I recently experienced an issue where special characters in the "ipa
host-add" operation were interpreted by bash in an unattended provisioning
script. In checking the log after the provisioning failure, I saw the
password was considered incorrect by the server.

I never had this issue before 4.5.0 was released because prior to that, a
smaller subset of special characters were allowed and any special character
that needed to be escaped was removed. Upon further inspection, I
discovered that the script I was using to provision my servers did not have
the password quoted properly. I was able to modify that and the issue was
resolved.

Would it be better to exclude all special characters in the random password
generation for host-add moving forward? When the special character set was
expanded in 4.5.0, this could cause issues for people who were operating
under the assumption that troublesome special characters were excluded.

Here are some references for consideration.

This is the original bug and the fix from 2012. This "fix" was removed in
4.5.0 and all special characters are now valid:

https://bugzilla.redhat.com/show_bug.cgi?id=827392

Here is my pull request that will remove special characters from random OTP
generation moving forward:

https://github.com/freeipa/freeipa/pull/1505

Do you think it should be left to the user to properly quote variables or
remove the possibility of the issue by removing special characters for the
host-add operation? Do you think that, since the whole array of special
characters was opened up in 4.5.0, that this can be perceived as a
"regression"?

Thanks for your time,

John Larson
_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
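
The failure described in this message, reproduced as an added example that is not part of the original email or of FreeIPA. It assumes the provisioning script spliced the OTP into a command string parsed by a second shell; the OTP is a constructed sample, the helper names (`sq`, `enroll_*`) are hypothetical, and `printf` stands in for the enrolment command.

```shell
#!/bin/sh
# Added example. OTP is a constructed sample, not a real FreeIPA password.
OTP='Qx$9z\Lm'

# Hypothetical helper: single-quote a value so a second shell reads it
# literally. Wrap in '...' and rewrite each embedded ' as '\''.
sq() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# In each function below, printf stands in for the enrolment command and
# simply reports the password argument that command would have received.

# Broken pattern (assumed): the OTP is spliced into a command string that a
# second shell parses. `ssh host "cmd $OTP"` behaves the same way.
enroll_unquoted() {
    sh -c "printf '%s' $1"
}

# Fix 1: quote the value for the shell that will parse the string.
enroll_quoted() {
    sh -c "printf '%s' $(sq "$1")"
}

# Fix 2: keep the secret out of the command string; pass it as an argument.
enroll_argv() {
    sh -c 'printf "%s" "$1"' sh "$1"
}

printf 'issued by server : %s\n' "$OTP"
printf 'unquoted delivers: %s\n' "$(enroll_unquoted "$OTP")"
printf 'quoted delivers  : %s\n' "$(enroll_quoted "$OTP")"
printf 'argv delivers    : %s\n' "$(enroll_argv "$OTP")"
```

In the unquoted case the second shell expands `$9` to nothing and consumes the backslash, so the command receives `QxzLm`, which no longer matches the issued OTP.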
