OpenStack Compute (nova)

Merge lp:~justin-fathomdb/nova/bug732277 into lp:~hudson-openstack/nova/trunk

  1. bug732277
  2. Merge into trunk
Proposed by justinsb
Status: Merged
Approved by: Devin Carlen
Approved revision: 805
Merged at revision: 810
Proposed branch: lp:~justin-fathomdb/nova/bug732277
Merge into: lp:~hudson-openstack/nova/trunk
Diff against target: 63 lines (+19/-11)
3 files modified
nova/console/manager.py (+1/-1)
nova/console/xvp.py (+0/-4)
nova/utils.py (+18/-6)
To merge this branch: bzr merge lp:~justin-fathomdb/nova/bug732277
Reviewer Review Type Date Requested Status
Devin Carlen (community) Approve
Soren Hansen (community) Approve
Review via email: mp+53366@code.launchpad.net

Description of the change

Don't generate insecure passwords where it's easy to use urandom instead

To post a comment you must log in.
Revision history for this message
Soren Hansen (soren) wrote :

I think we should allow lowercase letters as well. I'm pretty confident the increase in key space will make up for the slight bias caused by not having the size of the key space be a power of two.

review: Needs Fixing
Revision history for this message
Soren Hansen (soren) wrote :

If you want to avoid the bias, you could randomise chrs (random.shuffle or something should be fine). Alternatively, replace the whole thing with random.SystemRandom.sample?

Revision history for this message
justinsb (justin-fathomdb) wrote :

Using random.SystemRandom - thanks for the suggestion. Avoids the whole need to get clever with the number of characters.

Symbol set not defaults to uppers and lowers with digits, with 0,O and I,l,1 removed. Can be specified via an optional parameter...

Revision history for this message
Soren Hansen (soren) wrote :

Looks good.

review: Approve
Revision history for this message
Devin Carlen (devcamcar) wrote :

lgtm

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'nova/console/manager.py'
2--- nova/console/manager.py 2011-02-21 07:16:10 +0000
3+++ nova/console/manager.py 2011-03-15 18:26:31 +0000
4@@ -69,7 +69,7 @@
5 except exception.NotFound:
6 logging.debug(_("Adding console"))
7 if not password:
8- password = self.driver.generate_password()
9+ password = utils.generate_password(8)
10 if not port:
11 port = self.driver.get_port(context)
12 console_data = {'instance_name': name,
13
14=== modified file 'nova/console/xvp.py'
15--- nova/console/xvp.py 2011-03-09 20:33:20 +0000
16+++ nova/console/xvp.py 2011-03-15 18:26:31 +0000
17@@ -91,10 +91,6 @@
18 """Trim password to length, and encode"""
19 return self._xvp_encrypt(password)
20
21- def generate_password(self, length=8):
22- """Returns random console password"""
23- return os.urandom(length * 2).encode('base64')[:length]
24-
25 def _rebuild_xvp_conf(self, context):
26 logging.debug(_("Rebuilding xvp conf"))
27 pools = [pool for pool in
28
29=== modified file 'nova/utils.py'
30--- nova/utils.py 2011-03-14 17:59:41 +0000
31+++ nova/utils.py 2011-03-15 18:26:31 +0000
32@@ -262,13 +262,25 @@
33 return ':'.join(map(lambda x: "%02x" % x, mac))
34
35
36-def generate_password(length=20):
37- """Generate a random sequence of letters and digits
38- to be used as a password. Note that this is not intended
39- to represent the ultimate in security.
40+# Default symbols to use for passwords. Avoids visually confusing characters.
41+# ~6 bits per symbol
42+DEFAULT_PASSWORD_SYMBOLS = ("23456789" # Removed: 0,1
43+ "ABCDEFGHJKLMNPQRSTUVWXYZ" # Removed: I, O
44+ "abcdefghijkmnopqrstuvwxyz") # Removed: l
45+
46+
47+# ~5 bits per symbol
48+EASIER_PASSWORD_SYMBOLS = ("23456789" # Removed: 0, 1
49+ "ABCDEFGHJKLMNPQRSTUVWXYZ") # Removed: I, O
50+
51+
52+def generate_password(length=20, symbols=DEFAULT_PASSWORD_SYMBOLS):
53+ """Generate a random password from the supplied symbols.
54+
55+ Believed to be reasonably secure (with a reasonable password length!)
56 """
57- chrs = string.letters + string.digits
58- return "".join([random.choice(chrs) for i in xrange(length)])
59+ r = random.SystemRandom()
60+ return "".join([r.choice(symbols) for _i in xrange(length)])
61
62
63 def last_octet(address):