cloudstack-dev mailing list archives

From Nux! <...@li.nux.ro>
Subject Re: vm.password.length issue in 4.4.1-SNAPSHOT
Date Sat, 25 Oct 2014 00:31:40 GMT
Imho, considering the password is not very secure (it's missing symbols), we should increase
the length.
For my personal stuff I default to 15 chars.

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

----- Original Message -----
> From: "Amogh Vasekar" <amogh.vasekar@citrix.com>
> To: dev@cloudstack.apache.org
> Cc: "laszlo hornyak" <laszlo.hornyak@gmail.com>
> Sent: Saturday, 25 October, 2014 00:37:07
> Subject: Re: vm.password.length issue in 4.4.1-SNAPSHOT

> Hi Laszlo,
> 
> Any comments on the below? I agree adding 3 characters is a bug and
> willing to fix it.
> 
> In addition, Ian, I believe we should set a minimum allowed value for the
> config value vm.password.length. Any objections to setting the minimum to
> 8, the previous default?
> 
> Thanks
> Amogh
> 
> On 10/13/14 5:34 PM, "Ian Duffy" <ian@ianduffy.ie> wrote:
> 
>>The only other usage of it is within
>>server/src/com/cloud/server/ConfigurationServerImpl.java
>>It's used for creating a Secondary storage vm copy password.
>>
>>I'm seeing absolutely no reason why we have 3 values going in no matter
>>what, I'm willing to say it's a bug. I'm curious as to why the tests are
>>written to deal with it though....
>>
>>On 14 October 2014 00:26, Nux! <nux@li.nux.ro> wrote:
>>
>>> Well, it's a bit messy, but still better than the old password length.
>>> Ideally this should get clarified/fixed, but for now I am happy with my
>>> long+3 password! :)
>>>
>>>
>>> Cheers,
>>> Lucian
>>>
>>> --
>>> Sent from the Delta quadrant using Borg technology!
>>>
>>> Nux!
>>> www.nux.ro
>>>
>>> ----- Original Message -----
>>> > From: "Ian Duffy" <ian@ianduffy.ie>
>>> > To: "CloudStack Dev" <dev@cloudstack.apache.org>
>>> > Cc: "laszlo hornyak" <laszlo.hornyak@gmail.com>
>>> > Sent: Monday, 13 October, 2014 19:54:53
>>> > Subject: Re: vm.password.length issue in 4.4.1-SNAPSHOT
>>>
>>> > Hey Nux,
>>> >
>>> > So I passed this work off to a util class that was already present in the
>>> > code base "PasswordGenerator"
>>> >
>>> >    @Override
>>> >    public String generateRandomPassword() {
>>> >        Integer passwordLength = Integer.parseInt(_configDao.getValue("vm.password.length"));
>>> >        return PasswordGenerator.generateRandomPassword(passwordLength);
>>> >    }
>>> >
>>> > Not a clue why but the generateRandomPassword method creates a random
>>> > 3-character string first then loops through to generate n random characters.
>>> >
>>> >    public static String generateRandomPassword(int num) {
>>> >        Random r = new SecureRandom();
>>> >        StringBuilder password = new StringBuilder();
>>> >
>>> >        // Generate random 3-character string with a lowercase character,
>>> >        // uppercase character, and a digit
>>> >        password.append(generateLowercaseChar(r)).append(generateUppercaseChar(r)).append(generateDigit(r));
>>> >
>>> >        // Generate a random n-character string with only lowercase
>>> >        // characters
>>> >        for (int i = 0; i < num; i++) {
>>> >            password.append(generateLowercaseChar(r));
>>> >        }
>>> >
>>> >        return password.toString();
>>> >    }
>>> >
>>> > The unit tests seem to accommodate for this as well:
>>> >
>>> >        // actual length is requested length + 3
>>> >        Assert.assertTrue(PasswordGenerator.generateRandomPassword(0).length() == 3);
>>> >        Assert.assertTrue(PasswordGenerator.generateRandomPassword(1).length() == 4);
>>> >
>>> > I'm guessing there's some reasoning for this.... CCing Laszlo who according
>>> > to git log did some work on this class.
>>> >
>>> > Thanks,
>>> >
>>> > Ian
>>> >
>>> > On 13 October 2014 19:39, Nux! <nux@li.nux.ro> wrote:
>>> >
>>> >> Hello,
>>> >>
>>> >> First of all "THANKS!" to whoever made this feature happen (Ian I guess).
>>> >> Now we can set more secure passwords generated for our instances.
>>> >>
>>> >> Second, the feature works, but with a small glitch, the number seems to be
>>> >> affected by some sort of offset. I.e. if I set the password to be 15 chars
>>> >> in length then the generated password will actually be 18 chars.
>>> >> In order to get a 15 chars long passwd I had to set vm.password.length to
>>> >> 12. Bug or feature? :)
>>> >>
>>> >>
>>> >> Lucian
>>> >>
>>> >> --
>>> >> Sent from the Delta quadrant using Borg technology!
>>> >>
>>> >> Nux!
>>> >> www.nux.ro
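
The length behaviour discussed in this thread, as an added example that is not part of any message above and is not CloudStack's PasswordGenerator: a generator in which the three guaranteed characters count toward the requested length and a configured value below a minimum is raised to it. The class name, MIN_LENGTH = 8 (the minimum proposed in the thread) and drawing the remaining characters from all three classes instead of lowercase only are assumptions of this example.

```java
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Hypothetical class for illustration; not CloudStack's PasswordGenerator.
public class ExactLengthPasswordGenerator {
    private static final String LOWER = "abcdefghijklmnopqrstuvwxyz";
    private static final String UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
    private static final String DIGITS = "0123456789";
    private static final String ALL = LOWER + UPPER + DIGITS;

    // Assumption: 8 is the minimum proposed in the thread for vm.password.length.
    static final int MIN_LENGTH = 8;

    private static char pick(SecureRandom r, String alphabet) {
        return alphabet.charAt(r.nextInt(alphabet.length()));
    }

    public static String generateRandomPassword(int requested) {
        // Raise too-small values to the minimum; never add a hidden offset.
        int length = Math.max(requested, MIN_LENGTH);
        SecureRandom r = new SecureRandom();
        List<Character> chars = new ArrayList<>(length);

        // One lowercase, one uppercase, one digit: these count toward the total.
        chars.add(pick(r, LOWER));
        chars.add(pick(r, UPPER));
        chars.add(pick(r, DIGITS));

        // Fill the rest of the requested length (assumption: full alphanumeric set).
        while (chars.size() < length) {
            chars.add(pick(r, ALL));
        }

        // Shuffle so the guaranteed characters do not sit at fixed positions.
        Collections.shuffle(chars, r);

        StringBuilder password = new StringBuilder(length);
        for (char c : chars) {
            password.append(c);
        }
        return password.toString();
    }

    public static void main(String[] args) {
        // Constructed sample values: below the minimum, and the 12 and 15 from the thread.
        for (int n : new int[] {0, 12, 15}) {
            System.out.println("requested=" + n + " actual=" + generateRandomPassword(n).length());
        }
    }
}
```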
