#49643 Issue 49642 - lib389 should generate a more complex password
Closed 3 years ago by spichugi. Opened 6 years ago by spichugi.
spichugi/389-ds-base pwd_gen  into  master

file modified
+39 -2
@@ -18,6 +18,19 @@ 

  

  # How do we feed our prefix into this?

  def password_hash(pw, scheme=None, bin_dir='/bin'):

+     """Generate a password hash using pwdhash tool

+ 

+     :param pw: the password

+     :type pw: str

+     :param scheme: password scheme to be used

+         (e.g. MD5, SHA1, SHA256, SHA512, SSHA, SSHA256, SSHA512)

+     :type scheme: str

+     :param bin_dir: a path to the directory with pwdhash tool

+     :type bin_dir: str

+ 

+     :returns: a string with a password hash

+     """

+ 

      # Check that the binary exists

      pwdhashbin = os.path.join(bin_dir, 'pwdhash')

      assert(os.path.isfile(pwdhashbin))
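Review bot: the new `password_hash` docstring does not say what happens when `scheme` is left at its default of `None`, and it has no `:raises:` entry even though the function asserts that `pwdhash` exists under `bin_dir`. Suggest documenting the `scheme=None` behaviour and the failure mode. Better still, replace `assert(os.path.isfile(pwdhashbin))` with an explicit exception, since assert statements are dropped when Python runs with -O and the check would silently disappear.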
@@ -29,6 +42,30 @@ 

  

  

  def password_generate(length=64):

-     pw = [random.choice(string.ascii_letters) for x in range(length - 1)]

-     pw.append('%s' % random.randint(0, 9))

+     """Generate a complex password with at least

+     one upper case letter, a lower case letter, a digit

+     and a special character

+ 

+     :param length: a password length

+     :type length: int

+ 

+     :returns: a string with a password

+     """

+ 

+     # We have exactly 64 characters because it makes the selection unbiased

+     # The number of possible values for a byte is 256 which is a multiple of 64

+     # Maybe it is an overkill for our case but it can come handy one day

+     # (especially consider the fact we can use it for CLI tools)

+     chars = string.ascii_letters + string.digits + '*&'

+ 

+     # Get the minimal requirements

+     pw = [random.choice(string.ascii_lowercase),

+           random.choice(string.ascii_uppercase),

+           random.choice(string.digits),

+           '!']

+ 

+     # Use the simple algorithm to generate more or less secure password

+     for i in range(length - 3):

+         pw.append(chars[os.urandom(1)[0] % len(chars)])

+     random.shuffle(pw)

      return "".join(pw)
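Review bot: the loop bound `range(length - 3)` is off by one. Four characters are already seeded into `pw` (lowercase, uppercase, digit and `!`), so the function returns `length + 1` characters (65 for the default of 64), and any `length` of 3 or less still returns 4 characters. Suggest `range(length - 4)` plus an explicit check that rejects lengths under 4, and a docstring line stating the minimum. Separately, the seeded characters and `random.shuffle(pw)` use the `random` module while the loop uses `os.urandom`; taking `choice` and `shuffle` from `random.SystemRandom()` would keep the whole password on the OS random source. The special character is always `!`, so it satisfies the character-class rule but adds no entropy.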

Bug description: New NSS versions require a password to be more complex.
The password should be at least 7 characters long,
and should consist of at least three character classes.
The available character classes are: digits (0-9), ASCII
lowercase letters, ASCII uppercase letters, ASCII
non-alphanumeric characters, and non-ASCII characters.

Fix description: Refactor password_generate function
so it fulfils the minimal requirements. Also, make
the function generate a more secure password.
Add the docstrings to the passwd.py module.

https://pagure.io/389-ds-base/issue/49642

Reviewed by: ?

rebased onto 4b68ef07dd86b5cfa2bdaa20578d00b343b33206

6 years ago

rebased onto d357888

6 years ago

Pull-Request has been merged by spichugi

6 years ago

Just want to point out, this isn't really a needed change. Password length matters more than "complexity". Even knowing this is all lowercase, at 64 chars long, that's 36893488147419103232 possible combinations just of lower case letters.

Sure, I agree.
The main reason for the patch was that we need 'at least three character classes.' in the password now. The tests were failing.

And regarding the rest of the change, as I've mentioned in the comment:

# Maybe it is an overkill for our case but it can come handy one day
# (especially consider the fact we can use it for CLI tools)

So I can imagine that one day someone can use the code or the function for generating his own password (Directory Manager, for instance, and the password will have fewer characters because it will be for personal use).

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This pull request has been cloned to Github as issue and is available here:
- https://github.com/389ds/389-ds-base/issues/2702

If you want to continue to work on the PR, please navigate to the github issue,
download the patch from the attachments and file a new pull request.

Thank you for understanding. We apologize for all inconvenience.

Pull-Request has been closed by spichugi

3 years ago