Password generation and logging in ipa-server-install

When a randomly generated password contains a space character
as the first or the last character, installation fails when
kdb5_ldap_util is called, since it does not accept such a password.
This patch fixes the generator so that a space is generated only at allowed positions.

This patch also ensures that no password is printed to
server install log.

https://fedorahosted.org/freeipa/ticket/731
Martin Kosek 2011-01-18 12:31:16 +01:00 committed by Simo Sorce
parent 38bce669da
commit e73efb9a90
3 changed files with 18 additions and 4 deletions


@ -20,6 +20,8 @@
SHARE_DIR = "/usr/share/ipa/" SHARE_DIR = "/usr/share/ipa/"
PLUGINS_SHARE_DIR = "/usr/share/ipa/plugins" PLUGINS_SHARE_DIR = "/usr/share/ipa/plugins"
GEN_PWD_LEN = 12
import string import string
import tempfile import tempfile
import logging import logging
@ -422,8 +424,15 @@ def parse_generalized_time(timestr):
def ipa_generate_password(): def ipa_generate_password():
rndpwd = '' rndpwd = ''
r = random.SystemRandom() r = random.SystemRandom()
for x in range(12): for x in range(GEN_PWD_LEN):
rndpwd += chr(r.randint(32,126)) # do not generate space (chr(32)) as the first or last character
if x == 0 or x == (GEN_PWD_LEN-1):
rndchar = chr(r.randint(33,126))
else:
rndchar = chr(r.randint(32,126))
rndpwd += rndchar
return rndpwd return rndpwd
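Review bot: `ipa_generate_password` still has no docstring, and the reason for the `33` lower bound lives only in a loop comment; a one-line docstring would state the contract for callers: `"""Return GEN_PWD_LEN random printable-ASCII characters (0x20-0x7E) with no leading or trailing space, which kdb5_ldap_util rejects."""`. The per-iteration branch can be collapsed to a bound selection, `low = 33 if x in (0, GEN_PWD_LEN - 1) else 32` followed by `rndpwd += chr(r.randint(low, 126))`, which reads the same and keeps a single `chr()` call. In the first hunk `GEN_PWD_LEN` is placed between the `*_DIR` constants and the `import` lines; grouping it with the other module constants after the imports would match PEP 8. `random.SystemRandom()` remains the right source for this value.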


@ -335,7 +335,7 @@ class KrbInstance(service.Service):
#populate the directory with the realm structure #populate the directory with the realm structure
args = ["kdb5_ldap_util", "-D", "uid=kdc,cn=sysaccounts,cn=etc,"+self.suffix, "-w", self.kdc_password, "create", "-s", "-P", self.master_password, "-r", self.realm, "-subtrees", self.suffix, "-sscope", "sub"] args = ["kdb5_ldap_util", "-D", "uid=kdc,cn=sysaccounts,cn=etc,"+self.suffix, "-w", self.kdc_password, "create", "-s", "-P", self.master_password, "-r", self.realm, "-subtrees", self.suffix, "-sscope", "sub"]
try: try:
ipautil.run(args) ipautil.run(args, nolog=(self.kdc_password, self.master_password))
except ipautil.CalledProcessError, e: except ipautil.CalledProcessError, e:
print "Failed to populate the realm structure in kerberos", e print "Failed to populate the realm structure in kerberos", e
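Review bot: `nolog` keeps both passwords out of the install log, but the `print "Failed to populate the realm structure in kerberos", e` line still emits whatever `CalledProcessError` stringifies; if that message includes the command line (not visible here), both secrets would reach stdout, so it is worth confirming that the exception text is built from the redacted arguments. Independently of logging, `-w self.kdc_password` and `-P self.master_password` are still passed on argv, which other local users can read for the lifetime of the process; if kdb5_ldap_util can take them from a file or stdin, that would be the stronger fix. The same concern applies to the second hunk of service.py, where `logging.critical("Failed to load %s: %s" % (ldif, str(e)))` follows a `nolog` run. The enclosing method begins outside this hunk.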


@ -124,12 +124,17 @@ class Service:
fd = None fd = None
path = ipautil.SHARE_DIR + ldif path = ipautil.SHARE_DIR + ldif
hostname = installutils.get_fqdn() hostname = installutils.get_fqdn()
nologlist=()
if sub_dict is not None: if sub_dict is not None:
txt = ipautil.template_file(path, sub_dict) txt = ipautil.template_file(path, sub_dict)
fd = ipautil.write_tmp_file(txt) fd = ipautil.write_tmp_file(txt)
path = fd.name path = fd.name
# do not log passwords
if sub_dict.has_key('PASSWORD'):
nologlist = sub_dict['PASSWORD'],
if self.dm_password: if self.dm_password:
[pw_fd, pw_name] = tempfile.mkstemp() [pw_fd, pw_name] = tempfile.mkstemp()
os.write(pw_fd, self.dm_password) os.write(pw_fd, self.dm_password)
@ -143,7 +148,7 @@ class Service:
try: try:
try: try:
ipautil.run(args) ipautil.run(args, nolog=nologlist)
except ipautil.CalledProcessError, e: except ipautil.CalledProcessError, e:
logging.critical("Failed to load %s: %s" % (ldif, str(e))) logging.critical("Failed to load %s: %s" % (ldif, str(e)))
finally: finally:
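Review bot: `nologlist = sub_dict['PASSWORD'],` relies on a trailing comma to build the one-element tuple, which is easy to misread or to lose in a later edit; `nologlist = (sub_dict['PASSWORD'],)` makes the intent explicit. Only the `PASSWORD` substitution is redacted, so any other value in `sub_dict` that holds a secret would still be logged if it ends up in `args`; a comment naming that assumption, `# only the PASSWORD substitution is treated as secret`, would make the limit visible to later callers. `sub_dict.has_key('PASSWORD')` can be written `'PASSWORD' in sub_dict`, which this Python 2 code base supports as well. The enclosing method starts before the first hunk and continues past the second.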