cloudstack-dev mailing list archives

From Nux! <...@li.nux.ro>
Subject Re: vm.password.length issue in 4.4.1-SNAPSHOT
Date Sat, 25 Oct 2014 10:07:32 GMT
Amogh,

I know. In reality it will be used by people until the end of time, you know how it is.
It's not costing us anything to default to better values rather than just wash our hands of
it.

My 2 pence

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

----- Original Message -----
> From: "Amogh Vasekar" <amogh.vasekar@citrix.com>
> To: dev@cloudstack.apache.org
> Cc: "laszlo hornyak" <laszlo.hornyak@gmail.com>
> Sent: Saturday, 25 October, 2014 01:41:47
> Subject: Re: vm.password.length issue in 4.4.1-SNAPSHOT

> Do note that the password generated here is considered temporary, as
> previously pointed out by Chiradeep in another thread.
> 
> Thanks
> Amogh
> 
> On 10/24/14 5:31 PM, "Nux!" <nux@li.nux.ro> wrote:
> 
>>Imho, considering the password is not very secure (it's missing symbols),
>>we should increase the length.
>>For my personal stuff I default to 15 chars.
>>
>>--
>>Sent from the Delta quadrant using Borg technology!
>>
>>Nux!
>>www.nux.ro
>>
>>----- Original Message -----
>>> From: "Amogh Vasekar" <amogh.vasekar@citrix.com>
>>> To: dev@cloudstack.apache.org
>>> Cc: "laszlo hornyak" <laszlo.hornyak@gmail.com>
>>> Sent: Saturday, 25 October, 2014 00:37:07
>>> Subject: Re: vm.password.length issue in 4.4.1-SNAPSHOT
>>
>>> Hi Laszlo,
>>> 
>>> Any comments on the below? I agree adding 3 characters is a bug and
>>> willing to fix it.
>>> 
>>> In addition, Ian, I believe we should set a minimum allowed value for the
>>> config value vm.password.length. Any objections to setting the minimum to
>>> 8, the previous default?
>>> 
>>> Thanks
>>> Amogh
>>> 
>>> On 10/13/14 5:34 PM, "Ian Duffy" <ian@ianduffy.ie> wrote:
>>> 
>>>>The only other usage of it is within
>>>>server/src/com/cloud/server/ConfigurationServerImpl.java
>>>>It's used for creating a Secondary storage vm copy password.
>>>>
>>>>I'm seeing absolutely no reason why we have 3 values going in no matter
>>>>what, I'm willing to say it's a bug. I'm curious as to why the tests are
>>>>written to deal with it though....
>>>>
>>>>On 14 October 2014 00:26, Nux! <nux@li.nux.ro> wrote:
>>>>
>>>>> Well, it's a bit messy, but still better than the old password length.
>>>>> Ideally this should get clarified/fixed, but for now I am happy with my
>>>>> long+3 password! :)
>>>>>
>>>>>
>>>>> Cheers,
>>>>> Lucian
>>>>>
>>>>> --
>>>>> Sent from the Delta quadrant using Borg technology!
>>>>>
>>>>> Nux!
>>>>> www.nux.ro
>>>>>
>>>>> ----- Original Message -----
>>>>> > From: "Ian Duffy" <ian@ianduffy.ie>
>>>>> > To: "CloudStack Dev" <dev@cloudstack.apache.org>
>>>>> > Cc: "laszlo hornyak" <laszlo.hornyak@gmail.com>
>>>>> > Sent: Monday, 13 October, 2014 19:54:53
>>>>> > Subject: Re: vm.password.length issue in 4.4.1-SNAPSHOT
>>>>>
>>>>> > Hey Nux,
>>>>> >
>>>>> > So I passed this work off to a util class that was already present in the
>>>>> > code base "PasswordGenerator"
>>>>> >
>>>>> >    @Override
>>>>> >    public String generateRandomPassword() {
>>>>> >        Integer passwordLength = Integer.parseInt(_configDao.getValue("vm.password.length"));
>>>>> >        return PasswordGenerator.generateRandomPassword(passwordLength);
>>>>> >    }
>>>>> >
>>>>> > Not a clue why but the generateRandomPassword method creates a random
>>>>> > 3-character string first then loops through to generate n random characters.
>>>>> >
>>>>> >    public static String generateRandomPassword(int num) {
>>>>> >        Random r = new SecureRandom();
>>>>> >        StringBuilder password = new StringBuilder();
>>>>> >
>>>>> >        // Generate random 3-character string with a lowercase character,
>>>>> >        // uppercase character, and a digit
>>>>> >        password.append(generateLowercaseChar(r)).append(generateUppercaseChar(r)).append(generateDigit(r));
>>>>> >
>>>>> >        // Generate a random n-character string with only lowercase
>>>>> >        // characters
>>>>> >        for (int i = 0; i < num; i++) {
>>>>> >            password.append(generateLowercaseChar(r));
>>>>> >        }
>>>>> >
>>>>> >        return password.toString();
>>>>> >    }
>>>>> >
>>>>> > The unit tests seem to accommodate for this as well:
>>>>> >
>>>>> >        // actual length is requested length + 3
>>>>> >        Assert.assertTrue(PasswordGenerator.generateRandomPassword(0).length() == 3);
>>>>> >        Assert.assertTrue(PasswordGenerator.generateRandomPassword(1).length() == 4);
>>>>> >
>>>>> > I'm guessing there's some reasoning for this.... CCing Laszlo who according
>>>>> > to git log did some work on this class.
>>>>> >
>>>>> > Thanks,
>>>>> >
>>>>> > Ian
>>>>> >
>>>>> > On 13 October 2014 19:39, Nux! <nux@li.nux.ro> wrote:
>>>>> >
>>>>> >> Hello,
>>>>> >>
>>>>> >> First of all "THANKS!" to whoever made this feature happen (Ian I guess).
>>>>> >> Now we can set more secure passwords generated for our instances.
>>>>> >>
>>>>> >> Second, the feature works, but with a small glitch, the number seems to be
>>>>> >> affected by some sort of offset. I.e. if I set the password to be 15 chars
>>>>> >> in length then the generated password will actually be 18 chars.
>>>>> >> In order to get a 15 chars long passwd I had to set vm.password.length to
>>>>> >> 12. Bug or feature? :)
>>>>> >>
>>>>> >>
>>>>> >> Lucian
>>>>> >>
>>>>> >> --
>>>>> >> Sent from the Delta quadrant using Borg technology!
>>>>> >>
>>>>> >> Nux!
>>>>> >> www.nux.ro
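
Added example, not part of the original thread and not CloudStack's code: a Java generator in which the mandatory lowercase, uppercase and digit characters count toward the requested length instead of being prepended to it. The class name, the clamp to a floor of 8 (the minimum proposed in the thread) and filling the remaining positions from all three character classes are assumptions of this example.

```java
import java.security.SecureRandom;

// Added illustration; not CloudStack's PasswordGenerator or its eventual fix.
public class ExactLengthPasswordDemo {
    // Assumption: floor of 8, the minimum value proposed in the thread.
    static final int MIN_LENGTH = 8;
    static final String LOWER = "abcdefghijklmnopqrstuvwxyz";
    static final String UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
    static final String DIGIT = "0123456789";
    static final String ALL = LOWER + UPPER + DIGIT;

    static char pick(String alphabet, SecureRandom r) {
        return alphabet.charAt(r.nextInt(alphabet.length()));
    }

    // Returns a password of exactly max(requested, MIN_LENGTH) characters.
    static String generate(int requested, SecureRandom r) {
        int length = Math.max(requested, MIN_LENGTH);
        char[] pw = new char[length];
        // One character of each required class, counted inside the length.
        pw[0] = pick(LOWER, r);
        pw[1] = pick(UPPER, r);
        pw[2] = pick(DIGIT, r);
        for (int i = 3; i < length; i++) {
            pw[i] = pick(ALL, r);
        }
        // Fisher-Yates shuffle so the required characters do not sit at fixed positions.
        for (int i = length - 1; i > 0; i--) {
            int j = r.nextInt(i + 1);
            char t = pw[i];
            pw[i] = pw[j];
            pw[j] = t;
        }
        return new String(pw);
    }

    public static void main(String[] args) {
        SecureRandom r = new SecureRandom();
        // Requests below the floor (0, 6) are raised to 8; 12 and 15 are honoured exactly.
        for (int requested : new int[] {0, 6, 12, 15}) {
            String pw = generate(requested, r);
            if (pw.length() != Math.max(requested, MIN_LENGTH)) {
                throw new AssertionError("length mismatch for " + requested);
            }
            System.out.println(requested + " -> " + pw.length() + " chars");
        }
    }
}
```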
