Message #81695
[Bug 1860795] Re: cc_set_passwords is too short for RANDOM
This bug is believed to be fixed in cloud-init in version 20.1. If this
is still a problem for you, please make a comment and set the state back
to New.
Thank you.
** Also affects: cloud-init
Importance: Undecided
Status: New
** Changed in: cloud-init
Status: New => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to cloud-init.
https://bugs.launchpad.net/bugs/1860795
Title:
cc_set_passwords is too short for RANDOM
Status in cloud-init:
Fix Released
Status in cloud-init package in Ubuntu:
Fix Released
Bug description:
  PW_SET = (''.join([x for x in ascii_letters + digits
                     if x not in 'loLOI01']))

  def rand_user_password(pwlen=9):
      return util.rand_str(pwlen, select_from=PW_SET)

len(PW_SET) is 55
log_2(55^20) is 115 bits, which is above 112, which matches the default OpenSSL SECLEVEL=2 setting in focal fossa.
Please bump PW_SET to 20, as 9 is crackable (provides 52 bits of
security which is less than SECLEVEL 0).
As I'm about to use this on a mainframe, which by definition can crack
that.
To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-init/+bug/1860795/+subscriptions
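
Added example (not part of the original message or of cloud-init's own code): the entropy arithmetic from the bug description, generalized to the minimum password length needed for each OpenSSL security level with the quoted PW_SET. The names entropy_bits, min_length, report and SECLEVEL_BITS are assumptions made for this example, and secrets.choice stands in for util.rand_str.

```python
import math
import secrets
from string import ascii_letters, digits

# Alphabet as quoted in the bug description: letters and digits minus look-alikes.
PW_SET = "".join(x for x in ascii_letters + digits if x not in "loLOI01")

# Bit strengths that OpenSSL documents for security levels 1 to 5.
SECLEVEL_BITS = {1: 80, 2: 112, 3: 128, 4: 192, 5: 256}


def entropy_bits(pwlen, alphabet=PW_SET):
    """Entropy of a uniformly random password: pwlen * log2(|alphabet|)."""
    # set() so that a repeated character in the alphabet is not counted twice.
    return pwlen * math.log2(len(set(alphabet)))


def min_length(target_bits, alphabet=PW_SET):
    """Smallest pwlen whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(len(set(alphabet))))


def rand_user_password(pwlen=20, alphabet=PW_SET):
    """Assumed stand-in for the quoted function, drawing from the OS CSPRNG."""
    if pwlen < 1:
        raise ValueError("pwlen must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(pwlen))


def report():
    """Rows of (seclevel, target bits, minimum length, bits at that length)."""
    return [(lvl, bits, min_length(bits), round(entropy_bits(min_length(bits)), 1))
            for lvl, bits in SECLEVEL_BITS.items()]


if __name__ == "__main__":
    print(f"alphabet size: {len(PW_SET)}")
    for n in (9, 20):
        print(f"pwlen={n}: {entropy_bits(n):.1f} bits")
    for row in report():
        print("SECLEVEL %d (%d bits): pwlen >= %d (%.1f bits)" % row)
    print("sample:", rand_user_password())
```

With this 55-character alphabet, 19 characters still fall short of 112 bits, so 20 is the smallest length that reaches the SECLEVEL=2 figure cited in the report.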