Password generation and logging in ipa-server-install

When a randomly generated password contains a space character as the first or the last character, installation fails on kdb5_ldap_util calling, which does not accept that. This patch fixes the generator to generate space only on allowed position. This patch also ensures that no password is printed to server install log. https://fedorahosted.org/freeipa/ticket/731
2025-02-25 18:55:28 -06:00 · 2011-01-18 12:31:16 +01:00 · 2011-01-18 12:31:16 +01:00 · e73efb9a90
commit e73efb9a90
parent 38bce669da
3 changed files with 18 additions and 4 deletions
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@ -20,6 +20,8 @@
 SHARE_DIR = "/usr/share/ipa/"
 PLUGINS_SHARE_DIR = "/usr/share/ipa/plugins"

+GEN_PWD_LEN = 12
+
 import string
 import tempfile
 import logging
@ -422,8 +424,15 @@ def parse_generalized_time(timestr):
 def ipa_generate_password():
    rndpwd = ''
    r = random.SystemRandom()
-    for x in range(12):
-        rndpwd += chr(r.randint(32,126))
+    for x in range(GEN_PWD_LEN):
+        # do not generate space (chr(32)) as the first or last character
+        if x == 0 or x == (GEN_PWD_LEN-1):
+            rndchar = chr(r.randint(33,126))
+        else:
+            rndchar = chr(r.randint(32,126))
+
+        rndpwd += rndchar
+
    return rndpwd


--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@ -335,7 +335,7 @@ class KrbInstance(service.Service):
            #populate the directory with the realm structure
            args = ["kdb5_ldap_util", "-D", "uid=kdc,cn=sysaccounts,cn=etc,"+self.suffix, "-w", self.kdc_password, "create", "-s", "-P", self.master_password, "-r", self.realm, "-subtrees", self.suffix, "-sscope", "sub"]
            try:
-                ipautil.run(args)
+                ipautil.run(args, nolog=(self.kdc_password, self.master_password))
            except ipautil.CalledProcessError, e:
                print "Failed to populate the realm structure in kerberos", e

--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@ -124,12 +124,17 @@ class Service:
        fd = None
        path = ipautil.SHARE_DIR + ldif
        hostname = installutils.get_fqdn()
+        nologlist=()

        if sub_dict is not None:
            txt = ipautil.template_file(path, sub_dict)
            fd = ipautil.write_tmp_file(txt)
            path = fd.name

+            # do not log passwords
+            if sub_dict.has_key('PASSWORD'):
+                nologlist = sub_dict['PASSWORD'],
+
        if self.dm_password:
            [pw_fd, pw_name] = tempfile.mkstemp()
            os.write(pw_fd, self.dm_password)
@ -143,7 +148,7 @@ class Service:

        try:
            try:
-                ipautil.run(args)
+                ipautil.run(args, nolog=nologlist)
            except ipautil.CalledProcessError, e:
                logging.critical("Failed to load %s: %s" % (ldif, str(e)))
        finally: