Increase default length of auto generated passwords

Installer/IPA generates passwords for warious purpose:
* KRA
* kerberos master key
* NSSDB password
* temporary passwords during installation

Length of passwords should be increased to 22, ~128bits of entropy, to
be safe nowadays.

https://fedorahosted.org/freeipa/ticket/6116

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

1 files changed, 3 insertions, 2 deletions

diff --git a/ipaserver/plugins/stageuser.py b/ipaserver/plugins/stageuser.py
index 3b9388f60..a219e3dac 100644
--- a/ipaserver/plugins/stageuser.py
+++ b/ipaserver/plugins/stageuser.py
@@ -47,7 +47,7 @@ from ipalib.util import set_krbcanonicalname
 from ipalib import _, ngettext
 from ipalib import output
 from ipaplatform.paths import paths
-from ipapython.ipautil import ipa_generate_password
+from ipapython.ipautil import ipa_generate_password, GEN_TMP_PWD_LEN
 from ipalib.capabilities import client_has_capability
 
 if six.PY3:
@@ -339,7 +339,8 @@ class stageuser_add(baseuser_add):
 
         # If requested, generate a userpassword
         if 'userpassword' not in entry_attrs and options.get('random'):
-            entry_attrs['userpassword'] = ipa_generate_password(baseuser_pwdchars)
+            entry_attrs['userpassword'] = ipa_generate_password(
+                baseuser_pwdchars, pwd_len=GEN_TMP_PWD_LEN)
             # save the password so it can be displayed in post_callback
             setattr(context, 'randompassword', entry_attrs['userpassword'])