URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA
mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/8db5b277a079fdfe5efbd7d49311f14489cee0e8
URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA
stlaz commented:
"""
I don't see any merge conflicts and the rebase was automatic so I don't see
why, but ok. Just note that ipatool may be confused with me committing
@pspacek's commit as he
URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA
mbasti-rh commented:
"""
PR needs rebase
"""
See the full comment at
https://github.com/freeipa/freeipa/pull/317#issuecomment-270705142
URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA
mbasti-rh commented:
"""
I would like to review this as well, so removing ACK to prevent pushing this to
master
"""
URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA
pspacek commented:
"""
Works for me, server installation including DNSSEC worked fine.
"""
See the full comment at
https://github.com/freeipa/freeipa/pull/317#issuecomment-268575899
URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA
pspacek commented:
"""
Talk is cheap so here is the code!
~~~
import math
import string
import random


class TokenGenerator(object):
    """Tunable token generator."""
    # without: = # ' "
~~~
URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA
pspacek commented:
"""
The main problem here is that we are mixing two approaches together, i.e.
entropy specification using bits + specification using character classes etc.
which used to
URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA
stlaz commented:
"""
Correct me if I'm wrong here but I believe we're going for the scenario where
the attacker has to guess the `xxx` bits of entropy and they know that they
have to do it.
URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA
pspacek commented:
"""
@mbasti-rh You are missing the point and thus do not answer my question: The
docstring does not tell anything about relation of 'entropy' and the output.
What is the
URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA
mbasti-rh commented:
"""
It generates random tokens that can be used as:
- passwords
- anything else that should be random
It is written in class docstring
Yes we can randomly generate
URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA
pspacek commented:
"""
Guys, I'm confused. What exactly is the purpose of `TokenGenerator`? The
docstring does not explain to me what is relation between arguments in
`__init__` and
URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA
mbasti-rh commented:
"""
@tiran True, I would like to have there at least assert which prevents devs to
use more than let's say 15% per class and more than 50% together, to prevent
silly
URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA
tiran commented:
"""
@mbasti-rh ```uppercase + lowercase + num + special``` should be limited to a
sensible value. A large value invalidates the formula that calculates the
length of the
URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA
mbasti-rh commented:
"""
@tiran IMO you need to check `length > uppercase + lowercase + num + special`,
otherwise infinite loop
but generally LGTM
"""
URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA
tiran commented:
"""
```
#!/usr/bin/python3
import math
import random
import string


class TokenGenerator(object):
    """Simple, tunable token generator
    TokenGenerator(uppercase=3,
```
URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA
tiran commented:
"""
@mbasti-rh I probably misunderstood your intention. I read your comment as
"Replace it with something sane, the sane thing is sha1".
By the way I'm currently tangled up
URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA
mbasti-rh commented:
"""
@tiran @simo5 If you read my comments properly I was happy with removing sha1()
and I pointed out that ipa_generate_password() must generate entropy 160bits as
was
URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA
tiran commented:
"""
@stlaz Your patch looks good. My comment regarding SHA1 was aimed at comment
https://github.com/freeipa/freeipa/pull/317#issuecomment-265440651 . The
suggestion of SHA1
URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA
simo5 commented:
"""
We may need a max length argument if we are dealing with some stuff that has
issues with more than max length characters ... In that case we can warn (or
raise, we'll
URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA
stlaz commented:
"""
@simo5 I was actually trying to get rid of SHA-1 and I am aware that entropy
will not be raised, that part of the code drew a smile on some of our faces
here, really :)
URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA
tiran commented:
"""
Please don't use a hack like sha1() to turn a random byte sequence into a hex
value. At best sha1 keeps the entropy of the input. I also don't like the fact
that the
URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA
simo5 commented:
"""
@stlaz SHA-1 DOES NOT add entropy at all, you need the right number of bits in
INPUT for whatever transformation you use.
@mbasti-rh in what way FIPS is incompatible with
URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA
simo5 commented:
"""
@stiaz, SHA-1 DOES NOT add entropy at all, you need the right number of bits in
INPUT for whatever transformation you use.
@mbasti-rh in what way FIPS is incompatible with
URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA
stlaz commented:
"""
Apparently, spaces are ok even in HTTP password.conf so I guess we can leave it
there.
"""
URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA
stlaz commented:
"""
NSS does support spaces in its passwords it seems. My hopes are that HTTP will
be able to understand spaces in its password.conf file.
"""
URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA
mbasti-rh commented:
"""
> The passwords should have around the same entropy now. SHA-1 actually
> produces 160bit outputs (hence 40-characters long hexadecimal digests), so I
> recounted it
URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA
stlaz commented:
"""
The passwords should have around the same entropy now. SHA-1 actually produces
160bit outputs (hence 40-characters long hexadecimal digests), so I recounted
it for
URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA
mbasti-rh commented:
"""
Please replace this by something sane,
```
return sha1(ipautil.ipa_generate_password()).hexdigest()
```
security by obscurity worked well in Roman empire, but now
URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA
mbasti-rh commented:
"""
NACK
You replaced os.random() by ipa_generate_password, but ipa_generate password
does not generate random bytes but random printable characters (entropy--) so
you