URL: https://github.com/freeipa/freeipa/pull/317 Author: stlaz Title: #317: Unify password generation across FreeIPA Action: opened
PR body: """ When installing FreeIPA in FIPS mode I noticed that there were often different ways of generating passwords in different spots raising the same issue with password requirements. Handling password generation at one centralized spot should allow us handle any password requirements issues at this very spot. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/317/head:pr317 git checkout pr317
From d214b72d6b2299df29540151a86671b361f16167 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Tue, 6 Dec 2016 09:05:42 +0100 Subject: [PATCH] Unify password generation across FreeIPA https://fedorahosted.org/freeipa/ticket/5695 --- ipaserver/install/certs.py | 8 ++------ ipaserver/install/dogtaginstance.py | 3 +-- ipaserver/install/dsinstance.py | 5 +---- ipaserver/install/httpinstance.py | 5 ++--- ipaserver/install/server/replicainstall.py | 3 +-- ipaserver/secrets/store.py | 2 +- 6 files changed, 8 insertions(+), 18 deletions(-) diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py index 45602ba..8673a48 100644 --- a/ipaserver/install/certs.py +++ b/ipaserver/install/certs.py @@ -25,7 +25,6 @@ import xml.dom.minidom import pwd import base64 -from hashlib import sha1 import fcntl import time import datetime @@ -159,9 +158,6 @@ def set_perms(self, fname, write=False, uid=None): perms |= stat.S_IWUSR os.chmod(fname, perms) - def gen_password(self): - return sha1(ipautil.ipa_generate_password()).hexdigest() - def run_certutil(self, args, stdin=None, **kwargs): return self.nssdb.run_certutil(args, stdin, **kwargs) @@ -177,7 +173,7 @@ def create_noise_file(self): if ipautil.file_exists(self.noise_fname): os.remove(self.noise_fname) f = open(self.noise_fname, "w") - f.write(self.gen_password()) + f.write(ipautil.ipa_generate_password()) self.set_perms(self.noise_fname) def create_passwd_file(self, passwd=None): @@ -186,7 +182,7 @@ def create_passwd_file(self, passwd=None): if passwd is not None: f.write("%s\n" % passwd) else: - f.write(self.gen_password()) + f.write(ipautil.ipa_generate_password()) f.close() self.set_perms(self.passwd_fname) diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py index f4856c7..b2a569a 100644 --- a/ipaserver/install/dogtaginstance.py +++ b/ipaserver/install/dogtaginstance.py @@ -18,7 +18,6 @@ # import base64 -import binascii import ldap import os import shutil @@ -428,7 +427,7 @@ def __add_admin_to_group(self, group): def setup_admin(self): self.admin_user = "admin-%s" % self.fqdn - self.admin_password = binascii.hexlify(os.urandom(16)) + self.admin_password = ipautil.ipa_generate_password(pwd_len=16) self.admin_dn = DN(('uid', self.admin_user), ('ou', 'people'), ('o', 'ipaca')) diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 1be5ac7..09708dc 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -506,7 +506,7 @@ def __setup_sub_dict(self): idrange_size = None self.sub_dict = dict(FQDN=self.fqdn, SERVERID=self.serverid, PASSWORD=self.dm_password, - RANDOM_PASSWORD=self.generate_random(), + RANDOM_PASSWORD=ipautil.ipa_generate_password(), SUFFIX=self.suffix, REALM=self.realm, USER=DS_USER, SERVER_ROOT=server_root, DOMAIN=self.domain, @@ -773,9 +773,6 @@ def __host_nis_groups(self): def __add_enrollment_module(self): self._ldap_mod("enrollment-conf.ldif", self.sub_dict) - def generate_random(self): - return ipautil.ipa_generate_password() - def __enable_ssl(self): dirname = config_dirname(self.serverid) dsdb = certs.CertDB(self.realm, nssdir=dirname, subject_base=self.subject_base) diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index 15c3107..e822b3c 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -19,7 +19,6 @@ from __future__ import print_function -import binascii import os import os.path import pwd @@ -314,9 +313,9 @@ def create_cert_db(self): ipautil.backup_file(nss_path) # Create the password file for this db - hex_str = binascii.hexlify(os.urandom(10)) + password = ipautil.ipa_generate_password(pwd_len=10) f = os.open(pwd_file, os.O_CREAT | os.O_RDWR) - os.write(f, hex_str) + os.write(f, password) os.close(f) ipautil.run([paths.CERTUTIL, "-d", database, "-f", pwd_file, "-N"]) diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index f1f7b1b..1d74faa 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py @@ -45,7 +45,6 @@ ReplicationManager, replica_conn_check) import SSSDConfig from subprocess import CalledProcessError -from binascii import hexlify if six.PY3: unicode = str @@ -1301,7 +1300,7 @@ def install(installer): if conn.isconnected(): conn.disconnect() os.environ['KRB5CCNAME'] = ccache - config.dirman_password = hexlify(ipautil.ipa_generate_password()) + config.dirman_password = ipautil.ipa_generate_password() # FIXME: allow to use passed in certs instead if ca_enabled: diff --git a/ipaserver/secrets/store.py b/ipaserver/secrets/store.py index 1df7191..9d05c62 100644 --- a/ipaserver/secrets/store.py +++ b/ipaserver/secrets/store.py @@ -122,7 +122,7 @@ def export_key(self): with open(nsspwfile, 'w+') as f: f.write(self.nssdb_password) pk12pwfile = os.path.join(tdir, 'pk12pwfile') - password = b64encode(os.urandom(16)) + password = ipautil.ipa_generate_password(pwd_len=16) with open(pk12pwfile, 'w+') as f: f.write(password) pk12file = os.path.join(tdir, 'pk12file')
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code