When a randomly generated password contains a space character
as the first or the last character, installation fails when
kdb5_ldap_util is called, because it does not accept such a password. This patch
fixes the generator so that a space is generated only in allowed positions.

This patch also ensures that no password is printed to
the server install log.

https://fedorahosted.org/freeipa/ticket/731

>From a669e023bd5956da93395b752fa1f888b30c8d5a Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Tue, 18 Jan 2011 12:31:16 +0100
Subject: [PATCH] Password generation and logging in ipa-server-install

When a randomly generated password contains a space character
as the first or the last character, installation fails when
kdb5_ldap_util is called, because it does not accept such a password. This patch
fixes the generator so that a space is generated only in allowed positions.

This patch also ensures that no password is printed to
the server install log.

https://fedorahosted.org/freeipa/ticket/731
---
 ipapython/ipautil.py             |   13 +++++++++++--
 ipaserver/install/krbinstance.py |    2 +-
 ipaserver/install/service.py     |    7 ++++++-
 3 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 77c838e80baf03eb9f6101580f8c17537060c48d..8ce8bb9703e9b8aa734041cfbd53e04f8819b7c0 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -20,6 +20,8 @@
 SHARE_DIR = "/usr/share/ipa/"
 PLUGINS_SHARE_DIR = "/usr/share/ipa/plugins"
 
+GEN_PWD_LEN = 12
+
 import string
 import tempfile
 import logging
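Review bot: `GEN_PWD_LEN = 12` is inserted above the module's `import` lines, which breaks the usual layout (imports first, then constants) and separates it from the other module constants that precede it only by accident of placement. Move it below the import block and say what it governs, e.g. `GEN_PWD_LEN = 12  # length of passwords returned by ipa_generate_password()`, so a reader changing it knows which callers are affected. This is a style point only; the value itself is unchanged from the previous hard-coded 12.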
@@ -422,8 +424,15 @@ def parse_generalized_time(timestr):
 def ipa_generate_password():
     rndpwd = ''
     r = random.SystemRandom()
-    for x in range(12):
-        rndpwd += chr(r.randint(32,126))
+    for x in range(GEN_PWD_LEN):
+        # do not generate space (chr(32)) as the first or last character
+        if x == 0 or x == (GEN_PWD_LEN-1):
+            rndchar = chr(r.randint(33,126))
+        else:
+            rndchar = chr(r.randint(32,126))
+
+        rndpwd += rndchar
+
     return rndpwd
 
 
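Review bot: ipa_generate_password has no docstring, and the new first/last-character rule is exactly the contract a caller such as the kdb5_ldap_util invocation depends on, so it belongs on the function rather than only in the loop comment. A docstring along the lines of `"""Return a GEN_PWD_LEN-character password of printable ASCII (0x20-0x7E) drawn from random.SystemRandom(); a space is never the first or last character because kdb5_ldap_util rejects it."""` records that. The boundary test `x == 0 or x == (GEN_PWD_LEN-1)` is correct for any positive length, and the use of SystemRandom rather than the default PRNG is the right choice for a credential; the per-character `rndpwd += rndchar` could collect into a list and `''.join` it, but that is cosmetic.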
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index d89ad0b3348d3e2216627cc78c0d056cea11b0fd..e7c1116377a66954ecf4c024510e6d9dd79ba69d 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -335,7 +335,7 @@ class KrbInstance(service.Service):
             #populate the directory with the realm structure
             args = ["kdb5_ldap_util", "-D", "uid=kdc,cn=sysaccounts,cn=etc,"+self.suffix, "-w", self.kdc_password, "create", "-s", "-P", self.master_password, "-r", self.realm, "-subtrees", self.suffix, "-sscope", "sub"]
             try:
-                ipautil.run(args)
+                ipautil.run(args, nolog=(self.kdc_password, self.master_password))
             except ipautil.CalledProcessError, e:
                 print "Failed to populate the realm structure in kerberos", e
 
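Review bot: The `except` branch still does `print "Failed to populate the realm structure in kerberos", e`, and if ipautil.CalledProcessError's string form includes the failed command line (args here carries self.kdc_password and self.master_password in clear), a failed kdb5_ldap_util run would print both passwords on the very path the new `nolog=` argument is meant to protect. Printing a fixed message, or the exit status alone if the exception exposes it, avoids that. The same pattern is in the second service.py hunk, where `logging.critical("Failed to load %s: %s" % (ldif, str(e)))` writes `str(e)` to the install log. Whether `nolog` is an existing parameter of ipautil.run cannot be confirmed from this patch, which does not touch run(); the enclosing method starts and ends outside the hunk.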
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 27c55618e70cbdc2c76d012739733eba705924f0..ef3becdf38c01f94fd82e4d1dd7c3e5cde9cce5a 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -124,12 +124,17 @@ class Service:
         fd = None
         path = ipautil.SHARE_DIR + ldif
         hostname = installutils.get_fqdn()
+        nologlist=()
 
         if sub_dict is not None:
             txt = ipautil.template_file(path, sub_dict)
             fd = ipautil.write_tmp_file(txt)
             path = fd.name
 
+            # do not log passwords
+            if sub_dict.has_key('PASSWORD'):
+                nologlist = sub_dict['PASSWORD'],
+
         if self.dm_password:
             [pw_fd, pw_name] = tempfile.mkstemp()
             os.write(pw_fd, self.dm_password)
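Review bot: `nologlist = sub_dict['PASSWORD'],` builds a one-element tuple through a trailing comma, which is easy to misread and easy to "fix" into a plain string that would then be passed to `nolog` as a non-tuple; write it explicitly as `nologlist = (sub_dict['PASSWORD'],)` and `nologlist = ()` with spaces around `=` to match the surrounding code. Only the `PASSWORD` key is masked, so any other secret-bearing substitution in sub_dict would still reach the log; the comment should say so: `# do not log the template password (only the PASSWORD key is masked)`. `'PASSWORD' in sub_dict` is the preferred spelling of the `has_key` test. The enclosing method starts before the hunk.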
@@ -143,7 +148,7 @@ class Service:
 
         try:
             try:
-                ipautil.run(args)
+                ipautil.run(args, nolog=nologlist)
             except ipautil.CalledProcessError, e:
                 logging.critical("Failed to load %s: %s" % (ldif, str(e)))
         finally:
-- 
1.7.3.4
