From e73efb9a9000c2efb73297340c6268d59a11b6fc Mon Sep 17 00:00:00 2001
From: Martin Kosek
Date: Tue, 18 Jan 2011 12:31:16 +0100
Subject: [PATCH] Password generation and logging in ipa-server-install

When a randomly generated password contains a space character as the first or the last character, installation fails on kdb5_ldap_util calling, which does not accept that. This patch fixes the generator to generate space only on allowed position. This patch also ensures that no password is printed to server install log. https://fedorahosted.org/freeipa/ticket/731

---
 ipapython/ipautil.py | 13 +++++++++++--
 ipaserver/install/krbinstance.py | 2 +-
 ipaserver/install/service.py | 7 ++++++-
 3 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 77c838e80..8ce8bb970 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -20,6 +20,8 @@ SHARE_DIR = "/usr/share/ipa/"
 PLUGINS_SHARE_DIR = "/usr/share/ipa/plugins"
+GEN_PWD_LEN = 12
+
 import string
 import tempfile
 import logging
@@ -422,8 +424,15 @@ def parse_generalized_time(timestr):
 def ipa_generate_password():
 rndpwd = ''
 r = random.SystemRandom()
- for x in range(12):
- rndpwd += chr(r.randint(32,126))
+ for x in range(GEN_PWD_LEN):
+ # do not generate space (chr(32)) as the first or last character
+ if x == 0 or x == (GEN_PWD_LEN-1):
+ rndchar = chr(r.randint(33,126))
+ else:
+ rndchar = chr(r.randint(32,126))
+
+ rndpwd += rndchar
+
 return rndpwd
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index d89ad0b33..e7c111637 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
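Review bot: The rewritten loop bakes `GEN_PWD_LEN` into both the `range` bound and the edge-position test, keeps the two `randint` bounds as magic numbers, and adds no docstring explaining why the edge characters are restricted; a `length=GEN_PWD_LEN` parameter keeps every existing caller unchanged and makes the edge rule testable for short lengths, and collecting characters into a list joined once avoids the repeated string concatenation. One caveat worth confirming, since the same patch masks a `PASSWORD` template key in service.py: if this value is ever substituted raw into an LDIF template, LDIF requires base64 encoding for values that begin with `:` or `<` (as well as a space), and `chr(r.randint(33,126))` can still place `:` or `<` first. `random.SystemRandom()` is the right source and should stay.
```python
def ipa_generate_password(length=GEN_PWD_LEN):
    """Return a random password of ``length`` printable ASCII characters.

    The first and last character are never a space (chr(32)):
    kdb5_ldap_util rejects passwords with leading or trailing whitespace.
    """
    r = random.SystemRandom()
    chars = []
    for pos in range(length):
        # edge positions draw from 33..126, every other position from 32..126
        if pos == 0 or pos == length - 1:
            chars.append(chr(r.randint(33, 126)))
        else:
            chars.append(chr(r.randint(32, 126)))
    return ''.join(chars)
```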
@@ -335,7 +335,7 @@ class KrbInstance(service.Service):
 #populate the directory with the realm structure
 args = ["kdb5_ldap_util", "-D", "uid=kdc,cn=sysaccounts,cn=etc,"+self.suffix, "-w", self.kdc_password, "create", "-s", "-P", self.master_password, "-r", self.realm, "-subtrees", self.suffix, "-sscope", "sub"]
 try:
- ipautil.run(args)
+ ipautil.run(args, nolog=(self.kdc_password, self.master_password))
 except ipautil.CalledProcessError, e:
 print "Failed to populate the realm structure in kerberos", e
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 27c55618e..ef3becdf3 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -124,12 +124,17 @@ class Service:
 fd = None
 path = ipautil.SHARE_DIR + ldif
 hostname = installutils.get_fqdn()
+ nologlist=()
 if sub_dict is not None:
 txt = ipautil.template_file(path, sub_dict)
 fd = ipautil.write_tmp_file(txt)
 path = fd.name
+ # do not log passwords
+ if sub_dict.has_key('PASSWORD'):
+ nologlist = sub_dict['PASSWORD'],
+
 if self.dm_password:
 [pw_fd, pw_name] = tempfile.mkstemp()
 os.write(pw_fd, self.dm_password)
@@ -143,7 +148,7 @@ class Service:
 try:
 try:
- ipautil.run(args)
+ ipautil.run(args, nolog=nologlist)
 except ipautil.CalledProcessError, e:
 logging.critical("Failed to load %s: %s" % (ldif, str(e)))
 finally:
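Review bot: Passing `nolog=(self.kdc_password, self.master_password)` keeps both secrets out of the install log, but `args` still carries them as the `-w` and `-P` command-line values, and a process's argument list is readable by other local users for as long as `kdb5_ldap_util` runs. If the tool can take either secret from a prompt, stdin or a stash file (not visible here, so check its documentation), that path removes the residual exposure; otherwise record it with a comment such as `# NOTE: both passwords stay visible in the kdb5_ldap_util argument list while it runs`. How `nolog` is applied (substring masking, handling of an empty or very short password) lives in `ipautil.run`, which this patch does not change, so that behaviour is worth confirming. The enclosing method starts before this hunk.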
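Review bot: `nologlist = sub_dict['PASSWORD'],` relies on a trailing comma to build a one-element tuple, which reads like a stray comma and is easy to break in a later edit; write it as `nologlist = (sub_dict['PASSWORD'],)` and the initialiser as `nologlist = ()`. `sub_dict.has_key('PASSWORD')` can be `'PASSWORD' in sub_dict`, the idiomatic spelling that also survives a Python 3 port. Only the `PASSWORD` substitution is masked: if any other template key ever carries a secret, it would still reach the log through `run()`, which deserves a comment at the `nologlist` assignment. The enclosing method starts and ends outside this hunk.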