author | David Cantrell <dcantrell@redhat.com> | 2008-02-20 08:10:59 -1000 |
---|---|---|
committer | David Cantrell <dcantrell@redhat.com> | 2008-02-20 08:10:59 -1000 |
commit | 42f95909a18d2a2ae64109ccba8fcb2a681dd555 (patch) | |
tree | 612bb34715b8a1327022e1a9924bfefe9e822ad6 /instdata.py | |
parent | 4a1ba1a6a002651ecb5687aba6d0586647a57d8c (diff) | |
Use SHA-512 by default for password encryption.
Encode passwords using SHA-512 by default. Users can override
this in a Kickstart file using the 'auth' command. The options
below determine the algorithm used:
--enablemd5 -or- --passalgo=md5 MD5
--passalgo=sha256 SHA-256
--passalgo=sha512 SHA-512
The previous default was MD5. glibc now supports SHA-256 and
SHA-512, so we are using the strongest of those choices by
default now.
Diffstat (limited to 'instdata.py')
-rw-r--r-- | instdata.py | 50 |
1 files changed, 32 insertions, 18 deletions
diff --git a/instdata.py b/instdata.py index b90af8d6b..e1175f2fe 100644 --- a/instdata.py +++ b/instdata.py @@ -72,7 +72,7 @@ class InstallData: self.timezone.setTimezoneInfo(self.instLanguage.getDefaultTimeZone()) self.users = None self.rootPassword = { "isCrypted": False, "password": "", "lock": False } - self.auth = "--enableshadow --enablemd5" + self.auth = "--enableshadow --passalgo=sha512" self.desktop = desktop.Desktop() self.upgrade = None if flags.cmdline.has_key("doupgrade"): @@ -150,12 +150,20 @@ class InstallData: def setUpgrade (self, bool): self.upgrade = bool - def write(self): - if self.auth.find("--enablemd5"): - useMD5 = True + # Reads the auth string and returns a string indicating our desired + # password encoding algorithm. + def getPassAlgo(self): + if self.auth.find("--enablemd5") != -1 or \ + self.auth.find("--passalgo=md5") != -1: + return 'md5' + elif self.auth.find("--passalgo=sha256") != -1: + return 'sha256' + elif self.auth.find("--passalgo=sha512") != -1: + return 'sha512' else: - useMD5 = False + return None + def write(self): self.instLanguage.write (self.anaconda.rootPath) if not self.isHeadless: @@ -175,16 +183,21 @@ class InstallData: except RuntimeError, msg: log.error("Error running %s: %s", args, msg) - self.network.write (self.anaconda.rootPath) - self.firewall.write (self.anaconda.rootPath) + self.network.write (self.anaconda.rootPath) + self.firewall.write (self.anaconda.rootPath) self.security.write (self.anaconda.rootPath) self.users = users.Users() + # make sure crypt_style in libuser.conf matches the salt we're using + users.createLuserConf(self.anaconda.rootPath, + algoname=self.getPassAlgo()) + # User should already exist, just without a password. self.users.setRootPassword(self.rootPassword["password"], - self.rootPassword["isCrypted"], useMD5, - self.rootPassword["lock"]) + self.rootPassword["isCrypted"], + self.rootPassword["lock"], + algo=self.getPassAlgo()) self.users.reset() 
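Review bot: In getPassAlgo the branch order decides the result when the auth string carries more than one option, and the MD5 test comes first, so a line such as `--enablemd5 --passalgo=sha512` (for example an older Kickstart entry that had `--passalgo` appended) yields 'md5'. Testing the explicit `--passalgo=` values strongest-first and `--enablemd5` last avoids that silent downgrade. Which option authconfig itself honours in that case is not visible here and should be checked so that both agree. The final `return None` also deserves a comment: an `auth` line with neither option sends `algo=None` to createLuserConf, setRootPassword, createUser and cryptPassword, and what those fall back to is defined outside this file.

```python
def getPassAlgo(self):
    # When several options are present, the strongest explicit choice wins.
    for algo in ('sha512', 'sha256', 'md5'):
        if self.auth.find("--passalgo=%s" % algo) != -1:
            return algo
    if self.auth.find("--enablemd5") != -1:
        return 'md5'
    # No algorithm requested; callers receive None and apply their own default.
    return None
```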
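Review bot: The setRootPassword call in write() still passes `self.rootPassword["lock"]` positionally, now in the third slot that `useMD5` occupied before this change. That is only correct if the signature in users.py was reordered in the same commit, which cannot be confirmed here because the diffstat is limited to instdata.py. Passing it by name, `lock=self.rootPassword["lock"],`, as the createUser call in the next hunk does, removes the dependency on parameter order and keeps a lock flag from being read as an algorithm selector. write()'s body continues outside this hunk.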
@@ -202,19 +215,20 @@ class InstallData: root=self.anaconda.rootPath) for ud in self.ksdata.user.userList: - if not self.users.createUser(ud.name, ud.password, ud.isCrypted, - ud.groups, ud.homedir, ud.shell, - ud.uid, ud.lock, + if not self.users.createUser(name=ud.name, + password=ud.password, + isCrypted=ud.isCrypted, + groups=ud.groups, + homedir=ud.homedir, + shell=ud.shell, + uid=ud.uid, + algo=self.getPassAlgo(), + lock=ud.lock, root=self.anaconda.rootPath): log.error("User %s already exists, not creating." % ud.name) def writeKS(self, filename): - if self.auth.find("--enablemd5"): - useMD5 = True - else: - useMD5 = False - f = open(filename, "w") f.write("# Kickstart file automatically generated by anaconda.\n\n") @@ -243,7 +257,7 @@ class InstallData: if self.rootPassword["isCrypted"]: args = " --iscrypted %s" % self.rootPassword["password"] else: - args = " --iscrypted %s" % users.cryptPassword(self.rootPassword["password"], useMD5) + args = " --iscrypted %s" % users.cryptPassword(self.rootPassword["password"], algo=self.getPassAlgo()) if self.rootPassword["lock"]: args += " --lock" |
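Review bot: `self.getPassAlgo()` is evaluated inside the `for ud in self.ksdata.user.userList:` loop, re-scanning `self.auth` for every user although nothing in the loop body shown changes it. Binding it once before the loop, `algo = self.getPassAlgo()`, and passing `algo=algo` keeps the call shorter and gives a single place to log or reject a `None` result before any account is created. The enclosing method starts outside this hunk.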