[Pkg-openldap-devel] Bug#932270: openldap: Weak default password generation

Judicael Courant judicael at jcourant.fr
Wed Jul 17 09:33:07 BST 2019


Source: openldap
Severity: normal

Dear Maintainer,

When package slapd is installed in non-interactive mode, a default
password is generated using at most 32 random bits, which seems quite
low. This issue can be fixed quite easily (patch below).

In source package slapd, the file debian/slapd.scripts-common
contains the following code:

----------------------------------------------------------------------
generate_admin_pass() {
# Generate a password, if no password given then generate one.
# Usage: generate_admin_pass

        perl << 'EOF'
# --------
sub generatePassword {
        $length = shift;
        $possible = 'abcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ';
        $password = '';
        while(length($password) < $length) {
                $password.= substr($possible, (int(rand(length($possible)))), 1);
        }
        return $password;
}
print generatePassword(15);
EOF
# --------
}
----------------------------------------------------------------------

The perl code relies on the `rand' function, which is a deterministic
pseudo-random generator initialized with at most 32 random bits.

Please consider replacing this function with the following:

----------------------------------------------------------------------
generate_admin_pass() {
# Generate a password, if no password given then generate one.
# Usage: generate_admin_pass

# 15 bytes of /dev/urandom provide 120 random bits, assuming
# the entropy pool is full enough.
# Encoding these 15 bytes in base64 returns a 20-character password.

        head -c 15 /dev/urandom | base64 | tr -d '[:space:]'
}
----------------------------------------------------------------------

Yours,

J. Courant.

-- System Information:
Debian Release: 9.9
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-9-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
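As an added illustration, not part of the original report, the following Python models the two generators described above and the entropy each actually carries. Python's random.Random stands in for perl's rand (an assumption of the model, not Perl's seeding code); what it reproduces is the property the report relies on: a PRNG seeded from at most 32 bits yields at most 2^32 distinct passwords, however long they are.

```python
import base64
import math
import random
import secrets

# Same alphabet as the slapd script (62 symbols).
ALPHABET = 'abcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ'


def weak_password(seed: int, length: int = 15) -> str:
    """Model of the original generator: a deterministic PRNG seeded with at
    most 32 bits. The password is a pure function of the seed, so equal seeds
    give equal passwords and there are at most 2**32 possible outputs."""
    rng = random.Random(seed & 0xFFFFFFFF)  # 32-bit seed space (model)
    return ''.join(ALPHABET[rng.randrange(len(ALPHABET))] for _ in range(length))


def effective_bits(length: int, alphabet_size: int, seed_bits: int) -> float:
    """Entropy a seeded-PRNG password really carries: the nominal
    log2(alphabet_size ** length) is capped by the seed space."""
    nominal = length * math.log2(alphabet_size)   # ~89.3 bits for 62^15
    return min(nominal, seed_bits)


def strong_password(nbytes: int = 15) -> str:
    """The proposed fix: take bytes from the OS CSPRNG (the /dev/urandom
    equivalent) and base64 them. 15 is a multiple of 3, so base64 yields
    exactly 20 characters and no '=' padding, matching the report."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode('ascii')


def strong_bits(nbytes: int) -> int:
    """Each CSPRNG byte contributes 8 bits: 15 bytes give 120 bits."""
    return nbytes * 8


if __name__ == '__main__':
    print('weak (seed 1234):', weak_password(1234), 'bits:', effective_bits(15, 62, 32))
    print('strong:', strong_password(), 'bits:', strong_bits(15))
```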
