Univention Bugzilla – Bug 31281
machine secret hard-coded to 8 characters (or less)
Last modified: 2021-01-13 08:07:02 CET
management/univention-ldap/10univention-ldap-server.inst:95: computerPassword=$(makepasswd --chars 8)
management/univention-join/univention-server-join:336: computerPassword="$(makepasswd --chars=8)"
base/univention-system-setup/usr/lib/univention-system-setup/scripts/setup-join.sh:122: echo -n "$(makepasswd)" > /etc/ldap.secret
base/univention-system-setup/usr/lib/univention-system-setup/scripts/setup-join.sh:123: echo -n "$(makepasswd)" > /etc/ldap-backup.secret
base/univention-server/server_password_change:84: new_password=$(makepasswd --chars 8)
base/univention-server/debian/univention-server-master.preinst:55: echo -n "$(makepasswd)" > /etc/ldap.secret
base/univention-server/debian/univention-server-master.preinst:61: echo -n "$(makepasswd)" > /etc/ldap-backup.secret

Should probably be configurable through a UCR variable. Would probably help to unify the password generation instead of spreading the procedure over multiple packages and doing it slightly differently in each.
Part of Bug #31648
Complexity requirements should be configurable as well, see e.g. Bug 31649.
univention-lib:
  added function create_machine_password and dependency on pwgen
  added py function univention.lib.createMachinePassword()
univention-base-files: added ucr description for machine/password/complexity and machine/password/length
univention-ssl: added dependency on shell-univention-lib (>= 3.0.1-1) and replaced makepasswd
univention-server: added dependency on shell-univention-lib (>= 3.0.1-1, master, backup, slave, member) and replaced makepasswd
univention-system-setup: added dependency on shell-univention-lib (>= 3.0.1-1) and replaced makepasswd
univention-mail-cyrus: added dependency on shell-univention-lib (>= 3.0.1-1) and replaced makepasswd
univention-horde4: added dependency on shell-univention-lib (>= 3.0.1-1) and replaced makepasswd
univention-ldap: added dependency on shell-univention-lib (>= 3.0.1-1) and replaced makepasswd
univention-join: added dependency on shell-univention-lib (>= 3.0.1-1) and replaced makepasswd
univention-pkgdb: added dependency on shell-univention-lib (>= 3.0.1-1) and replaced makepasswd
univention-samba4: added dependency on shell-univention-lib (>= 3.0.1-1) and replaced makepasswd
univention-squid-kerberos: added dependency on shell-univention-lib (>= 3.0.1-1) and replaced makepasswd
univention-printquota: added dependency on shell-univention-lib (>= 3.0.1-1) and replaced makepasswd
univention-s4-connector: added dependency on python-univention-lib (>= 3.0.1-2) and replaced makepasswd

QA: check the modified packages and look for any other usage of makepasswd
Maybe we could also use --symbols (-y) for pwgen if machine/password/complexity is enabled (hopefully all shell scripts are fit for this...).
1. cite `man pwgen`: "The pwgen program generates passwords which are designed to be *easily memorized by humans*."
   but /etc/machine.secrets is not supposed to be entered by humans ever. So this reduces the strength of the password, which needs to be compensated for by increasing the password length.
2. »echo "$(pwgen ...)"« can be simplified to just »pwgen ...«; no »echo "$(...)"« needed!
   The output is also visible in the process list; see Bug #20610, Bug #20611.
From a UCS 3.2 test instance:

__MSG__:Configure 98univention-samba4-dns
__STEP__:39
Configure /usr/lib/univention-install/98univention-samba4-dns.inst
Waiting for RID Pool replication: done.
/usr/share/univention-samba4/scripts/create_spn_account.sh: line 107: create_machine_password: command not found
/usr/lib/python2.6/getpass.py:83: GetPassWarning: Can not control echo on the terminal.
  passwd = fallback_getpass(prompt, stream)
Warning: Password input may be echoed.
New Password: ERROR(<type 'exceptions.EOFError'>): uncaught exception -
  File "/usr/lib/python2.6/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.6/dist-packages/samba/netcmd/user.py", line 131, in run
    password = getpass("New Password: ")
  File "/usr/lib/python2.6/getpass.py", line 83, in unix_getpass
    passwd = fallback_getpass(prompt, stream)
  File "/usr/lib/python2.6/getpass.py", line 118, in fallback_getpass
    return _raw_input(prompt, stream)
  File "/usr/lib/python2.6/getpass.py", line 135, in _raw_input
    raise EOFError
The requirements imposed by Microsoft/Samba password complexity checks must be met, see the function check_password_quality in http://gitweb.samba.org/samba.git/?p=samba.git;a=blob;f=lib/util/genrand.c;h=3dfaf089d16c4afdf25ead27391ce3835ba4b082;hb=HEAD#l300
(In reply to Philipp Hahn from comment #5)
> 1. cite `man pwgen`: The pwgen program generates passwords which are
> designed to be *easily memorized by humans*.
> but /etc/machine.secrets is not supposed to be entered by humans ever. So
> this reduces the strength of the password, which needs to be compensated by
> increasing the password length.

we use the pwgen option "-s" as default -> man pwgen
   -s, --secure
       Generate completely random, hard-to-memorize passwords. These should only be used for machine passwords, ...

> 2. »echo "$(pwgen ...)"« can be simplified to just »pwgen ...«; no »echo
> "$(...)"« needed!
> The output is also visible in the process list; see Bug #20610, Bug #20611.

OK

(In reply to Arvid Requate from comment #7)
> The requirements imposed by Microsoft/Samba password complexity checks must
> be met, see the function check_password_quality in
>
> http://gitweb.samba.org/samba.git/?p=samba.git;a=blob;f=lib/util/genrand.c;
> h=3dfaf089d16c4afdf25ead27391ce3835ba4b082;hb=HEAD#l300

I think we have
* Uppercase characters of European languages
* Lowercase characters of European languages
* Base 10 digits
that should be enough. The "y" option could lead to passwords with backticks and this would break at least univention-pkgdb.
When upgrading from 3.1-1 to 3.2-0 I get a lot of

Traceback (most recent call last):
  File "", line 8, in
  File "/usr/lib/pymodules/python2.6/univention/lib/__init__.py", line 38, in
    from univention.lib.misc import *
ImportError: No module named misc

Server seems to be working, though.
(In reply to Dirk Wiesenthal from comment #9)
> When upgrading from 3.1-1 to 3.2-0 I get a lot of
>
> Traceback (most recent call last):
>   File "", line 8, in
>   File "/usr/lib/pymodules/python2.6/univention/lib/__init__.py", line 38, in
>     from univention.lib.misc import *
> ImportError: No module named misc
>
> Server seems to be working, though.

→ Reopen.
*** Bug 32058 has been marked as a duplicate of this bug. ***
(In reply to Stefan Gohmann from comment #11) > *** Bug 32058 has been marked as a duplicate of this bug. *** See that bug for the right fix.
Wait until Felix is back.
management/univention-join/univention-server-join:33
 . /usr/share/univention-lib/all.sh
base/univention-lib/shell/all.sh:4
 . /usr/share/univention-lib/umc.sh
base/univention-lib/shell/umc.sh:35
 eval "$(ucr shell ldap/base)"

Since univention-server-join is called by the user "Administrator", which does not have "/usr/sbin/" in her "$PATH", joining a system during a PXE installation (Bug #32228) prints the following message because "ucr" is not found:

* Join failed!
* Message: /usr/share/univention-lib/umc.sh: line 35: ucr: command not found
(In reply to Dirk Wiesenthal from comment #9)
> When upgrading from 3.1-1 to 3.2-0 I get a lot of
>
> Traceback (most recent call last):
>   File "", line 8, in
>   File "/usr/lib/pymodules/python2.6/univention/lib/__init__.py", line 38, in
>     from univention.lib.misc import *
> ImportError: No module named misc
>
> Server seems to be working, though.

ucs-3.2/ucs-3.2-0/base/univention-lib:
try/except ImportError for univention.lib.misc in __init__.py (Bug #31281)

(In reply to Philipp Hahn from comment #14)
> management/univention-join/univention-server-join:33
>  . /usr/share/univention-lib/all.sh
> base/univention-lib/shell/all.sh:4
>  . /usr/share/univention-lib/umc.sh
> base/univention-lib/shell/umc.sh:35
>  eval "$(ucr shell ldap/base)"
>
> Since univention-server-join is called by the user "Administrator", which
> does not have "/usr/sbin/" in her "$PATH", joining a system during a PXE
> installation (Bug #32228) prints the following message because "ucr" is not
> found:
>
> * Join failed!
> * Message: /usr/share/univention-lib/umc.sh: line 35: ucr: command not found

ucs-3.2/ucs-3.2-0/management/univention-join:
PATH was already set to "/sbin:/usr/sbin:..." in univention-server-join, but only after the shell imports; fixed that.

+export PATH="$PATH:/sbin:/usr/sbin:/bin:/usr/bin"
+
 . /usr/share/univention-lib/all.sh
-export PATH="$PATH:/sbin:/usr/sbin:/bin:/usr/bin"
-
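Review bot: moving the export above the `. /usr/share/univention-lib/all.sh` line fixes the "ucr: command not found" from umc.sh line 35, but the line still appends the system directories (`export PATH="$PATH:/sbin:/usr/sbin:/bin:/usr/bin"`), so any directory already in the calling user's PATH is searched before /usr/sbin. For a script that runs as "Administrator" and generates the machine secret, a `ucr` found earlier in that user's PATH would still be the one `eval`ed; consider prepending the system directories (`PATH="/sbin:/usr/sbin:/bin:/usr/bin:$PATH"`) or setting PATH to a fixed value before the first source.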
OK: r41267,41269-41271,41277-41279,41281,41286,41303,41397,41398,43933
OK: ChangeLog r41292,43936
OK: shell: create_machine_password()
FAIL: Python createMachinePassword
 missing dependency on pwgen
 Package: shell-univention-lib
 Depends: python-univention-config-registry (>= 8.0.2-1), python-univention-lib (>= 3.0.12-4), pwgen
 Package: python-univention-lib
 Depends: python (<< 2.7), python (>= 2.6), python-support (>= 0.90.0), python2.6
OK: univention-ldap
OK: univention-join
OK: univention-system-setup
OK: univention-server
OK: univention-ssl
OK: univention-base-files.univention-config-registry-variables
OK: univention-mail-cyrus
OK: univention-pkgdb
OK: univention-printquota
OK: univention-s4-connector
OK: univention-samba4
OK: univention-squid-kerberos
OK: git grep makepasswd
FAIL: comment 5
 There are several locations where "echo -n $(...)" is still used, since $(pwgen) outputs a trailing new-line, which /etc/ldap.secret should not contain. Could perhaps be solved by changing create_machine_password to be something like this: "pwgen ... | tr -d '\n'"?
 base/univention-server/debian/univention-server-master.preinst:57
 base/univention-server/debian/univention-server-master.preinst:63
 base/univention-system-setup/usr/lib/univention-system-setup/scripts/setup-join.sh:123
 base/univention-system-setup/usr/lib/univention-system-setup/scripts/setup-join.sh:124
OK: comment 7
OK: comment 9
OK: comment 14
(In reply to Philipp Hahn from comment #16)
> FAIL: Python createMachinePassword
>  missing dependency on pwgen

added dependency on pwgen in python-univention-lib (Bug #31281)

> FAIL: comment 5
>  There are several locations where "echo -n $(...)" is still used, since
>  $(pwgen) outputs a trailing new-line, which /etc/ldap.secret should not
>  contain. Could perhaps be solved by changing create_machine_password to be
>  something like this: "pwgen ... | tr -d '\n'"?

added "pwgen ... | tr -d '\n'" in base.sh:create_machine_password
(In reply to Felix Botner from comment #17)
> (In reply to Philipp Hahn from comment #16)
>
> > FAIL: Python createMachinePassword
> >  missing dependency on pwgen
>
> added dependency on pwgen in python-univention-lib (Bug #31281)

OK: r44168
OK: dpkg -f python-univention-lib_3.0.13-2.171.201309180919_all.deb Depends

> > FAIL: comment 5
> added "pwgen ... | tr -d '\n'" in base.sh:create_machine_password

OK: r44170
OK: create_machine_password | xxd -g1
OK: 3.0.13-2.171.201309180919
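The procedure the thread converges on across comments 5, 7, 8, 16 and 17 (pwgen -s for a machine-only secret, length and complexity driven by configuration, Samba's complexity rule as the bar, and tr -d '\n' so the secret can be redirected straight into /etc/*.secret without an echo -n wrapper), as an added bash example. This is not UCS code and not the create_machine_password shipped in shell-univention-lib. Assumptions: the MACHINE_PASSWORD_LENGTH and MACHINE_PASSWORD_COMPLEXITY variables stand in for the UCR variables machine/password/length and machine/password/complexity (in UCS they would come from `ucr get`); the /dev/urandom fallback for hosts without pwgen is mine; and the complexity rule is my reading of the linked check_password_quality (three of the four ASCII classes, or a majority of non-ASCII bytes).

```bash
#!/bin/bash
# Added example, not UCS code. Shows a create_machine_password() in the shape the
# fix in Bug 31281 describes, plus the checks QA applied to it.
set -u
export LC_ALL=C   # ${#var}, tr and case patterns operate on bytes

# Assumption: stand-ins for the UCR variables machine/password/length and
# machine/password/complexity.
: "${MACHINE_PASSWORD_LENGTH:=20}"
: "${MACHINE_PASSWORD_COMPLEXITY:=true}"

# Samba's check_password_quality (lib/util/genrand.c), as I read it: count which
# of the ASCII classes digit / upper / lower / other are present; pass with at
# least three, or if more than half of the bytes are non-ASCII. Exit status 0
# means "passes", so the function can be used directly in `if`.
password_meets_samba_complexity () {
    local pw="$1" classes=0 ascii high
    ascii=$(printf '%s' "$pw" | tr -d '\200-\377')
    high=$(( ${#pw} - ${#ascii} ))
    [ -n "$(printf '%s' "$ascii" | tr -dc '0-9')" ]      && classes=$((classes + 1))
    [ -n "$(printf '%s' "$ascii" | tr -dc 'A-Z')" ]      && classes=$((classes + 1))
    [ -n "$(printf '%s' "$ascii" | tr -dc 'a-z')" ]      && classes=$((classes + 1))
    [ -n "$(printf '%s' "$ascii" | tr -d 'A-Za-z0-9')" ] && classes=$((classes + 1))
    [ "$classes" -ge 3 ] || [ "$high" -gt $(( ${#pw} / 2 )) ]
}

# pwgen -s yields fully random passwords meant for machines (the option comment 8
# settled on); pwgen's default -c/-n already require a capital and a digit. The
# trailing newline pwgen prints is removed with tr -d '\n', which is what lets the
# result be redirected into a secret file without `echo -n "$(...)"`. Regenerates
# until the Samba rule passes when complexity is enabled.
create_machine_password () {
    local len="$MACHINE_PASSWORD_LENGTH" pw attempt
    for attempt in 1 2 3 4 5 6 7 8 9 10; do
        if command -v pwgen >/dev/null 2>&1; then
            pw=$(pwgen -s "$len" 1 | tr -d '\n')
        else
            # Assumption (not UCS): same alphabet as pwgen -s, drawn from the kernel
            # CSPRNG; head -c emits exactly $len bytes and never a newline.
            pw=$(tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$len")
        fi
        if [ "$MACHINE_PASSWORD_COMPLEXITY" != "true" ] || password_meets_samba_complexity "$pw"; then
            printf '%s' "$pw"
            return 0
        fi
    done
    echo "create_machine_password: no acceptable password after $attempt attempts" >&2
    return 1
}

# Write the secret the way the join scripts do after the fix: redirection only,
# the secret never appears as a command argument, and a restrictive umask so the
# file is not world-readable even for an instant.
write_machine_secret () {
    local file="$1"
    ( umask 077 && create_machine_password > "$file" )
}

# The QA check from comment 18 (create_machine_password | xxd -g1) as a function:
# the file must hold exactly the configured length and must not end in 0x0a.
secret_file_is_clean () {
    local file="$1" size last
    size=$(wc -c < "$file")
    [ "$size" -eq "$MACHINE_PASSWORD_LENGTH" ] || return 1
    last=$(tail -c 1 "$file" | od -An -tx1 | tr -d ' \n')
    [ "$last" != "0a" ]
}
```

Run it with `source` and call `write_machine_secret /tmp/test.secret && secret_file_is_clean /tmp/test.secret`; the check fails on a file produced with plain `pwgen > file`, because that keeps the newline, and passes on the tr-stripped form. Adding `-y` to the pwgen call would need the "other" class to be allowed through the callers first, which is the backtick concern raised in comment 8.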
UCS 3.2 has been released: http://docs.univention.de/release-notes-3.2-en.html http://docs.univention.de/release-notes-3.2-de.html If this error occurs again, please use "Clone This Bug".