Univention Bugzilla – Attachment 10905 Details for Bug 52575: machine/password/length of 28 or larger causes core dump in univention.license
[patch]
Patch suggestion, including default password length
machine-password-length.patch (text/plain), 8.30 KB, created by
Gino Harlos
on 2022-01-16 10:11:17 CET
>diff --git a/base/univention-base-files/debian/univention-base-files.univention-config-registry-variables b/base/univention-base-files/debian/univention-base-files.univention-config-registry-variables >index 49a20a6f7e..06ea646963 100644 >--- a/base/univention-base-files/debian/univention-base-files.univention-config-registry-variables >+++ b/base/univention-base-files/debian/univention-base-files.univention-config-registry-variables >@@ -1178,8 +1178,8 @@ Type=str > Categories=service-base > > [machine/password/length] >-Description[de]=Das Passwort des Rechnerkontos wird in der Regel automatisch erstellt und rotiert. Es wird in der Datei /etc/machine.secret gespeichert. Diese Variable konfiguriert die Länge des generierten Passworts. Ist die Variable nicht gesetzt, ist das Passwort 20 Zeichen lang. >-Description[en]=The password for the computer account is usually automatically created and rotated. It is stored in the file /etc/machine.secret. This variable configures the length of the generated password. If the variable is unset, the password consists of 20 characters. >+Description[de]=Das Passwort des Rechnerkontos wird in der Regel automatisch erstellt und rotiert. Es wird in der Datei /etc/machine.secret gespeichert. Diese Variable konfiguriert die Länge des generierten Passworts. Ist die Variable nicht gesetzt, ist das Passwort 32 Zeichen lang. >+Description[en]=The password for the computer account is usually automatically created and rotated. It is stored in the file /etc/machine.secret. This variable configures the length of the generated password. If the variable is unset, the password consists of 32 characters. > Type=int > Categories=service-base > >diff --git a/base/univention-lib/python/misc.py b/base/univention-lib/python/misc.py >index 585ed5007a..7bb532035c 100644 >--- a/base/univention-lib/python/misc.py >+++ b/base/univention-lib/python/misc.py 
>@@ -48,7 +48,7 @@ def createMachinePassword(): > """ > ucr = ConfigRegistry() > ucr.load() >- length = ucr.get('machine/password/length', '20') >+ length = ucr.get('machine/password/length', '32') > compl = ucr.get('machine/password/complexity', 'scn') > p = subprocess.Popen(["pwgen", "-1", "-" + compl, length], stdout=subprocess.PIPE, stderr=subprocess.PIPE) > (stdout, stderr) = p.communicate() >diff --git a/base/univention-lib/shell/base.sh b/base/univention-lib/shell/base.sh >index 52806fd7cc..644950d6de 100644 >--- a/base/univention-lib/shell/base.sh >+++ b/base/univention-lib/shell/base.sh >@@ -145,7 +145,7 @@ create_machine_password () { > local length compl > length="$(/usr/sbin/univention-config-registry get machine/password/length)" > compl="$(/usr/sbin/univention-config-registry get machine/password/complexity)" >- pwgen -1 -"${compl:-scn}" "${length:-20}" | tr -d '\n' >+ pwgen -1 -"${compl:-scn}" "${length:-32}" | tr -d '\n' > } > > # >diff --git a/base/univention-licence/lib/license_ldap.c b/base/univention-licence/lib/license_ldap.c >index 0de0ba2431..ed33c52ccd 100644 >--- a/base/univention-licence/lib/license_ldap.c >+++ b/base/univention-licence/lib/license_ldap.c >@@ -8,7 +8,7 @@ > > static univention_ldap_parameters_t *lp = NULL; > >-#define _UNIVENTION_LDAP_MACHINE_SECRET_LEN_MAX 60 >+#define _UNIVENTION_LDAP_MACHINE_SECRET_LEN_MAX 256 > int univention_ldap_set_machine_connection(univention_ldap_parameters_t *lp) { > FILE *secret; > size_t len; >diff --git a/base/univention-policy/lib/ldap.c b/base/univention-policy/lib/ldap.c >index 6d85cce72b..84f586faa7 100644 >--- a/base/univention-policy/lib/ldap.c >+++ b/base/univention-policy/lib/ldap.c 
>@@ -107,7 +107,7 @@ static int sasl_interact(LDAP *ld, unsigned flags, void *defaults, void *in) > return LDAP_SUCCESS; > } > >-#define _UNIVENTION_LDAP_SECRET_LEN_MAX 27 >+#define _UNIVENTION_LDAP_SECRET_LEN_MAX 256 > int univention_ldap_set_admin_connection( univention_ldap_parameters_t *lp ) > { > FILE *secret; >diff --git a/doc/manual/computers-de.xml b/doc/manual/computers-de.xml >index 7884829988..7ee4c622b4 100644 >--- a/doc/manual/computers-de.xml >+++ b/doc/manual/computers-de.xml >@@ -26,7 +26,7 @@ > <para> > Das Passwort für das Rechnerkonto wird beim Domänenbeitritt automatisch erzeugt und in der > Datei <filename>/etc/machine.secret</filename> gespeichert. Das Passwort umfasst in der >- Grundeinstellung 20 Zeichen (konfigurierbar über die &ucsUCRV; <envar>machine/password/length</envar>). >+ Grundeinstellung 32 Zeichen (konfigurierbar über die &ucsUCRV; <envar>machine/password/length</envar>). > Das Passwort wird in festen Intervallen automatisch > neu generiert (in der Grundeinstellung 21 Tage, konfigurierbar über die > &ucsUCRV; <envar>server/password/interval</envar>). Die Passwortrotation kann über die >diff --git a/doc/manual/computers-en.xml b/doc/manual/computers-en.xml >index cef03685a6..3ef9b11bdf 100644 >--- a/doc/manual/computers-en.xml >+++ b/doc/manual/computers-en.xml >@@ -27,7 +27,7 @@ > <para> > The password for the computer account is generated automatically during the domain join and > saved in the <filename>/etc/machine.secret</filename> file. By default the >- password consists of 20 characters (can be configured via the &ucsUCRV; >+ password consists of 32 characters (can be configured via the &ucsUCRV; > <envar>machine/password/length</envar>). The password is regenerated > automatically at fixed intervals (default setting: 21 days; can be configured using the > &ucsUCRV; <envar>server/password/interval</envar>). Password rotation can also be disabled 
>diff --git a/management/univention-appcenter/scripts/joinscripthelper.sh b/management/univention-appcenter/scripts/joinscripthelper.sh >index ef31887cfd..c5804d42c2 100644 >--- a/management/univention-appcenter/scripts/joinscripthelper.sh >+++ b/management/univention-appcenter/scripts/joinscripthelper.sh >@@ -40,8 +40,9 @@ CONTAINER=$(ucr get "$ucr_container_key") > joinscript_add_simple_app_system_user () { > local password > local pwdfile >+ eval "$(ucr shell machine/password/length)" > >- password="$(makepasswd)" >+ password="$(makepasswd --chars=${machine_password_length:-32})" > pwdfile="/etc/$APP.secret" > joinscript_run_in_container touch "$pwdfile" > joinscript_run_in_container chmod 600 "$pwdfile" >diff --git a/management/univention-self-service/35univention-self-service-passwordreset-umc.inst b/management/univention-self-service/35univention-self-service-passwordreset-umc.inst >index 44fe14c0d3..0b66bcba8b 100755 >--- a/management/univention-self-service/35univention-self-service-passwordreset-umc.inst >+++ b/management/univention-self-service/35univention-self-service-passwordreset-umc.inst >@@ -60,7 +60,7 @@ if [ "$server_role" = "domaincontroller_master" -o "$server_role" = "domaincontr > DB_SECRET_FILE="/etc/self-service-db.secret" > if [ ! -f $DB_SECRET_FILE ]; then > echo "Generating new DB password..." >- selfservice_pwd="$(makepasswd --chars 20)" >+ selfservice_pwd="$(makepasswd --chars=${machine_password_length:-32})" > touch "$DB_SECRET_FILE" > chown root:root "$DB_SECRET_FILE" > chmod 600 "$DB_SECRET_FILE" >diff --git a/saml/univention-saml/91univention-saml.inst b/saml/univention-saml/91univention-saml.inst >index c7fe12a332..acf90d87cc 100755 >--- a/saml/univention-saml/91univention-saml.inst >+++ b/saml/univention-saml/91univention-saml.inst 
>@@ -134,7 +134,7 @@ if [ "$server_role" = "domaincontroller_master" ]; then > # Only set password if sys-idp-user does not exist > username=$(ucs_getAttrOfDN uid uid=sys-idp-user,cn=users,"$ldap_base" "$@" 2>/dev/null) > if [ ! "$username" = "sys-idp-user" ]; then >- PASSWORD=$(makepasswd --chars=20) >+ PASSWORD=$(makepasswd --chars=${machine_password_length:-32}) > touch "$SECRETFILE" > chown root:"DC Backup Hosts" "$SECRETFILE" > chmod 640 "$SECRETFILE" >diff --git a/services/univention-mariadb/debian/univention-mariadb.postinst b/services/univention-mariadb/debian/univention-mariadb.postinst >index e888e640cd..fb7f38bed1 100644 >--- a/services/univention-mariadb/debian/univention-mariadb.postinst >+++ b/services/univention-mariadb/debian/univention-mariadb.postinst >@@ -39,10 +39,11 @@ test_mysql_access() { > > create_mysql_secret_if_not_exists () { > if [ ! -e /etc/mysql.secret ]; then >+ eval "$(ucr shell machine/password/length 2>/dev/null || /bin/true)" > touch /etc/mysql.secret > chmod 600 /etc/mysql.secret > chown root /etc/mysql.secret >- makepasswd --nocrypt --chars=20 >> /etc/mysql.secret >+ makepasswd --nocrypt --chars=${machine_password_length:-32} >> /etc/mysql.secret > fi > } >
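Review bot: The machine/password/length descriptions in univention-base-files.univention-config-registry-variables (both Description[de] and Description[en]) still state no supported range, while the C files in this patch define a maximum of 256. Document the upper bound next to the new default of 32, since Type=int alone accepts any integer.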
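Review bot: In createMachinePassword() in base/univention-lib/python/misc.py, length is passed from ucr.get() straight into the pwgen argument list without checking that it is a positive integer or that it stays within the 256 limit defined in the C files. Convert it with int(), reject or clamp out-of-range values, and apply the same check to create_machine_password in base.sh.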
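Review bot: In base/univention-licence/lib/license_ldap.c, raising _UNIVENTION_LDAP_MACHINE_SECRET_LEN_MAX from 60 to 256 moves the limit, but the hunk does not show whether the read in univention_ldap_set_machine_connection() is bounded by it. Please confirm that the code reading the secret limits the read to the buffer size and returns an error for a longer file, and add a comment on the define saying what it bounds.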
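Review bot: base/univention-policy/lib/ldap.c now defines _UNIVENTION_LDAP_SECRET_LEN_MAX 256 while license_ldap.c separately defines _UNIVENTION_LDAP_MACHINE_SECRET_LEN_MAX 256; the old values had already drifted apart (27 versus 60). A single constant in a shared header would keep the two readers from diverging again.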
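Review bot: In joinscript_add_simple_app_system_user in joinscripthelper.sh, the added eval "$(ucr shell machine/password/length)" sets machine_password_length without declaring it local, although password and pwdfile are declared local two lines earlier, so the variable leaks into every script that sources this helper. Add local machine_password_length and quote the expansion: --chars="${machine_password_length:-32}".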
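Review bot: In 35univention-self-service-passwordreset-umc.inst the new makepasswd line expands ${machine_password_length:-32}, but unlike the joinscripthelper.sh and univention-mariadb hunks this one adds no eval "$(ucr shell machine/password/length)". Unless the script already loads that variable outside the shown context, the configured value is silently ignored and 32 is always used. The expansion should also be quoted.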
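Review bot: In 91univention-saml.inst the sys-idp-user PASSWORD length now follows machine/password/length, yet the variable's description in this patch still covers only the computer account password in /etc/machine.secret. Either extend the description to name the service secrets that now depend on it or introduce a dedicated variable, and check that machine_password_length is actually loaded in this script, since the hunk adds no ucr shell call.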
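Review bot: In create_mysql_secret_if_not_exists in univention-mariadb.postinst, /etc/mysql.secret is created by touch before makepasswd --nocrypt --chars=${machine_password_length:-32} runs, and the function is guarded by [ ! -e /etc/mysql.secret ]. Now that the length comes from configuration, a value makepasswd rejects leaves an empty secret file that later runs will not regenerate. Generate the password into a variable first, verify it is non-empty, then write the file, and quote the expansion.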
Attachments on bug 52575: 10589 | 10905