authorAlex Willmer <alex.willmer@cgi.com>2017-03-30 16:37:50 +0100
committerToshio Kuratomi <a.badger@gmail.com>2017-03-30 12:47:34 -0700
commit07ea6a6adf42e065c175d7f8c5a3bc75723792ff (patch)
treefe3adcc2a11b7691da44e31aa3c2abf6811a08ae
parent1ba7e6b6f6f3a7da8e44bffda381b130e3b9cf5e (diff)
Include '/' & '.' when password_hash generates a new salt
The password_hash filter will generate a salt value if none is supplied. The character set used by Ansible (upper & lowercase letters, digits) did not match that used by libc crypt (upper & lowercase letters, digits, full stop, forward slash). This resulted in a slightly smaller key space, and hence hashes would be slightly easier to attack (e.g. by dictionary, brute force). (cherry picked from commit f5aa9df1fddb4448d5d81fbb9d03bb82a16eda52)
-rw-r--r--lib/ansible/plugins/filter/core.py3
1 files changed, 2 insertions, 1 deletions
diff --git a/lib/ansible/plugins/filter/core.py b/lib/ansible/plugins/filter/core.py
index 6c8eb2c509..69230b0ba8 100644
--- a/lib/ansible/plugins/filter/core.py
+++ b/lib/ansible/plugins/filter/core.py
@@ -256,7 +256,8 @@ def get_encrypted_password(password, hashtype='sha512', salt=None):
saltsize = 8
else:
saltsize = 16
- salt = ''.join([r.choice(string.ascii_letters + string.digits) for _ in range(saltsize)])
+ saltcharset = string.ascii_letters + string.digits + '/.'
+ salt = ''.join([r.choice(saltcharset) for _ in range(saltsize)])
if not HAS_PASSLIB:
if sys.platform.startswith('darwin'):
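Review bot: The new `saltcharset` line has no comment tying it to the crypt(3) salt alphabet, so a later cleanup could narrow it again unnoticed; I would add `# crypt(3) salt alphabet is [a-zA-Z0-9./]; narrowing it shrinks the salt space` directly above it. `r` is bound outside this hunk, so it is worth confirming that it is a `random.SystemRandom()` instance and not the default Mersenne Twister generator, since salts should come from the OS CSPRNG. The diffstat shows only core.py changed, so nothing pins the new behaviour; a small unit test asserting that every generated salt character is in the expected set, and that the length is 8 for md5 and 16 otherwise, would guard against regression. The body of get_encrypted_password starts and ends outside the hunk, so whether a caller-supplied `salt` is validated against the same alphabet cannot be judged from here.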