From f5aa9df1fddb4448d5d81fbb9d03bb82a16eda52 Mon Sep 17 00:00:00 2001
From: Alex Willmer
Date: Thu, 30 Mar 2017 16:37:50 +0100
Subject: [PATCH] Include '/' & '.' when password_hash generates a new salt

The password_hash filter will generate a salt value if none is supplied. The character set used by Ansible (upper & lowercase letters, digits) did not match that used by libc crypt (upper & lowercase letters, digits, full stop, forward slash). This resulted in a slightly smaller key space, and hence hashes would be slightly easier to attack (e.g. by dictionary, brute force).
---
 lib/ansible/plugins/filter/core.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/ansible/plugins/filter/core.py b/lib/ansible/plugins/filter/core.py
index afc7efcfd36..77e961db8bf 100644
--- a/lib/ansible/plugins/filter/core.py
+++ b/lib/ansible/plugins/filter/core.py
@@ -256,7 +256,8 @@ def get_encrypted_password(password, hashtype='sha512', salt=None):
 saltsize = 8
 else:
 saltsize = 16
- salt = ''.join([r.choice(string.ascii_letters + string.digits) for _ in range(saltsize)])
+ saltcharset = string.ascii_letters + string.digits + '/.'
+ salt = ''.join([r.choice(saltcharset) for _ in range(saltsize)])
 if not HAS_PASSLIB:
 if sys.platform.startswith('darwin'):
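Review bot: The new `saltcharset` line has no comment saying where its 64-character alphabet comes from, and the diffstat lists only core.py, so no test accompanies the change. I would add `# crypt(3) salt alphabet [a-zA-Z0-9./]; keep in sync with libc` above it, plus a unit test asserting that a generated salt has length `saltsize` and uses only characters from that set. `r` is created outside this hunk, so it is worth confirming that it is a `random.SystemRandom()` instance and not the module-level Mersenne Twister generator. A wider salt alphabet mainly reduces salt reuse across hashes and the payoff of precomputed tables; it does not change the cost of guessing a single password, which the commit message could say more precisely. The body of get_encrypted_password starts and ends outside the hunk.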