authorPetr Spacek <pspacek@redhat.com>2016-12-21 15:07:34 +0100
committerMartin Basti <mbasti@redhat.com>2017-01-06 09:26:56 +0100
commitfb7c111ac13510609e2cba14ecf88cd2ed291a4b (patch)
tree3c963ca45514bbd66706a27175726a19a9f87713 /ipaserver/plugins
parent8db5b277a079fdfe5efbd7d49311f14489cee0e8 (diff)
ipa_generate_password algorithm change
A change to the algorithm that generates random passwords for multiple purposes throughout IPA. This spells out the need to assess password strength by the entropy it contains rather than by its length. This new password generation should also be compatible with the NSS implementation of password requirements in a FIPS environment, so that newly created databases won't fail with wrong authentication. https://fedorahosted.org/freeipa/ticket/5695 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Petr Spacek <pspacek@redhat.com>
Diffstat (limited to 'ipaserver/plugins')
-rw-r--r--ipaserver/plugins/baseuser.py8
-rw-r--r--ipaserver/plugins/host.py12
-rw-r--r--ipaserver/plugins/stageuser.py5
-rw-r--r--ipaserver/plugins/user.py5
4 files changed, 10 insertions, 20 deletions
diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
index 4c7e9f083..85ad41768 100644
--- a/ipaserver/plugins/baseuser.py
+++ b/ipaserver/plugins/baseuser.py
@@ -17,8 +17,6 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
-import string
-
import six
from ipalib import api, errors
@@ -35,7 +33,7 @@ from ipalib.request import context
from ipalib import _
from ipalib.constants import PATTERN_GROUPUSER_NAME
from ipapython import kerberos
-from ipapython.ipautil import ipa_generate_password, GEN_TMP_PWD_LEN
+from ipapython.ipautil import ipa_generate_password, TMP_PWD_ENTROPY_BITS
from ipapython.ipavalidate import Email
from ipalib.util import (
normalize_sshpubkey,
@@ -75,8 +73,6 @@ UPG_DEFINITION_DN = DN(('cn', 'UPG Definition'),
('cn', 'etc'),
api.env.basedn)
-# characters to be used for generating random user passwords
-baseuser_pwdchars = string.digits + string.ascii_letters + '_,.@+-='
def validate_nsaccountlock(entry_attrs):
if 'nsaccountlock' in entry_attrs:
@@ -554,7 +550,7 @@ class baseuser_mod(LDAPUpdate):
def check_userpassword(self, entry_attrs, **options):
if 'userpassword' not in entry_attrs and options.get('random'):
entry_attrs['userpassword'] = ipa_generate_password(
- baseuser_pwdchars, pwd_len=GEN_TMP_PWD_LEN)
+ entropy_bits=TMP_PWD_ENTROPY_BITS)
# save the password so it can be displayed in post_callback
setattr(context, 'randompassword', entry_attrs['userpassword'])
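Review bot: The `+` line now relies on the default `characters` argument of `ipa_generate_password`, while the comment that explained the old plugin-local set ("chosen to avoid the need for escaping the characters by user", removed from host.py in this commit) goes away with it, so the call site no longer says anything about which characters a generated one-time password may contain. Since the value is shown to the user in post_callback, it is worth confirming that the default set in ipapython.ipautil (not part of this diff) keeps that property, and keeping a one-line pointer at the call, e.g. `# character set and length are chosen by ipa_generate_password; see ipapython.ipautil`. The same applies to the identical call sites in host_add and host_mod (host.py), stageuser_add (stageuser.py) and user_add (user.py). check_userpassword may continue past the end of this hunk.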
diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
index 957a1edcf..58e711f34 100644
--- a/ipaserver/plugins/host.py
+++ b/ipaserver/plugins/host.py
@@ -21,7 +21,6 @@
from __future__ import absolute_import
import dns.resolver
-import string
import six
@@ -62,7 +61,7 @@ from ipalib.util import (normalize_sshpubkey, validate_sshpubkey_no_options,
from ipapython.ipautil import (
ipa_generate_password,
CheckedIPAddress,
- GEN_TMP_PWD_LEN
+ TMP_PWD_ENTROPY_BITS
)
from ipapython.dnsutil import DNSName
from ipapython.ssh import SSHPublicKey
@@ -136,10 +135,6 @@ EXAMPLES:
register = Registry()
-# Characters to be used by random password generator
-# The set was chosen to avoid the need for escaping the characters by user
-host_pwd_chars = string.digits + string.ascii_letters + '_,.@+-='
-
def remove_ptr_rec(ipaddr, fqdn):
"""
@@ -688,7 +683,7 @@ class host_add(LDAPCreate):
entry_attrs['objectclass'].remove('krbprincipal')
if options.get('random'):
entry_attrs['userpassword'] = ipa_generate_password(
- characters=host_pwd_chars, pwd_len=GEN_TMP_PWD_LEN)
+ entropy_bits=TMP_PWD_ENTROPY_BITS)
# save the password so it can be displayed in post_callback
setattr(context, 'randompassword', entry_attrs['userpassword'])
certs = options.get('usercertificate', [])
@@ -915,7 +910,8 @@ class host_mod(LDAPUpdate):
entry_attrs['usercertificate'] = certs_der
if options.get('random'):
- entry_attrs['userpassword'] = ipa_generate_password(characters=host_pwd_chars)
+ entry_attrs['userpassword'] = ipa_generate_password(
+ entropy_bits=TMP_PWD_ENTROPY_BITS)
setattr(context, 'randompassword', entry_attrs['userpassword'])
if 'macaddress' in entry_attrs:
diff --git a/ipaserver/plugins/stageuser.py b/ipaserver/plugins/stageuser.py
index 1da43ecb6..afd402ea2 100644
--- a/ipaserver/plugins/stageuser.py
+++ b/ipaserver/plugins/stageuser.py
@@ -38,7 +38,6 @@ from .baseuser import (
baseuser_find,
baseuser_show,
NO_UPG_MAGIC,
- baseuser_pwdchars,
baseuser_output_params,
baseuser_add_manager,
baseuser_remove_manager)
@@ -47,7 +46,7 @@ from ipalib.util import set_krbcanonicalname
from ipalib import _, ngettext
from ipalib import output
from ipaplatform.paths import paths
-from ipapython.ipautil import ipa_generate_password, GEN_TMP_PWD_LEN
+from ipapython.ipautil import ipa_generate_password, TMP_PWD_ENTROPY_BITS
from ipalib.capabilities import client_has_capability
if six.PY3:
@@ -340,7 +339,7 @@ class stageuser_add(baseuser_add):
# If requested, generate a userpassword
if 'userpassword' not in entry_attrs and options.get('random'):
entry_attrs['userpassword'] = ipa_generate_password(
- baseuser_pwdchars, pwd_len=GEN_TMP_PWD_LEN)
+ entropy_bits=TMP_PWD_ENTROPY_BITS)
# save the password so it can be displayed in post_callback
setattr(context, 'randompassword', entry_attrs['userpassword'])
diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
index 529609314..64405483a 100644
--- a/ipaserver/plugins/user.py
+++ b/ipaserver/plugins/user.py
@@ -38,7 +38,6 @@ from .baseuser import (
NO_UPG_MAGIC,
UPG_DEFINITION_DN,
baseuser_output_params,
- baseuser_pwdchars,
validate_nsaccountlock,
convert_nsaccountlock,
fix_addressbook_permission_bindrule,
@@ -63,7 +62,7 @@ from ipalib import _, ngettext
from ipalib import output
from ipaplatform.paths import paths
from ipapython.dn import DN
-from ipapython.ipautil import ipa_generate_password, GEN_TMP_PWD_LEN
+from ipapython.ipautil import ipa_generate_password, TMP_PWD_ENTROPY_BITS
from ipalib.capabilities import client_has_capability
if api.env.in_server:
@@ -529,7 +528,7 @@ class user_add(baseuser_add):
if 'userpassword' not in entry_attrs and options.get('random'):
entry_attrs['userpassword'] = ipa_generate_password(
- baseuser_pwdchars, pwd_len=GEN_TMP_PWD_LEN)
+ entropy_bits=TMP_PWD_ENTROPY_BITS)
# save the password so it can be displayed in post_callback
setattr(context, 'randompassword', entry_attrs['userpassword'])