diff --git a/base/univention-base-files/debian/univention-base-files.univention-config-registry-variables b/base/univention-base-files/debian/univention-base-files.univention-config-registry-variables
index 49a20a6f7e..06ea646963 100644
--- a/base/univention-base-files/debian/univention-base-files.univention-config-registry-variables
+++ b/base/univention-base-files/debian/univention-base-files.univention-config-registry-variables
@@ -1178,8 +1178,8 @@ Type=str
 Categories=service-base
 [machine/password/length]
-Description[de]=Das Passwort des Rechnerkontos wird in der Regel automatisch erstellt und rotiert. Es wird in der Datei /etc/machine.secret gespeichert. Diese Variable konfiguriert die Länge des generierten Passworts. Ist die Variable nicht gesetzt, ist das Passwort 20 Zeichen lang.
-Description[en]=The password for the computer account is usually automatically created and rotated. It is stored in the file /etc/machine.secret. This variable configures the length of the generated password. If the variable is unset, the password consists of 20 characters.
+Description[de]=Das Passwort des Rechnerkontos wird in der Regel automatisch erstellt und rotiert. Es wird in der Datei /etc/machine.secret gespeichert. Diese Variable konfiguriert die Länge des generierten Passworts. Ist die Variable nicht gesetzt, ist das Passwort 32 Zeichen lang.
+Description[en]=The password for the computer account is usually automatically created and rotated. It is stored in the file /etc/machine.secret. This variable configures the length of the generated password. If the variable is unset, the password consists of 32 characters.
 Type=int
 Categories=service-base
diff --git a/base/univention-lib/python/misc.py b/base/univention-lib/python/misc.py
index 585ed5007a..7bb532035c 100644
--- a/base/univention-lib/python/misc.py
+++ b/base/univention-lib/python/misc.py
@@ -48,7 +48,7 @@ def createMachinePassword():
 """
 ucr = ConfigRegistry()
 ucr.load()
- length = ucr.get('machine/password/length', '20')
+ length = ucr.get('machine/password/length', '32')
 compl = ucr.get('machine/password/complexity', 'scn')
 p = subprocess.Popen(["pwgen", "-1", "-" + compl, length], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
 (stdout, stderr) = p.communicate()
diff --git a/base/univention-lib/shell/base.sh b/base/univention-lib/shell/base.sh
index 52806fd7cc..644950d6de 100644
--- a/base/univention-lib/shell/base.sh
+++ b/base/univention-lib/shell/base.sh
@@ -145,7 +145,7 @@ create_machine_password () {
 local length compl
 length="$(/usr/sbin/univention-config-registry get machine/password/length)"
 compl="$(/usr/sbin/univention-config-registry get machine/password/complexity)"
- pwgen -1 -"${compl:-scn}" "${length:-20}" | tr -d '\n'
+ pwgen -1 -"${compl:-scn}" "${length:-32}" | tr -d '\n'
 }
 #
diff --git a/base/univention-licence/lib/license_ldap.c b/base/univention-licence/lib/license_ldap.c
index 0de0ba2431..ed33c52ccd 100644
--- a/base/univention-licence/lib/license_ldap.c
+++ b/base/univention-licence/lib/license_ldap.c
@@ -8,7 +8,7 @@ static univention_ldap_parameters_t *lp = NULL;
-#define _UNIVENTION_LDAP_MACHINE_SECRET_LEN_MAX 60
+#define _UNIVENTION_LDAP_MACHINE_SECRET_LEN_MAX 256
 int univention_ldap_set_machine_connection(univention_ldap_parameters_t *lp) {
 FILE *secret;
 size_t len;
diff --git a/base/univention-policy/lib/ldap.c b/base/univention-policy/lib/ldap.c
index 6d85cce72b..84f586faa7 100644
--- a/base/univention-policy/lib/ldap.c
+++ b/base/univention-policy/lib/ldap.c
@@ -107,7 +107,7 @@ static int sasl_interact(LDAP *ld, unsigned flags, void *defaults, void *in)
 return LDAP_SUCCESS;
 }
-#define _UNIVENTION_LDAP_SECRET_LEN_MAX 27
+#define _UNIVENTION_LDAP_SECRET_LEN_MAX 256
 int univention_ldap_set_admin_connection( univention_ldap_parameters_t *lp ) {
 FILE *secret;
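Review bot: The UCR value is passed to pwgen as a positional argument without any check that it is a positive integer; a non-numeric or negative `machine/password/length` reaches the `Popen` call unchanged (a leading `-` would presumably be read by pwgen as an option), and the part of `createMachinePassword` that inspects stdout/stderr lies outside the hunk. Normalising once keeps the contract local: `try: length = str(int(ucr.get('machine/password/length', '32')))` / `except ValueError: length = '32'`. The literal default `'32'` is now also copied into base.sh and several join scripts in this commit, so it would be worth recording it once (e.g. a module constant with a comment naming the UCR key) so the copies cannot drift apart again.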
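Review bot: `${length:-32}` only covers an empty `ucr get` result; any non-numeric value is forwarded to pwgen unchanged, and because the pipeline `pwgen ... | tr -d '\n'` reports the exit status of `tr`, a pwgen failure makes `create_machine_password` print an empty string with status 0, so a caller may store an empty machine secret. A guard before the call, `case "$length" in ''|*[!0-9]*) length=32 ;; esac`, plus a non-empty check on the output (or `set -o pipefail` where the shell supports it) would close both gaps. A one-line comment above the function saying that the default mirrors the `machine/password/length` registration would help the next reader keep the two in step.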
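Review bot: Raising `_UNIVENTION_LDAP_MACHINE_SECRET_LEN_MAX` to 256 keeps a fixed cap on a value that `machine/password/length` can set to anything, and the code in `univention_ldap_set_machine_connection` that reads /etc/machine.secret into a buffer of this size is outside the hunk, so whether an over-long secret is rejected, truncated, or overflows cannot be judged here; the reading path should refuse a file that does not fit (including its trailing newline and the NUL) rather than use a truncated secret, and the macro deserves a comment to that effect, e.g. `/* upper bound on a stored secret incl. newline and NUL; readers must reject longer files */`. The same change to `_UNIVENTION_LDAP_SECRET_LEN_MAX` in base/univention-policy/lib/ldap.c has the same shape, and two independent copies of the limit in two libraries will drift again as 60 and 27 just did; one shared header would keep them together. Both names also start with an underscore followed by an uppercase letter, which C reserves for the implementation, so dropping the leading underscore while the lines are being touched is cheap.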
diff --git a/doc/manual/computers-de.xml b/doc/manual/computers-de.xml
index 7884829988..7ee4c622b4 100644
--- a/doc/manual/computers-de.xml
+++ b/doc/manual/computers-de.xml
@@ -26,7 +26,7 @@ Das Passwort für das Rechnerkonto wird beim Domänenbeitritt automatisch erzeugt und in der Datei /etc/machine.secret gespeichert. Das Passwort umfasst in der
- Grundeinstellung 20 Zeichen (konfigurierbar über die &ucsUCRV; machine/password/length).
+ Grundeinstellung 32 Zeichen (konfigurierbar über die &ucsUCRV; machine/password/length).
 Das Passwort wird in festen Intervallen automatisch neu generiert (in der Grundeinstellung 21 Tage, konfigurierbar über die &ucsUCRV; server/password/interval). Die Passwortrotation kann über die
diff --git a/doc/manual/computers-en.xml b/doc/manual/computers-en.xml
index cef03685a6..3ef9b11bdf 100644
--- a/doc/manual/computers-en.xml
+++ b/doc/manual/computers-en.xml
@@ -27,7 +27,7 @@ The password for the computer account is generated automatically during the domain join and saved in the /etc/machine.secret file. By default the
- password consists of 20 characters (can be configured via the &ucsUCRV;
+ password consists of 32 characters (can be configured via the &ucsUCRV;
 machine/password/length). The password is regenerated automatically at fixed intervals (default setting: 21 days; can be configured using the &ucsUCRV; server/password/interval). Password rotation can also be disabled
diff --git a/management/univention-appcenter/scripts/joinscripthelper.sh b/management/univention-appcenter/scripts/joinscripthelper.sh
index ef31887cfd..c5804d42c2 100644
--- a/management/univention-appcenter/scripts/joinscripthelper.sh
+++ b/management/univention-appcenter/scripts/joinscripthelper.sh
@@ -40,8 +40,9 @@ CONTAINER=$(ucr get "$ucr_container_key")
 joinscript_add_simple_app_system_user () {
 local password
 local pwdfile
+ eval "$(ucr shell machine/password/length)"
- password="$(makepasswd)"
+ password="$(makepasswd --chars=${machine_password_length:-32})"
 pwdfile="/etc/$APP.secret"
 joinscript_run_in_container touch "$pwdfile"
 joinscript_run_in_container chmod 600 "$pwdfile"
diff --git a/management/univention-self-service/35univention-self-service-passwordreset-umc.inst b/management/univention-self-service/35univention-self-service-passwordreset-umc.inst
index 44fe14c0d3..0b66bcba8b 100755
--- a/management/univention-self-service/35univention-self-service-passwordreset-umc.inst
+++ b/management/univention-self-service/35univention-self-service-passwordreset-umc.inst
@@ -60,7 +60,7 @@ if [ "$server_role" = "domaincontroller_master" -o "$server_role" = "domaincontr
 DB_SECRET_FILE="/etc/self-service-db.secret"
 if [ ! -f $DB_SECRET_FILE ]; then
 echo "Generating new DB password..."
- selfservice_pwd="$(makepasswd --chars 20)"
+ selfservice_pwd="$(makepasswd --chars=${machine_password_length:-32})"
 touch "$DB_SECRET_FILE"
 chown root:root "$DB_SECRET_FILE"
 chmod 600 "$DB_SECRET_FILE"
diff --git a/saml/univention-saml/91univention-saml.inst b/saml/univention-saml/91univention-saml.inst
index c7fe12a332..acf90d87cc 100755
--- a/saml/univention-saml/91univention-saml.inst
+++ b/saml/univention-saml/91univention-saml.inst
@@ -134,7 +134,7 @@ if [ "$server_role" = "domaincontroller_master" ]; then
 # Only set password if sys-idp-user does not exist
 username=$(ucs_getAttrOfDN uid uid=sys-idp-user,cn=users,"$ldap_base" "$@" 2>/dev/null)
 if [ ! "$username" = "sys-idp-user" ]; then
- PASSWORD=$(makepasswd --chars=20)
+ PASSWORD=$(makepasswd --chars=${machine_password_length:-32})
 touch "$SECRETFILE"
 chown root:"DC Backup Hosts" "$SECRETFILE"
 chmod 640 "$SECRETFILE"
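Review bot: `${machine_password_length:-32}` is expanded unquoted inside the command substitution, so a value containing whitespace or glob characters is split into extra makepasswd arguments; write `password="$(makepasswd --chars="${machine_password_length:-32}")"`. The `eval "$(ucr shell machine/password/length)"` added two lines above carries no failure guard, unlike the same addition in univention-mariadb.postinst in this commit (`2>/dev/null || /bin/true`); the two should agree, and a non-numeric UCR value still reaches makepasswd unchecked in both places. The function body continues past the hunk, so whether an empty `$password` is caught before it is written to `$pwdfile` is not visible here.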
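Review bot: The new `${machine_password_length:-32}` relies on the variable being loaded, but unlike the joinscripthelper.sh and univention-mariadb.postinst hunks no `eval "$(ucr shell machine/password/length)"` is visible in this hunk; unless an earlier part of the join script (outside the hunk) loads it, the UCR setting is silently ignored and the DB password is always 32 characters. The `PASSWORD=$(makepasswd --chars=${machine_password_length:-32})` line in saml/univention-saml/91univention-saml.inst has the same gap. In both places the expansion should also be quoted, `--chars="${machine_password_length:-32}"`, and since these are service secrets rather than the machine account, a comment such as `# sized by machine/password/length so all locally generated secrets follow one policy` would explain the borrowed key.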
diff --git a/services/univention-mariadb/debian/univention-mariadb.postinst b/services/univention-mariadb/debian/univention-mariadb.postinst
index e888e640cd..fb7f38bed1 100644
--- a/services/univention-mariadb/debian/univention-mariadb.postinst
+++ b/services/univention-mariadb/debian/univention-mariadb.postinst
@@ -39,10 +39,11 @@ test_mysql_access() {
 create_mysql_secret_if_not_exists () {
 if [ ! -e /etc/mysql.secret ]; then
+ eval "$(ucr shell machine/password/length 2>/dev/null || /bin/true)"
 touch /etc/mysql.secret
 chmod 600 /etc/mysql.secret
 chown root /etc/mysql.secret
- makepasswd --nocrypt --chars=20 >> /etc/mysql.secret
+ makepasswd --nocrypt --chars=${machine_password_length:-32} >> /etc/mysql.secret
 fi
 }
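Review bot: If `makepasswd` fails or prints nothing, /etc/mysql.secret has already been created by `touch`, so an empty secret file is left behind and the `! -e` guard at the top of `create_mysql_secret_if_not_exists` prevents it from ever being regenerated; generating into a variable first and writing the file only when the value is non-empty avoids that, and the unquoted `${machine_password_length:-32}` should be quoted as in the joinscripthelper.sh hunk. The `|| /bin/true` on the eval line deliberately tolerates a failing `ucr`, which is reasonable here, but a short comment stating that the 32-character default then applies would help the next reader. The rewritten body below keeps the file mode set before any content is written.
```shell
create_mysql_secret_if_not_exists () {
	if [ ! -e /etc/mysql.secret ]; then
		# tolerate a missing/failing ucr: the default length below applies
		eval "$(ucr shell machine/password/length 2>/dev/null || /bin/true)"
		password="$(makepasswd --nocrypt --chars="${machine_password_length:-32}")"
		[ -n "$password" ] || return 1
		touch /etc/mysql.secret
		chmod 600 /etc/mysql.secret
		chown root /etc/mysql.secret
		printf '%s\n' "$password" >> /etc/mysql.secret
	fi
}
```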