Include '/' & '.' when password_hash generates a new salt

The password_hash filter will generate a salt value if none is supplied. The character set used by Ansible (upper & lowercase letters, digits) did not match that used by libc crypt (upper & lowercase letters, digits, full stop, forward slash). This resulted in a slightly smaller key space, and hence hashes would be slightly easier to attack (e.g. by dictionary, brute force). (cherry picked from commit f5aa9df1fd)
8 years ago · 07ea6a6adf
parent 1ba7e6b6f6
commit 07ea6a6adf
1 changed files with 2 additions and 1 deletions
--- a/lib/ansible/plugins/filter/core.py
+++ b/lib/ansible/plugins/filter/core.py
@ -256,7 +256,8 @@ def get_encrypted_password(password, hashtype='sha512', salt=None):
                saltsize = 8
            else:
                saltsize = 16
-            salt = ''.join([r.choice(string.ascii_letters + string.digits) for _ in range(saltsize)])
+            saltcharset = string.ascii_letters + string.digits + '/.'
+            salt = ''.join([r.choice(saltcharset) for _ in range(saltsize)])

        if not HAS_PASSLIB:
            if sys.platform.startswith('darwin'):