Unify password generation across FreeIPA

Also had to recalculate entropy of the passwords as originally, probability of generating each character was 1/256, however the default probability of each character in the ipa_generate_password is 1/95 (1/94 for first and last character). https://fedorahosted.org/freeipa/ticket/5695 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Petr Spacek <pspacek@redhat.com>
2025-02-25 18:55:28 -06:00 · 2016-12-06 09:05:42 +01:00 · 2016-12-06 09:05:42 +01:00 · 8db5b277a0
commit 8db5b277a0
parent be7865bf4f
6 changed files with 8 additions and 18 deletions
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@ -25,7 +25,6 @@ import shutil
 import xml.dom.minidom
 import pwd
 import base64
-from hashlib import sha1
 import fcntl
 import time
 import datetime
@ -159,9 +158,6 @@ class CertDB(object):
            perms |= stat.S_IWUSR
        os.chmod(fname, perms)

-    def gen_password(self):
-        return sha1(ipautil.ipa_generate_password()).hexdigest()
-
    def run_certutil(self, args, stdin=None, **kwargs):
        return self.nssdb.run_certutil(args, stdin, **kwargs)

@ -177,7 +173,7 @@ class CertDB(object):
        if ipautil.file_exists(self.noise_fname):
            os.remove(self.noise_fname)
        f = open(self.noise_fname, "w")
-        f.write(self.gen_password())
+        f.write(ipautil.ipa_generate_password(pwd_len=25))
        self.set_perms(self.noise_fname)

    def create_passwd_file(self, passwd=None):
@ -186,7 +182,7 @@ class CertDB(object):
        if passwd is not None:
            f.write("%s\n" % passwd)
        else:
-            f.write(self.gen_password())
+            f.write(ipautil.ipa_generate_password(pwd_len=25))
        f.close()
        self.set_perms(self.passwd_fname)

--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@ -18,7 +18,6 @@
 #

 import base64
-import binascii
 import ldap
 import os
 import shutil
@ -428,7 +427,7 @@ class DogtagInstance(service.Service):

    def setup_admin(self):
        self.admin_user = "admin-%s" % self.fqdn
-        self.admin_password = binascii.hexlify(os.urandom(16))
+        self.admin_password = ipautil.ipa_generate_password(pwd_len=20)
        self.admin_dn = DN(('uid', self.admin_user),
                           ('ou', 'people'), ('o', 'ipaca'))

--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@ -508,7 +508,7 @@ class DsInstance(service.Service):
            idrange_size = None
        self.sub_dict = dict(FQDN=self.fqdn, SERVERID=self.serverid,
                             PASSWORD=self.dm_password,
-                             RANDOM_PASSWORD=self.generate_random(),
+                             RANDOM_PASSWORD=ipautil.ipa_generate_password(),
                             SUFFIX=self.suffix,
                             REALM=self.realm, USER=DS_USER,
                             SERVER_ROOT=server_root, DOMAIN=self.domain,
@ -775,9 +775,6 @@ class DsInstance(service.Service):
    def __add_enrollment_module(self):
        self._ldap_mod("enrollment-conf.ldif", self.sub_dict)

-    def generate_random(self):
-        return ipautil.ipa_generate_password()
-
    def __enable_ssl(self):
        dirname = config_dirname(self.serverid)
        dsdb = certs.CertDB(self.realm, nssdir=dirname, subject_base=self.subject_base)
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@ -19,7 +19,6 @@

 from __future__ import print_function

-import binascii
 import os
 import os.path
 import pwd
@ -314,9 +313,9 @@ class HTTPInstance(service.Service):
            ipautil.backup_file(nss_path)

        # Create the password file for this db
-        hex_str = binascii.hexlify(os.urandom(10))
+        password = ipautil.ipa_generate_password(pwd_len=15)
        f = os.open(pwd_file, os.O_CREAT | os.O_RDWR)
-        os.write(f, hex_str)
+        os.write(f, password)
        os.close(f)

        ipautil.run([paths.CERTUTIL, "-d", database, "-f", pwd_file, "-N"])
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@ -45,7 +45,6 @@ from ipaserver.install.replication import (
    ReplicationManager, replica_conn_check)
 import SSSDConfig
 from subprocess import CalledProcessError
-from binascii import hexlify

 if six.PY3:
    unicode = str
@ -1303,7 +1302,7 @@ def install(installer):
                if conn.isconnected():
                    conn.disconnect()
                os.environ['KRB5CCNAME'] = ccache
-        config.dirman_password = hexlify(ipautil.ipa_generate_password())
+        config.dirman_password = ipautil.ipa_generate_password()

        # FIXME: allow to use passed in certs instead
        if ca_enabled:
--- a/ipaserver/secrets/store.py
+++ b/ipaserver/secrets/store.py
@ -122,7 +122,7 @@ class NSSCertDB(DBMAPHandler):
            with open(nsspwfile, 'w+') as f:
                f.write(self.nssdb_password)
            pk12pwfile = os.path.join(tdir, 'pk12pwfile')
-            password = b64encode(os.urandom(16))
+            password = ipautil.ipa_generate_password(pwd_len=20)
            with open(pk12pwfile, 'w+') as f:
                f.write(password)
            pk12file = os.path.join(tdir, 'pk12file')