wbrawner/ansible
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Include '/' & '.' when password_hash generates a new salt

Browse source 
The password_hash filter will generate a salt value if none is supplied.
The character set used by Ansible

(upper & lowercase letters, digits)

did not match that used by libc crypt

(upper & lowercase letters, digits, full stop, forward slash).

This resulted in a slightly smaller key space, and hence hashes would be
slightly easier to attack (e.g. by dictionary, brute force).

(cherry picked from commit f5aa9df1fd)
This commit is contained in:
Alex Willmer 2017-03-30 16:37:50 +01:00 committed by Toshio Kuratomi
parent 1ba7e6b6f6
commit 07ea6a6adf
1 changed files with 2 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
lib/ansible/plugins/filter/core.py
View file

@ -256,7 +256,8 @@ def get_encrypted_password(password, hashtype='sha512', salt=None):
saltsize = 8
else:
saltsize = 16
salt = ''.join([r.choice(string.ascii_letters + string.digits) for _ in range(saltsize)])
saltcharset = string.ascii_letters + string.digits + '/.'
salt = ''.join([r.choice(saltcharset) for _ in range(saltsize)])
if not HAS_PASSLIB:
if sys.platform.startswith('darwin'):