pub-solar/matrix-docker-ansible-deploy
5
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

Use password_hash salts that obey passlib requirements

Browse source 
According to
https://passlib.readthedocs.io/en/stable/lib/passlib.hash.sha512_crypt.html:

> salt (str) – Optional salt string. If not specified, one will be autogenerated (this is recommended).
> If specified, it must be 0-16 characters, drawn from the regexp range [./0-9A-Za-z].

Until now, we were using invalid characters (like `-`). We were also
going over the requested length limit of 16 characters.

This is most likely what was causing `ValueError` exceptions for some people,
as reported in #209 (Github Issue).
Ansible's source code (`lib/ansible/utils/encrypt.py`) shows that Ansible tries
to use passlib if available and falls back to Python's `crypt` module if not.
For Mac, `crypt.crypt` doesn't seem to work, so Ansible always requires passlib.

Looks like crypt is forgiving when length or character requirements are
not obeyed. It would auto-trim a salt string to make it work, which means
that we could end up with the same hash if we call it with salts which aer only
different after their 16th character.

For these reasons (crypt autotriming and passlib downright complaining),
we're now using shorter and more diverse salts.
This commit is contained in:
Slavi Pantaleev 2019-06-26 09:19:36 +03:00
parent 59b56fa504
commit 782356d421
1 changed files with 8 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
group_vars/matrix_servers
View file

@ -78,9 +78,9 @@ matrix_appservice_irc_systemd_required_services_list: |
(['matrix-synapse.service'] if matrix_synapse_enabled else [])
}}
matrix_appservice_irc_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'appservice-irc-appservice-token') | to_uuid }}"
matrix_appservice_irc_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'irc.as.token') | to_uuid }}"
matrix_appservice_irc_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'appservice-irc-homeserver-token') | to_uuid }}"
matrix_appservice_irc_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'irc.hs.token') | to_uuid }}"
######################################################################
#
@ -105,9 +105,9 @@ matrix_mautrix_facebook_systemd_required_services_list: |
(['matrix-synapse.service'] if matrix_synapse_enabled else [])
}}
matrix_mautrix_facebook_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'facebook-appservice-token') | to_uuid }}"
matrix_mautrix_facebook_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'fb.as.token') | to_uuid }}"
matrix_mautrix_facebook_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'facebook-homeserver-token') | to_uuid }}"
matrix_mautrix_facebook_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'fb.hs.token') | to_uuid }}"
######################################################################
#
@ -133,9 +133,9 @@ matrix_mautrix_telegram_systemd_required_services_list: |
(['matrix-synapse.service'] if matrix_synapse_enabled else [])
}}
matrix_mautrix_telegram_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'telegram-appservice-token') | to_uuid }}"
matrix_mautrix_telegram_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'telegr.as.token') | to_uuid }}"
matrix_mautrix_telegram_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'telegram-homeserver-token') | to_uuid }}"
matrix_mautrix_telegram_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'telegr.hs.token') | to_uuid }}"
matrix_mautrix_telegram_public_endpoint: "/{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'telegram') | to_uuid }}"
@ -164,9 +164,9 @@ matrix_mautrix_whatsapp_systemd_required_services_list: |
(['matrix-synapse.service'] if matrix_synapse_enabled else [])
}}
matrix_mautrix_whatsapp_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'whatsapp-appservice-token') | to_uuid }}"
matrix_mautrix_whatsapp_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'whats.as.token') | to_uuid }}"
matrix_mautrix_whatsapp_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'whatsapp-homeserver-token') | to_uuid }}"
matrix_mautrix_whatsapp_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'whats.hs.token') | to_uuid }}"
######################################################################
#