On 07/18/2014 12:52 PM, Martin Kosek wrote:
On 07/18/2014 12:33 PM, David Kupka wrote:
https://fedorahosted.org/freeipa/ticket/2796

1) Would it be easier/more convenient to just implement following simple check
instead of bad_prefix/bad_suffix?

if password.strip() != password:
    raise ValueError('Password must not start or end with whitespace')


Yes it would. Edited patch attached.


2) The main goal of the ticket 2796 was not fixed yet. It sometimes happens that
when installation crashes somewhere right after pkicreate, it does not record
and does not uninstall the PKI component during "ipa-server-install
--uninstall".

You may artificially invoke some crash in cainstance.py after pkicreate to test
it. When fixing it, check how is_configured() in Service object works and how
self.backup_state is called in other service modules (like dsinstance.py) where
the detection works correctly.

You're completely right, Martin. I was unable to reproduce the bug (to force pkicreate/pkispawn to fail) so I thought that it was fixed by the password restriction. Then I discovered that most of the banned characters for password are no longer causing troubles and focused on this. But it's yet another issue.


Martin


--
David Kupka
From e9985196820757e61b07eb6470b6dec66502f497 Mon Sep 17 00:00:00 2001
From: David Kupka <dku...@redhat.com>
Date: Mon, 21 Jul 2014 15:53:07 +0200
Subject: [PATCH] Improve password validity check.

Allow use of characters that no longer cause troubles. Check for
leading and trailing characters in case of 389 Directory Manager password.
---
 install/tools/ipa-server-install | 28 ++++++++++++++++++++++++++--
 1 file changed, 26 insertions(+), 2 deletions(-)

diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 671a226d625ab9e8168c569a6d83c35dfae52115..e05b5fce7b77059cac2ad2318827c1df3ee5706b 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -121,7 +121,31 @@ def validate_dm_password(password):
         raise ValueError("Password must only contain ASCII characters")
 
     # Disallow characters that pkisilent doesn't process properly:
-    bad_characters = ' &\\<%'
+    bad_characters = '\\'
+    if any(c in bad_characters for c in password):
+        raise ValueError('Password must not contain these characters: %s' %
+            ', '.join('"%s"' % c for c in bad_characters))
+
+    # TODO: Check https://fedorahosted.org/389/ticket/47849
+    # Actual behavior of setup-ds.pl is that it does not accept white
+    # space characters in password when called interactively but does when
+    # provided such password in INF file. But it ignores leading and trailing
+    # white spaces in INF file.
+
+    # Disallow leading/trailing whaitespaces 
+    if password.strip() != password:
+        raise ValueError('Password must not start or end with whitespace.')
+
+def validate_admin_password(password):
+    if len(password) < 8:
+        raise ValueError("Password must be at least 8 characters long")
+    if any(ord(c) < 0x20 for c in password):
+        raise ValueError("Password must not contain control characters")
+    if any(ord(c) >= 0x7F for c in password):
+        raise ValueError("Password must only contain ASCII characters")
+
+    # Disallow characters that pkisilent doesn't process properly:
+    bad_characters = '\\'
     if any(c in bad_characters for c in password):
         raise ValueError('Password must not contain these characters: %s' %
             ', '.join('"%s"' % c for c in bad_characters))
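Review bot: validate_admin_password (the new function at the end of this hunk) repeats the length, control-character, ASCII and bad_characters checks of validate_dm_password verbatim; move the shared checks into one helper called from both functions so the two lists cannot drift apart, and fix the typo and trailing space in the comment `# Disallow leading/trailing whaitespaces `. The copied comment `# Disallow characters that pkisilent doesn't process properly:` may not hold for the admin password; confirm that the admin password is passed to pkisilent at all, otherwise state the real reason for banning the backslash there. Since control characters are already rejected a few lines above, password.strip() can only ever trim plain spaces at this point, so the message "Password must not start or end with whitespace." could say "space" to match what the check actually catches.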
@@ -450,7 +474,7 @@ def read_admin_password():
     print "This user is a regular system account used for IPA server administration."
     print ""
     #TODO: provide the option of generating a random password
-    admin_password = read_password("IPA admin")
+    admin_password = read_password("IPA admin", validator=validate_admin_password)
     return admin_password
 
 def check_dirsrv(unattended):
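Review bot: this hunk attaches validate_admin_password to the interactive read_password() path only; check that the unattended path, where the admin password is supplied on the command line instead of prompted, runs the same validator, otherwise a leading/trailing space or a backslash is still accepted there. The commit message also mentions only the Directory Manager password; add a line saying the IPA admin password is now validated as well, since that changes what ipa-server-install accepts from users.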
-- 
1.9.3

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
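Martin's second point above is about ordering: if the installer records that the CA is installed only after pkicreate returns, a crash inside pkicreate leaves nothing for "ipa-server-install --uninstall" to detect. The following is an added example, not FreeIPA code, that models this with a toy Service class. The names backup_state, restore_state and is_configured follow the thread, but their bodies, the in-memory state dict standing in for the state file, the pkicreate stand-in and the service name "pki-cad" are assumptions made for illustration.

```python
# Added example, not FreeIPA code: a toy model of the install-state pattern
# the thread discusses. backup_state/restore_state/is_configured mirror the
# names used in the thread; their bodies, the in-memory state dict, the
# pkicreate stand-in and the service name are assumptions for illustration.


class PkiCreateFailed(RuntimeError):
    """Raised by the pkicreate stand-in when the external step crashes."""


def pkicreate(crash):
    """Stand-in for the external pkicreate/pkispawn invocation."""
    if crash:
        raise PkiCreateFailed("pkicreate exited with a non-zero status")


class Service(object):
    """Minimal model of an installable service with persisted state.

    The real installer keeps this in a state file on disk; here a plain
    dict shared by install and uninstall stands in for that file.
    """

    def __init__(self, name, state_store):
        self.name = name
        self._state = state_store

    def backup_state(self, key, value):
        self._state.setdefault(self.name, {})[key] = value

    def restore_state(self, key):
        return self._state.get(self.name, {}).pop(key, None)

    def is_configured(self):
        # Uninstall trusts this flag alone to decide whether to clean up.
        return bool(self._state.get(self.name, {}).get("installed"))


class CAInstanceRecordsLate(Service):
    """The buggy ordering: state is written only after pkicreate returns."""

    def install(self, crash=False):
        pkicreate(crash)                      # may raise
        self.backup_state("installed", True)  # never reached on a crash


class CAInstanceRecordsEarly(Service):
    """The fix: record the state first, then run the fallible step."""

    def install(self, crash=False):
        self.backup_state("installed", True)
        pkicreate(crash)                      # a crash still leaves the flag


def uninstall(service):
    """Return True if the service was recognised and cleaned up."""
    if not service.is_configured():
        return False
    # Real code would remove the PKI instance and its files here.
    service.restore_state("installed")
    return True


def simulate(service_cls, crash):
    """Install (optionally crashing inside pkicreate), then uninstall.

    Returns (configured_after_install, cleanup_performed).
    """
    state = {}
    svc = service_cls("pki-cad", state)
    try:
        svc.install(crash=crash)
    except PkiCreateFailed:
        pass  # the installer died after pkicreate had started
    return svc.is_configured(), uninstall(svc)


if __name__ == "__main__":
    print("late, crash  :", simulate(CAInstanceRecordsLate, crash=True))
    print("early, crash :", simulate(CAInstanceRecordsEarly, crash=True))
```

With the late ordering a crash yields (False, False): the service looks unconfigured and uninstall skips it, which is the symptom from ticket 2796. With the early ordering the same crash yields (True, True): the flag survives and uninstall cleans up. Without a crash both orderings behave identically, which is why the bug is easy to miss in normal testing.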
