cloudstack-dev mailing list archives

From Ian Duffy <...@ianduffy.ie>
Subject Re: vm.password.length issue in 4.4.1-SNAPSHOT
Date Sat, 25 Oct 2014 00:59:43 GMT
>  I agree adding 3 characters is a bug and willing to fix it.

Me too...... I find it very worrying that the code base has tests that
cater for bugs to be valid input.
Really makes me wonder about the quality of the product.

Anyways... I did a grep of the codebase for usage of the method. It's not
used anywhere else... (Which does make me wonder why it existed in the
first place and if its functionality has been duplicated elsewhere)

>  Any objections to setting the minimum to 8, the previous default?

No objections from me.

On 25 October 2014 01:41, Amogh Vasekar <amogh.vasekar@citrix.com> wrote:

> Do note that the password generated here is considered temporary, as
> previously pointed out by Chiradeep in another thread.
>
> Thanks
> Amogh
>
> On 10/24/14 5:31 PM, "Nux!" <nux@li.nux.ro> wrote:
>
> >Imho, considering the password is not very secure (it's missing symbols),
> >we should increase the length.
> >For my personal stuff I default to 15 chars.
> >
> >--
> >Sent from the Delta quadrant using Borg technology!
> >
> >Nux!
> >www.nux.ro
> >
> >----- Original Message -----
> >> From: "Amogh Vasekar" <amogh.vasekar@citrix.com>
> >> To: dev@cloudstack.apache.org
> >> Cc: "laszlo hornyak" <laszlo.hornyak@gmail.com>
> >> Sent: Saturday, 25 October, 2014 00:37:07
> >> Subject: Re: vm.password.length issue in 4.4.1-SNAPSHOT
> >
> >> Hi Laszlo,
> >>
> >> Any comments on the below? I agree adding 3 characters is a bug and
> >> willing to fix it.
> >>
> >> In addition, Ian, I believe we should set a minimum allowed value for the
> >> config value vm.password.length. Any objections to setting the minimum to
> >> 8, the previous default?
> >>
> >> Thanks
> >> Amogh
> >>
> >> On 10/13/14 5:34 PM, "Ian Duffy" <ian@ianduffy.ie> wrote:
> >>
> >>>The only other usage of it is within
> >>>server/src/com/cloud/server/ConfigurationServerImpl.java
> >>>It's used for creating a Secondary storage vm copy password.
> >>>
> >>>I'm seeing absolutely no reason why we have 3 values going in no matter
> >>>what, I'm willing to say it's a bug. I'm curious as to why the tests are
> >>>written to deal with it though....
> >>>
> >>>On 14 October 2014 00:26, Nux! <nux@li.nux.ro> wrote:
> >>>
> >>>> Well, it's a bit messy, but still better than the old password length.
> >>>> Ideally this should get clarified/fixed, but for now I am happy with my
> >>>> long+3 password! :)
> >>>>
> >>>>
> >>>> Cheers,
> >>>> Lucian
> >>>>
> >>>> --
> >>>> Sent from the Delta quadrant using Borg technology!
> >>>>
> >>>> Nux!
> >>>> www.nux.ro
> >>>>
> >>>> ----- Original Message -----
> >>>> > From: "Ian Duffy" <ian@ianduffy.ie>
> >>>> > To: "CloudStack Dev" <dev@cloudstack.apache.org>
> >>>> > Cc: "laszlo hornyak" <laszlo.hornyak@gmail.com>
> >>>> > Sent: Monday, 13 October, 2014 19:54:53
> >>>> > Subject: Re: vm.password.length issue in 4.4.1-SNAPSHOT
> >>>>
> >>>> > Hey Nux,
> >>>> >
> >>>> > So I passed this work off to a util class that was already present in the
> >>>> > code base "PasswordGenerator"
> >>>> >
> >>>> >    @Override
> >>>> >    public String generateRandomPassword() {
> >>>> >        Integer passwordLength = Integer.parseInt(_configDao.getValue("vm.password.length"));
> >>>> >        return PasswordGenerator.generateRandomPassword(passwordLength);
> >>>> >    }
> >>>> >
> >>>> > Not a clue why but the generateRandomPassword method creates a random
> >>>> > 3-character string first then loops through to generate n random characters.
> >>>> >
> >>>> >    public static String generateRandomPassword(int num) {
> >>>> >        Random r = new SecureRandom();
> >>>> >        StringBuilder password = new StringBuilder();
> >>>> >
> >>>> >        // Generate random 3-character string with a lowercase character,
> >>>> >        // uppercase character, and a digit
> >>>> >        password.append(generateLowercaseChar(r)).append(generateUppercaseChar(r)).append(generateDigit(r));
> >>>> >
> >>>> >        // Generate a random n-character string with only lowercase
> >>>> >        // characters
> >>>> >        for (int i = 0; i < num; i++) {
> >>>> >            password.append(generateLowercaseChar(r));
> >>>> >        }
> >>>> >
> >>>> >        return password.toString();
> >>>> >    }
> >>>> >
> >>>> > The unit tests seem to accommodate for this as well:
> >>>> >
> >>>> >        // actual length is requested length + 3
> >>>> >        Assert.assertTrue(PasswordGenerator.generateRandomPassword(0).length() == 3);
> >>>> >        Assert.assertTrue(PasswordGenerator.generateRandomPassword(1).length() == 4);
> >>>> >
> >>>> > I'm guessing there's some reasoning for this.... CCing Laszlo who according
> >>>> > to git log did some work on this class.
> >>>> >
> >>>> > Thanks,
> >>>> >
> >>>> > Ian
> >>>> >
> >>>> > On 13 October 2014 19:39, Nux! <nux@li.nux.ro> wrote:
> >>>> >
> >>>> >> Hello,
> >>>> >>
> >>>> >> First of all "THANKS!" to whoever made this feature happen (Ian I guess).
> >>>> >> Now we can set more secure passwords generated for our instances.
> >>>> >>
> >>>> >> Second, the feature works, but with a small glitch, the number seems to be
> >>>> >> affected by some sort of offset. I.e. if I set the password to be 15 chars
> >>>> >> in length then the generated password will actually be 18 chars.
> >>>> >> In order to get a 15 chars long passwd I had to set vm.password.length to
> >>>> >> 12. Bug or feature? :)
> >>>> >>
> >>>> >>
> >>>> >> Lucian
> >>>> >>
> >>>> >> --
> >>>> >> Sent from the Delta quadrant using Borg technology!
> >>>> >>
> >>>> >> Nux!
> >>>> >> www.nux.ro
>
>
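
Added example, not part of the original thread and not CloudStack's code: a generator that returns exactly the requested length (the three guaranteed character classes count towards it instead of being prepended) and applies the minimum of 8 proposed above. The class and method names are hypothetical, and clamping a too-small value rather than rejecting it is an assumption of this sketch.

```java
import java.security.SecureRandom;

// Added illustration; class and method names are hypothetical, not CloudStack's.
public final class ExactLengthPasswordExample {
    private static final String LOWER = "abcdefghijklmnopqrstuvwxyz";
    private static final String UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
    private static final String DIGITS = "0123456789";
    private static final String ALL = LOWER + UPPER + DIGITS;
    // Minimum proposed in the thread (the previous default).
    static final int MIN_LENGTH = 8;
    private static final SecureRandom RNG = new SecureRandom();

    // Returns exactly max(requested, MIN_LENGTH) characters. Clamping instead of
    // rejecting a too-small value is an assumption of this example.
    static String generate(int requested) {
        int length = Math.max(requested, MIN_LENGTH);
        char[] out = new char[length];
        // The three guaranteed classes count towards the length, not on top of it.
        out[0] = pick(LOWER);
        out[1] = pick(UPPER);
        out[2] = pick(DIGITS);
        // Remaining positions draw from the whole alphabet, not lowercase only.
        for (int i = 3; i < length; i++) {
            out[i] = pick(ALL);
        }
        // Fisher-Yates shuffle so the guaranteed characters are not at fixed positions.
        for (int i = length - 1; i > 0; i--) {
            int j = RNG.nextInt(i + 1);
            char tmp = out[i];
            out[i] = out[j];
            out[j] = tmp;
        }
        return new String(out);
    }

    private static char pick(String alphabet) {
        return alphabet.charAt(RNG.nextInt(alphabet.length()));
    }

    public static void main(String[] args) {
        for (int requested : new int[] {0, 1, 8, 15}) {
            String p = generate(requested);
            boolean classes = p.matches(".*[a-z].*") && p.matches(".*[A-Z].*") && p.matches(".*[0-9].*");
            if (p.length() != Math.max(requested, MIN_LENGTH) || !classes) {
                throw new AssertionError("bad password for requested length " + requested);
            }
            System.out.println(requested + " -> " + p.length() + " chars");
        }
    }
}
```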
