On 29.07.2016 17:09, Alexander Bokovoy wrote:
On Fri, 29 Jul 2016, Martin Basti wrote:
https://fedorahosted.org/freeipa/ticket/6116


Patch attached


From ca5305e032137b7c9197d0c1050191079a72124e Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Fri, 22 Jul 2016 16:41:29 +0200
Subject: [PATCH] Increase default length of auto generated passwords

Installer/IPA generates passwords for warious purpose:
* KRA
* kerberos master key
* NSSDB password
* temporary passwords during installation

Length of passwords should be increased to 22, ~128bits of entropy, to
be safe nowadays.

https://fedorahosted.org/freeipa/ticket/6116
ACK with a minor comment.

---
ipapython/ipautil.py           | 2 +-
ipaserver/plugins/baseuser.py  | 3 ++-
ipaserver/plugins/host.py      | 3 ++-
ipaserver/plugins/stageuser.py | 3 ++-
ipaserver/plugins/user.py      | 3 ++-
5 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 9964fba4f694b57242b3bd3065a418917d977533..ca7e81d666cd6c345bdbbf4660c3451ac1f2c045 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -57,7 +57,7 @@ from ipapython.dn import DN
SHARE_DIR = paths.USR_SHARE_IPA_DIR
PLUGINS_SHARE_DIR = paths.IPA_PLUGINS

-GEN_PWD_LEN = 12
+GEN_PWD_LEN = 22
It would be good to add a temporary password constant too
+GEN_TMP_PWD_LEN = 12

and then use it instead of pwd_len=12 below.

# Having this in krb_utils would cause circular import
KRB5_KDC_UNREACH = 2529639068 # Cannot contact any KDC for requested realm diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py index e4288a5a131157815ffb2452692a7edb342f6ac3..5e0752c8d3d246fa7c283f05b82ef01de2e5bf34 100644
--- a/ipaserver/plugins/baseuser.py
+++ b/ipaserver/plugins/baseuser.py
@@ -552,7 +552,8 @@ class baseuser_mod(LDAPUpdate):

    def check_userpassword(self, entry_attrs, **options):
        if 'userpassword' not in entry_attrs and options.get('random'):
- entry_attrs['userpassword'] = ipa_generate_password(baseuser_pwdchars)
+            entry_attrs['userpassword'] = ipa_generate_password(
+                baseuser_pwdchars, pwd_len=12)
            # save the password so it can be displayed in post_callback
setattr(context, 'randompassword', entry_attrs['userpassword'])

diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
index 413dcf15e0423170d8334902b9dcf8fb5aa14de6..1cefb6224e1a6dad0080369edee35c4524e5bd39 100644
--- a/ipaserver/plugins/host.py
+++ b/ipaserver/plugins/host.py
@@ -683,7 +683,8 @@ class host_add(LDAPCreate):
            if 'krbprincipal' in entry_attrs['objectclass']:
entry_attrs['objectclass'].remove('krbprincipal')
        if options.get('random'):
- entry_attrs['userpassword'] = ipa_generate_password(characters=host_pwd_chars)
+            entry_attrs['userpassword'] = ipa_generate_password(
+                characters=host_pwd_chars, pwd_len=12)
            # save the password so it can be displayed in post_callback
setattr(context, 'randompassword', entry_attrs['userpassword'])
        certs = options.get('usercertificate', [])
diff --git a/ipaserver/plugins/stageuser.py b/ipaserver/plugins/stageuser.py index 3b9388f6020b9a6c40caedd36f3640a05a13da65..6df189c3913171b4990ce115b296b19c7447592d 100644
--- a/ipaserver/plugins/stageuser.py
+++ b/ipaserver/plugins/stageuser.py
@@ -339,7 +339,8 @@ class stageuser_add(baseuser_add):

        # If requested, generate a userpassword
        if 'userpassword' not in entry_attrs and options.get('random'):
- entry_attrs['userpassword'] = ipa_generate_password(baseuser_pwdchars)
+            entry_attrs['userpassword'] = ipa_generate_password(
+                baseuser_pwdchars, pwd_len=12)
            # save the password so it can be displayed in post_callback
setattr(context, 'randompassword', entry_attrs['userpassword'])

diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
index b3ae7646fdcfa1dce10d90063dae2a24c091e8ee..62ec529062c7ac39661df2a8c3d2277711268b11 100644
--- a/ipaserver/plugins/user.py
+++ b/ipaserver/plugins/user.py
@@ -517,7 +517,8 @@ class user_add(baseuser_add):
                entry_attrs['gidnumber'] = group_attrs['gidnumber']

        if 'userpassword' not in entry_attrs and options.get('random'):
- entry_attrs['userpassword'] = ipa_generate_password(baseuser_pwdchars)
+            entry_attrs['userpassword'] = ipa_generate_password(
+                baseuser_pwdchars, pwd_len=12)
            # save the password so it can be displayed in post_callback
setattr(context, 'randompassword', entry_attrs['userpassword'])

--
2.5.5


--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Thanks
Updated patch attached

Martin^2
From 81beb652bc81a8e73876f876507a7dabd338667b Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Fri, 22 Jul 2016 16:41:29 +0200
Subject: [PATCH] Increase default length of auto generated passwords

Installer/IPA generates passwords for warious purpose:
* KRA
* kerberos master key
* NSSDB password
* temporary passwords during installation

Length of passwords should be increased to 22, ~128bits of entropy, to
be safe nowadays.

https://fedorahosted.org/freeipa/ticket/6116
---
 ipapython/ipautil.py           | 3 ++-
 ipaserver/plugins/baseuser.py  | 5 +++--
 ipaserver/plugins/host.py      | 9 +++++++--
 ipaserver/plugins/stageuser.py | 5 +++--
 ipaserver/plugins/user.py      | 5 +++--
 5 files changed, 18 insertions(+), 9 deletions(-)

diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 17d92b06ffa22019de198b59611585cb3f0b7f42..9536543556775a2cc9f9f8205e21bb995e202fe1 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -57,7 +57,8 @@ from ipapython.dn import DN
 SHARE_DIR = paths.USR_SHARE_IPA_DIR
 PLUGINS_SHARE_DIR = paths.IPA_PLUGINS
 
-GEN_PWD_LEN = 12
+GEN_PWD_LEN = 22
+GEN_TMP_PWD_LEN = 12  # only for OTP password that is manually retyped by user
 
 # Having this in krb_utils would cause circular import
 KRB5_KDC_UNREACH = 2529639068 # Cannot contact any KDC for requested realm
diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
index e4288a5a131157815ffb2452692a7edb342f6ac3..5e36a6620295351d4745bfc035f24349f8fb8295 100644
--- a/ipaserver/plugins/baseuser.py
+++ b/ipaserver/plugins/baseuser.py
@@ -34,7 +34,7 @@ from ipaserver.plugins.service import (
 from ipalib.request import context
 from ipalib import _
 from ipapython import kerberos
-from ipapython.ipautil import ipa_generate_password
+from ipapython.ipautil import ipa_generate_password, GEN_TMP_PWD_LEN
 from ipapython.ipavalidate import Email
 from ipalib.util import (
     normalize_sshpubkey,
@@ -552,7 +552,8 @@ class baseuser_mod(LDAPUpdate):
 
     def check_userpassword(self, entry_attrs, **options):
         if 'userpassword' not in entry_attrs and options.get('random'):
-            entry_attrs['userpassword'] = ipa_generate_password(baseuser_pwdchars)
+            entry_attrs['userpassword'] = ipa_generate_password(
+                baseuser_pwdchars, pwd_len=GEN_TMP_PWD_LEN)
             # save the password so it can be displayed in post_callback
             setattr(context, 'randompassword', entry_attrs['userpassword'])
 
diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
index 413dcf15e0423170d8334902b9dcf8fb5aa14de6..03c64c637cbba0aee1b6569f3b5dbe200953bff8 100644
--- a/ipaserver/plugins/host.py
+++ b/ipaserver/plugins/host.py
@@ -59,7 +59,11 @@ from ipalib.util import (normalize_sshpubkey, validate_sshpubkey_no_options,
     hostname_validator,
     set_krbcanonicalname
 )
-from ipapython.ipautil import ipa_generate_password, CheckedIPAddress
+from ipapython.ipautil import (
+    ipa_generate_password,
+    CheckedIPAddress,
+    GEN_TMP_PWD_LEN
+)
 from ipapython.dnsutil import DNSName
 from ipapython.ssh import SSHPublicKey
 from ipapython.dn import DN
@@ -683,7 +687,8 @@ class host_add(LDAPCreate):
             if 'krbprincipal' in entry_attrs['objectclass']:
                 entry_attrs['objectclass'].remove('krbprincipal')
         if options.get('random'):
-            entry_attrs['userpassword'] = ipa_generate_password(characters=host_pwd_chars)
+            entry_attrs['userpassword'] = ipa_generate_password(
+                characters=host_pwd_chars, pwd_len=GEN_TMP_PWD_LEN)
             # save the password so it can be displayed in post_callback
             setattr(context, 'randompassword', entry_attrs['userpassword'])
         certs = options.get('usercertificate', [])
diff --git a/ipaserver/plugins/stageuser.py b/ipaserver/plugins/stageuser.py
index 3b9388f6020b9a6c40caedd36f3640a05a13da65..a219e3dace6da5e9c036122e9710b2acaaa42ebf 100644
--- a/ipaserver/plugins/stageuser.py
+++ b/ipaserver/plugins/stageuser.py
@@ -47,7 +47,7 @@ from ipalib.util import set_krbcanonicalname
 from ipalib import _, ngettext
 from ipalib import output
 from ipaplatform.paths import paths
-from ipapython.ipautil import ipa_generate_password
+from ipapython.ipautil import ipa_generate_password, GEN_TMP_PWD_LEN
 from ipalib.capabilities import client_has_capability
 
 if six.PY3:
@@ -339,7 +339,8 @@ class stageuser_add(baseuser_add):
 
         # If requested, generate a userpassword
         if 'userpassword' not in entry_attrs and options.get('random'):
-            entry_attrs['userpassword'] = ipa_generate_password(baseuser_pwdchars)
+            entry_attrs['userpassword'] = ipa_generate_password(
+                baseuser_pwdchars, pwd_len=GEN_TMP_PWD_LEN)
             # save the password so it can be displayed in post_callback
             setattr(context, 'randompassword', entry_attrs['userpassword'])
 
diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
index b3ae7646fdcfa1dce10d90063dae2a24c091e8ee..935ea892cde9e2cb5b21f4714fd93e73c3fa53d5 100644
--- a/ipaserver/plugins/user.py
+++ b/ipaserver/plugins/user.py
@@ -63,7 +63,7 @@ from ipalib import _, ngettext
 from ipalib import output
 from ipaplatform.paths import paths
 from ipapython.dn import DN
-from ipapython.ipautil import ipa_generate_password
+from ipapython.ipautil import ipa_generate_password, GEN_TMP_PWD_LEN
 from ipalib.capabilities import client_has_capability
 
 if api.env.in_server:
@@ -517,7 +517,8 @@ class user_add(baseuser_add):
                 entry_attrs['gidnumber'] = group_attrs['gidnumber']
 
         if 'userpassword' not in entry_attrs and options.get('random'):
-            entry_attrs['userpassword'] = ipa_generate_password(baseuser_pwdchars)
+            entry_attrs['userpassword'] = ipa_generate_password(
+                baseuser_pwdchars, pwd_len=GEN_TMP_PWD_LEN)
             # save the password so it can be displayed in post_callback
             setattr(context, 'randompassword', entry_attrs['userpassword'])
 
-- 
2.5.5

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to