#7380 Possible regression for limited OTP characters in host-add
Closed: fixed 6 years ago Opened 6 years ago by johnclarson.

Request for enhancement

It appears a fix was generated to remove possible interpreted characters in random OTP generation for host-add function:

https://pagure.io/freeipa/c/8ce7330c5330e45c59c70d984a7fed526e85c58c

Issue

I am getting unwanted characters in random OTP from time to time, specifically "&", which causes freeipa realm proxy builds to fail in Foreman. It looks like the fix above was removed around the 4.4.0 timeframe.

Steps to Reproduce

  1. ipa host-add --random host.example.com
  2. Check random password that was generated and look for "&" character (should be excluded)

Actual behavior

I am getting unwanted characters in the randomly generated password occasionally which breaks builds in Foreman.

Expected behavior

Expect not to see excluded characters, which was the behavior after 3.0.0 and before 4.4.0 (ish).

Version/Release/Distribution

ipa-server-4.5.0-22.el7.centos.x86_64
ipa-client-4.5.0-22.el7.centos.x86_64
389-ds-base-1.3.6.1-24.el7_4.x86_64
pki-ca-10.4.1-17.el7_4.noarch
krb5-server-1.15.1-8.el7.x86_64

Additional info:

I have checked for possible ways to limit random OTP characters via the API and I can't seem to locate any way to do it. That doesn't mean there isn't though.

Log file locations: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/config-files-logs.html
Troubleshooting guide: https://www.freeipa.org/page/Troubleshooting


Actually it was the 4.5.0 release where I think the regression occurred, not 4.4.0.

I was able to edit /usr/lib/python2.7/site-packages/ipaserver/plugins/host.py with the following on line 686:

686 entropy_bits=TMP_PWD_ENTROPY_BITS, special=None)

This fixes the issue for me but it doesn't add any special characters at all to the random password.

Could also just edit /usr/lib/python2.7/site-packages/ipapython/ipautil.py and limit the type of special characters, it seems, on line 834:

828         Example:
829         TokenGenerator(uppercase=3, lowercase=3, digits=0, special=None)
830
831         At least 3 upper and 3 lower case ASCII chars, may contain digits,
832         no special chars.
833         """
834         special_chars = '!$%&()*+,-./:;<>?@[]^_{|}~'
835         pwd_charsets = {
836             'uppercase': {
837                 'chars': string.ascii_uppercase,
838                 'entropy': math.log(len(string.ascii_uppercase), 2)
839             },
840             'lowercase': {

We are using Foreman with EC2 and the freeipa realm proxy.

Here is a reference to the community template for freeipa client installation:

https://github.com/theforeman/community-templates/blob/develop/provisioning_templates/snippet/freeipa_register.erb

The issue for us is that we are using AWS EC2 instances and there is an open bug with Foreman on that:

http://projects.theforeman.org/issues/17292

To get around that, I have the following in the ipa-client-install section of that snippet:

# One-time password will be requested at install time. Otherwise, $HOST[OTP] is used as a placeholder value.
#/usr/sbin/ipa-client-install -w '<%= @host.otp || "$HOST[OTP]" %>'  --realm=<%= @host.realm %> -U $freeipa_mkhomedir $freeipa_opts $freeipa_server $freeipa_ssh
IPAOTP="<%= @host.otp %>" # this line isn't detemplated correctly unless we get it from curl
curl <%= foreman_url("user_data")%> | grep ^IPAOTP > /var/log/otp.log
. /var/log/otp.log
# snip
/usr/sbin/ipa-client-install -w ${IPAOTP} $freeipa_mkhomedir $freeipa_opts --no-dns-sshfp --enable-dns-updates -f -U

The random OTP needs to be quoted in two places here, the IPAOTP variable declaration and the ipa-client-install invocation. I have added quotes to the latter and I have tested several builds until I saw a "&" character in the /var/log/otp.log. It seems that fixed the issue.

Metadata Update from @johnclarson:
- Issue close_status updated to: worksforme
- Issue status updated to: Closed (was: Open)

6 years ago

Re-opening. Requiring integrators to quote the password is a way to work around this but it is a change of behavior in IPA. I'd like to see some further discussion.

Metadata Update from @rcritten:
- Issue status updated to: Open (was: Closed)

6 years ago

It seems a variable was added in 4.5.0 for entropy bits and I assume the higher that is, the harder it is to crack the password. Would a higher entropy value for the host_add OTP help mitigate security concerns for the lack of special characters?

Right, so setting special=None will generate a longer password to compensate. I'm leaning towards your suggestion of special=None for the host OTP.
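The two points made in this thread, that dropping the special-character group makes the generator emit a longer token to keep the same entropy, and that an integrator who embeds the OTP in a shell file must quote it, can both be shown in a short added example. This is illustrative code written for this ticket, not FreeIPA's TokenGenerator: the character groups are modelled on the ipautil.py excerpt quoted above, the 128-bit entropy target is an assumption (the thread names TMP_PWD_ENTROPY_BITS but not its value), and shell quoting is done with the standard library's shlex.quote.

```python
import math
import secrets
import shlex
import string

# Constructed character groups, modelled on the ipautil.py excerpt quoted in
# this thread; the special set is the string shown at line 834.
GROUPS = {
    'uppercase': string.ascii_uppercase,
    'lowercase': string.ascii_lowercase,
    'digits': string.digits,
    'special': '!$%&()*+,-./:;<>?@[]^_{|}~',
}

# Assumed entropy target: the thread mentions TMP_PWD_ENTROPY_BITS but not
# its value, so 128 bits is used here for illustration.
DEFAULT_ENTROPY_BITS = 128


def required_length(entropy_bits, alphabet_size):
    """Smallest length L such that L * log2(alphabet_size) >= entropy_bits."""
    return math.ceil(entropy_bits / math.log2(alphabet_size))


def generate_otp(entropy_bits=DEFAULT_ENTROPY_BITS,
                 uppercase=0, lowercase=0, digits=0, special=0):
    """Return a random token that meets the entropy target.

    Each keyword is the minimum number of characters drawn from that group,
    or None to exclude the group entirely (the TokenGenerator convention in
    the docstring quoted above). Excluding a group shrinks the alphabet, so
    the token must grow to carry the same number of bits.
    """
    minimums = {'uppercase': uppercase, 'lowercase': lowercase,
                'digits': digits, 'special': special}
    active = {name: GROUPS[name]
              for name, n in minimums.items() if n is not None}
    alphabet = ''.join(active.values())
    length = max(required_length(entropy_bits, len(alphabet)),
                 sum(n for n in minimums.values() if n is not None))
    # Satisfy the per-group minimums first, then fill from the whole alphabet.
    chars = [secrets.choice(active[name])
             for name, n in minimums.items() if n is not None
             for _ in range(n)]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Shuffle with a CSPRNG so the forced characters are not at fixed positions.
    secrets.SystemRandom().shuffle(chars)
    return ''.join(chars)


def shell_assignment(name, value):
    """Render NAME=VALUE so that sourcing the file with `. file` in sh reads
    the value back verbatim whatever characters it contains. This is the
    quoting the thread asks integrators to do before handing the OTP to
    ipa-client-install."""
    return f"{name}={shlex.quote(value)}"


if __name__ == '__main__':
    with_special = generate_otp()
    without_special = generate_otp(special=None)
    print(len(with_special), with_special)          # 20 chars from 88 symbols
    print(len(without_special), without_special)    # 22 chars from 62 symbols
    print(shell_assignment('IPAOTP', with_special))  # safe to `. otp.log`
```

With the 26-character special set, the alphabet is 88 symbols and 128 bits needs 20 characters; without it the alphabet is 62 symbols and the same 128 bits needs 22. The entropy per token is unchanged, which is the compensation rcritten describes; what changes is only the token length.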

PR: https://github.com/freeipa/freeipa/pull/1505

I guess assign this to me until a decision is made? Not sure what the protocol is.

Sure go ahead and take it. I think we need a discussion on freeipa-devel list about this, can you start it?

I am sorry I have looked all over and I can't see a way to "take" this issue.

Metadata Update from @rcritten:
- Issue priority set to: normal
- Issue set to the milestone: FreeIPA 4.6.4

6 years ago

Metadata Update from @rcritten:
- Issue assigned to johnclarson

6 years ago

master:

  • eaa5be3 Remove special characters in host_add random OTP generation

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

6 years ago

ipa-4-6:

  • 511fa05 Remove special characters in host_add random OTP generation
