https://fedorahosted.org/freeipa/ticket/2796 -- David Kupka
From c0fb9fe49a8b7eb190414571df211c87ba9c3166 Mon Sep 17 00:00:00 2001
From: David Kupka <dku...@redhat.com>
Date: Fri, 18 Jul 2014 10:06:55 +0200
Subject: [PATCH] Improve password validity check.
Allow use of characters that no longer cause troubles. Check for leading and trailing characters in case of 389 Direcory Manager password. https://fedorahosted.org/freeipa/ticket/2796
---
 install/tools/ipa-server-install | 34 ++++++++++++++++++++++++++++++++--
 1 file changed, 32 insertions(+), 2 deletions(-)
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 671a226d625ab9e8168c569a6d83c35dfae52115..5b107c3ff3b61f87c30561a1aeed5ab65cf0bf27 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -121,7 +121,37 @@ def validate_dm_password(password):
 raise ValueError("Password must only contain ASCII characters")
 
 # Disallow characters that pkisilent doesn't process properly:
- bad_characters = ' &\\<%'
+ bad_characters = '\\'
+ if any(c in bad_characters for c in password):
+ raise ValueError('Password must not contain these characters: %s' %
+ ', '.join('"%s"' % c for c in bad_characters))
+
+ # TODO: Check https://fedorahosted.org/389/ticket/47849
+ # Actual behavior of setup-ds.pl is that it does not accept white
+ # space characters in password when called interactively but does when
+ # provided such password in INF file. But it ignores leading and trailing
+ # white spaces in INF file.
+
+ # Disallow leading spaces (other white spaces are checked before)
+ bad_prefix = ' '
+ if password.startswith(bad_prefix):
+ raise ValueError('Password must not start with %s.' % bad_prefix)
+
+ # Disallow trailing spaces (other white spaces are checked before)
+ bad_suffix = ' '
+ if password.endswith(bad_suffix):
+ raise ValueError('Password must not end with %s.' % bad_prefix)
+
+def validate_admin_password(password):
+ if len(password) < 8:
+ raise ValueError("Password must be at least 8 characters long")
+ if any(ord(c) < 0x20 for c in password):
+ raise ValueError("Password must not contain control characters")
+ if any(ord(c) >= 0x7F for c in password):
+ raise ValueError("Password must only contain ASCII characters")
+
+ # Disallow characters that pkisilent doesn't process properly:
+ bad_characters = '\\'
 if any(c in bad_characters for c in password):
 raise ValueError('Password must not contain these characters: %s' %
 ', '.join('"%s"' % c for c in bad_characters))
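Review bot: The trailing-space branch at the end of validate_dm_password formats its error with `bad_prefix` instead of `bad_suffix`, and both new messages interpolate a bare space, so the user sees nothing visible to act on. Wording such as `raise ValueError('Password must not end with a space.')`, with the matching text for the leading case, would be clearer. The new validate_admin_password appears to repeat the control-character, ASCII and backslash checks, and the backslash block is visibly duplicated in this hunk, so a shared helper called by both validators would keep the two policies from drifting apart. Because this change starts accepting space, `&`, `<` and `%`, a comment or test should record which downstream consumers were confirmed to handle them, since the surviving comment still names only pkisilent. validate_dm_password begins above the hunk, so the earlier whitespace check that the new comments refer to is not visible here.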
@@ -450,7 +480,7 @@ def read_admin_password():
 print "This user is a regular system account used for IPA server administration."
 print ""
 #TODO: provide the option of generating a random password
- admin_password = read_password("IPA admin")
+ admin_password = read_password("IPA admin", validator=validate_admin_password)
 return admin_password
 
 def check_dirsrv(unattended):
-- 1.9.3
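Review bot: Only the interactive prompt in read_admin_password gets the new validator, so an admin password supplied non-interactively would skip validate_admin_password unless the option-handling code, which is not visible in this hunk, calls it as well. The `check_dirsrv(unattended)` context line suggests such a mode exists. Calling the same validator at every point where the password can enter keeps the control-character and backslash rules from being bypassed simply by choosing the unattended path. read_admin_password starts above the hunk.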