From da605eb84f7d5de741225ff936447db01690a04f Mon Sep 17 00:00:00 2001
From: Justin Santa Barbara <justin@fathomdb.com>
Date: Mon, 14 Mar 2011 20:48:33 -0700
Subject: Don't generate insecure passwords where it's easy to use urandom
 instead

---
 nova/console/manager.py |  2 +-
 nova/console/xvp.py     |  4 ----
 nova/utils.py           | 15 ++++++++++-----
 3 files changed, 11 insertions(+), 10 deletions(-)

diff --git a/nova/console/manager.py b/nova/console/manager.py
index 57c75cf4f..bfa571ea9 100644
--- a/nova/console/manager.py
+++ b/nova/console/manager.py
@@ -69,7 +69,7 @@ class ConsoleProxyManager(manager.Manager):
         except exception.NotFound:
             logging.debug(_("Adding console"))
             if not password:
-                password = self.driver.generate_password()
+                password = utils.generate_password(8)
             if not port:
                 port = self.driver.get_port(context)
             console_data = {'instance_name': name,
diff --git a/nova/console/xvp.py b/nova/console/xvp.py
index 68d8c8565..0cedfbb13 100644
--- a/nova/console/xvp.py
+++ b/nova/console/xvp.py
@@ -91,10 +91,6 @@ class XVPConsoleProxy(object):
         """Trim password to length, and encode"""
         return self._xvp_encrypt(password)
 
-    def generate_password(self, length=8):
-        """Returns random console password"""
-        return os.urandom(length * 2).encode('base64')[:length]
-
     def _rebuild_xvp_conf(self, context):
         logging.debug(_("Rebuilding xvp conf"))
         pools = [pool for pool in
diff --git a/nova/utils.py b/nova/utils.py
index 87e726394..9c8b27d56 100644
--- a/nova/utils.py
+++ b/nova/utils.py
@@ -263,12 +263,17 @@ def generate_mac():
 
 
 def generate_password(length=20):
-    """Generate a random sequence of letters and digits
-    to be used as a password. Note that this is not intended
-    to represent the ultimate in security.
+    """Generate a random alphanumeric password, avoiding 'confusing' O,0,I,1.
+
+    Believed to be reasonably secure (with a reasonable password length!)
     """
-    chrs = string.letters + string.digits
-    return "".join([random.choice(chrs) for i in xrange(length)])
+    # 26 letters, 10 digits = 36
+    # Remove O, 0, I, 1 => 32 digits
+    # 32 digits means we're just using the low 5 bit of each byte
+    chrs = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
+
+    random_bytes = os.urandom(length)
+    return "".join([chrs[ord(random_bytes[i]) % 32] for i in xrange(length)])
 
 
 def last_octet(address):
-- 
cgit