipalib import _, ngettext
|
||||
from ipalib import output
|
||||
from ipaplatform.paths import paths
|
||||
from ipapython.dn import DN
|
||||
from ipapython.ipautil import ipa_generate_password
|
||||
from ipapython.ipautil import ipa_generate_password, GEN_TMP_PWD_LEN
|
||||
from ipalib.capabilities import client_has_capability
|
||||
|
||||
if api.env.in_server:
|
||||
@ -517,7 +517,8 @@ class user_add(baseuser_add):
|
||||
entry_attrs['gidnumber'] = group_attrs['gidnumber']
|
||||
|
||||
if 'userpassword' not in entry_attrs and options.get('random'):
|
||||
entry_attrs['userpassword'] = ipa_generate_password(baseuser_pwdchars)
|
||||
entry_attrs['userpassword'] = ipa_generate_password(
|
||||
baseuser_pwdchars, pwd_len=GEN_TMP_PWD_LEN)
|
||||
# save the password so it can be displayed in post_callback
|
||||
setattr(context, 'randompassword', entry_attrs['userpassword'])
|
||||
|
||||
|
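Review bot: The `--random` block in `user_add` is now the third verbatim copy of the same lines in this commit (`baseuser_mod.check_userpassword` and `stageuser_add` carry the other two), and each copy has to know both the character set and the length constant, so the next length change will again touch three sites. A single helper on `baseuser`, e.g. `_set_random_password(entry_attrs)` that calls `ipa_generate_password(baseuser_pwdchars, pwd_len=GEN_TMP_PWD_LEN)` and does the `setattr(context, 'randompassword', ...)`, would reduce each call site to `_set_random_password(entry_attrs)`. The policy itself — temporary user passwords stay at 12 characters while installer secrets go to 22 — is not documented here; a comment `# short: the admin reads this out and the user retypes it` would make the distinction explicit. The enclosing pre_callback continues past the hunk.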