-rw-r--r-- | NEWS | 7 | ||||
-rw-r--r-- | perl/Wallet/Kadmin/Heimdal.pm | 41 |
2 files changed, 41 insertions, 7 deletions
@@ -17,6 +17,13 @@ wallet 1.1 (unreleased) reference an ldap_map_principal hook, not ldap_map_attribute, matching the implementation. + When creating new principals in a Heimdal KDC, generate a long, random + password as the temporary password of the disabled principal before + randomizing keys. This is necessary if password quality is being + enforced on create calls. Since the principal is always inactive + until the keys have been randomized, the password should not need to + be secure (and indeed is not cryptographically random). + wallet 1.0 (2013-03-27) Owners of wallet objects are now allowed to destroy them. In previous diff --git a/perl/Wallet/Kadmin/Heimdal.pm b/perl/Wallet/Kadmin/Heimdal.pm index bb07b93..a1d63ae 100644 --- a/perl/Wallet/Kadmin/Heimdal.pm +++ b/perl/Wallet/Kadmin/Heimdal.pm @@ -1,7 +1,7 @@ # Wallet::Kadmin::Heimdal -- Wallet Kerberos administration API for Heimdal. # # Written by Jon Robertson <jonrober@stanford.edu> -# Copyright 2009, 2010 +# Copyright 2009, 2010, 2014 # The Board of Trustees of the Leland Stanford Junior University # # See LICENSE for licensing terms. 
@@ -40,6 +40,34 @@ sub canonicalize_principal {
 return $principal;
 }
 
+# Generate a long random password.
+#
+# Please note: This is not a cryptographically secure password! It's used
+# only because the Heimdal kadmin interface requires a password on create.
+# The keys will be set before the principal is ever set active, so it will
+# never be possible to use the password. It just needs to be random in case
+# password quality checks are applied to it.
+#
+# Make the password reasonably long and include a variety of character classes
+# so that it should pass any password strength checking.
+sub insecure_random_password {
+ my ($self) = @_;
+ my @classes = (
+ 'abcdefghijklmnopqrstuvwxyz',
+ 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
+ '0123456789',
+ '~`!@#$%^&*()-_+={[}]|:;<,>.?/'
+ );
+ my $password = q{};
+ for my $i (1..20) {
+ my $class = $i % scalar (@classes);
+ my $alphabet = $classes[$class];
+ my $letter = substr ($alphabet, int (rand (length $alphabet)), 1);
+ $password .= $letter;
+ }
+ return $password;
+}
+
 ##############################################################################
 # Public interfaces
 ##############################################################################
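Review bot: The character class used for each position is fixed by `$i % scalar (@classes)` in the loop of insecure_random_password, so every generated password follows the same upper/digit/symbol/lower sequence and only the character drawn within each class comes from `rand`; the header comment should say so, because a reader may assume the class is randomised too. Suggested comment above the loop: `# The class is chosen by position (i % 4), not at random; only the character within the class varies.` The `$self` argument is unpacked but not used, which is acceptable for a method but worth a word in the comment. The documented reasoning holds as far as this page shows: the principal is created with KRB5_KDB_DISALLOW_ALL_TIX in the create hunk, so the value is never usable for authentication provided the keys are randomised before the principal is enabled.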
@@ -71,18 +99,17 @@ sub create {
 return 1 if $exists;
 
 # The way Heimdal::Kadm5 works, we create a principal object, create the
- # actual principal set inactive, then randomize it and activate it.
- #
- # TODO - Paranoia makes me want to set the password to something random
- # on creation even if it is inactive until after randomized by
- # module.
+ # actual principal set inactive, then randomize it and activate it. We
+ # have to set a password, even though we're about to replace it with
+ # random keys, but since the principal is created inactive, it doesn't
+ # have to be a very good one.
 my $kadmin = $self->{client};
 eval {
 my $princdata = $kadmin->makePrincipal ($principal);
 my $attrs = $princdata->getAttributes;
 $attrs |= KRB5_KDB_DISALLOW_ALL_TIX;
 $princdata->setAttributes ($attrs);
- my $password = 'inactive';
+ my $password = $self->insecure_random_password;
 $kadmin->createPrincipal ($princdata, $password, 0);
 $kadmin->randKeyPrincipal ($principal);
 $kadmin->enablePrincipal ($principal); |
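Review bot: The eval's failure handling lies outside this hunk, so it is not visible what happens when `$kadmin->randKeyPrincipal` or `$kadmin->enablePrincipal` dies after `createPrincipal` has already succeeded; presumably the principal is then left in the KDC, still disabled by KRB5_KDB_DISALLOW_ALL_TIX but with keys derived from the `rand`-based placeholder rather than random keys. If the code after the eval does not already remove such a half-created principal, either the error path should delete it or the trade-off should be recorded, e.g. `# If randKeyPrincipal fails, the principal exists with a non-random key but stays disabled until a later create succeeds.` The new comment above the eval could also point readers to the helper's caveat: `# See insecure_random_password for why rand() is acceptable for this value.` sub create begins before this hunk and continues past its end.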