From de3844cba9b801c99119c525e1dc6881be3b5ca3 Mon Sep 17 00:00:00 2001
From: Brian Coca
Date: Tue, 5 Jan 2021 15:03:27 -0500
Subject: [PATCH] discourage hexdigits in password lookup (#73106)
* actually add new docs
* Update lib/ansible/plugins/lookup/password.py
Co-authored-by: Sandra McCann
---
changelogs/fragments/passwd_lookup_hexdigits.yml | 2 ++
lib/ansible/plugins/lookup/password.py | 4 +++-
2 files changed, 5 insertions(+), 1 deletion(-)
create mode 100644 changelogs/fragments/passwd_lookup_hexdigits.yml
diff --git a/changelogs/fragments/passwd_lookup_hexdigits.yml b/changelogs/fragments/passwd_lookup_hexdigits.yml
new file mode 100644
index 00000000000..e2326525ca2
--- /dev/null
+++ b/changelogs/fragments/passwd_lookup_hexdigits.yml
@@ -0,0 +1,2 @@
+minor_changes:
+ - Discourage the use of 'hexdigits' in password lookup, as it distorts expected entropy.
diff --git a/lib/ansible/plugins/lookup/password.py b/lib/ansible/plugins/lookup/password.py
index f9ed15ec917..cfb996e2406 100644
--- a/lib/ansible/plugins/lookup/password.py
+++ b/lib/ansible/plugins/lookup/password.py
@@ -40,6 +40,8 @@ DOCUMENTATION = """
 - 'By default generated passwords contain a random mix of upper and lowercase ASCII letters, the numbers 0-9 and punctuation (". , : - _").'
 - "They can be either parts of Python's string module attributes (ascii_letters,digits, etc) or are used literally ( :, -)."
 - "Other valid values include 'ascii_lowercase', 'ascii_uppercase', 'digits', 'hexdigits', 'octdigits', 'printable', 'punctuation' and 'whitespace'."
+ - Be aware that Python's 'hexdigits' includes lower and upper case version of a-f, so it is not a good choice as it doubles
+ the chances of those values for systems that won't distinguish case, distorting the expected entropy.
 - "To enter comma use two commas ',,' somewhere - preferably at the end. Quotes and double quotes are not supported."
 type: string
 length:
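Review bot: The two added DOCUMENTATION lines explain the 'hexdigits' problem only for systems that ignore case, but the distortion also exists on case-sensitive systems whenever 'hexdigits' is combined with 'digits' or 'ascii_letters' (as the old EXAMPLES line did): every character that appears in more than one selected set is repeated in the pool and, assuming the generator samples uniformly from the concatenated chars (not visible in this hunk), is drawn proportionally more often, so the entropy per character is lower than the pool size suggests. I would reword the note to cover both cases, e.g. `- Be aware that Python's 'hexdigits' (0-9, a-f, A-F) overlaps 'digits' and 'ascii_letters'; combining them repeats those characters in the pool and skews the distribution toward them, and on systems that do not distinguish case a-f and A-F collapse to 16 values, both of which reduce the expected entropy.` Also "lower and upper case version of a-f" should read "versions". The DOCUMENTATION string starts and ends outside the hunk.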
@@ -83,7 +85,7 @@ EXAMPLES = """
 - name: create a mysql user with a random password using many different char sets
 mysql_user:
 name: "{{ client }}"
- password: "{{ lookup('password', '/tmp/passwordfile chars=ascii_letters,digits,hexdigits,punctuation') }}"
+ password: "{{ lookup('password', '/tmp/passwordfile chars=ascii_letters,digits,punctuation') }}"
 priv: "{{ client }}_{{ tier }}_{{ role }}.*:ALL"
 - name: create lowercase 8 character name for Kubernetes pod name
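Review bot: The rewritten example still stores the generated secret at `/tmp/passwordfile`, a predictable path in a shared, world-writable directory; unless the lookup creates that file with restrictive permissions (not visible in this hunk), this is a poor pattern to show in reference docs that people copy verbatim. Since the line is being touched anyway, I would point it at a path inside the playbook tree, for instance (constructed example) `password: "{{ lookup('password', 'credentials/mysql_client_password chars=ascii_letters,digits,punctuation') }}"`, which also keeps the generated password alongside the other play data rather than on a host-local temp filesystem. The EXAMPLES string starts and ends outside the hunk.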