Fix ASCII password lookup character sets

Multiple invocations of the password lookup used the term `ascii` instead of `ascii_letters` in the `chars` parameter. Because of this only the letters a,c,i,s were added to the character set instead of all lowercase and uppercase ASCII letters. As all password lookups did at least also include all digits and the minimum password length used is 20 characters, this did not result in weak passwords. (cherry picked from commit 6f2deb1)
debops · Dec 29, 2022 · 13e5f0d · 13e5f0d
1 parent 0056bdf
commit 13e5f0d
Show file tree

Hide file tree

Showing 9 changed files with 17 additions and 10 deletions.
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -110,6 +110,13 @@ General
   been removed in Ansible 2.14. It has been removed in various DebOps roles to
   allow playbook execution to work correctly.
 
+- Fixed all password lookups which used ``chars=ascii`` instead of
+  ``chars=ascii_letters``. This resulted in passwords which only contained the
+  letters a,c,i,s instead of all lowercase and uppercase ASCII letters. Because
+  all occurences of this bug at least also included all digits in the character
+  set and the password length was at least 20 characters, this did not result
+  in weak passwords.
+
 :ref:`debops.ferm` role
 '''''''''''''''''''''''
 

diff --git a/ansible/roles/etherpad/tasks/main.yml b/ansible/roles/etherpad/tasks/main.yml
@@ -114,7 +114,7 @@
 - name: Generate Etherpad session key
   set_fact:
     etherpad_session_key: '{{ lookup("password", secret + "/credentials/" + ansible_fqdn
-                              + "/etherpad/session_key chars=ascii,numbers,digits,hexdigits length=30") }}'
+                              + "/etherpad/session_key chars=ascii_letters,numbers,digits,hexdigits length=30") }}'
   when: secret is defined and secret
 
 - name: Generate Etherpad configuration

diff --git a/ansible/roles/minio/templates/etc/minio/instance.j2 b/ansible/roles/minio/templates/etc/minio/instance.j2
@@ -16,10 +16,10 @@ MINIO_VOLUMES="{{ (( [ item.volumes ] if (item.volumes is string) else item.volu
 MINIO_SERVER_URL="{{ item.server_url | d('https://' + minio__fqdn + '/') }}"
 MINIO_OPTS="{{ '--address ' + (item.bind | d('')) + ':' + item.port|string + ' --console-address ' + (item.console_bind | d('')) + ':' + item.console_port | string + ((' ' + item.minio_options) if item.minio_options|d() else '') }}"
 {% if not (item.standalone|d(False))|bool %}
-MINIO_ROOT_USER="{{ item.root_user         | d(lookup('password', secret + '/minio/distributed/' + item.name + '/root_user length=20 chars=ascii,digits')) }}"
+MINIO_ROOT_USER="{{ item.root_user         | d(lookup('password', secret + '/minio/distributed/' + item.name + '/root_user length=20 chars=ascii_letters,digits')) }}"
 MINIO_ROOT_PASSWORD="{{ item.root_password | d(lookup('password', secret + '/minio/distributed/' + item.name + '/root_password length=32')) }}"
 {% else %}
-MINIO_ROOT_USER="{{ item.root_user         | d(lookup('password', secret + '/minio/standalone/' + inventory_hostname + '/' + item.name + '/root_user length=20 chars=ascii,digits')) }}"
+MINIO_ROOT_USER="{{ item.root_user         | d(lookup('password', secret + '/minio/standalone/' + inventory_hostname + '/' + item.name + '/root_user length=20 chars=ascii_letters,digits')) }}"
 MINIO_ROOT_PASSWORD="{{ item.root_password | d(lookup('password', secret + '/minio/standalone/' + inventory_hostname + '/' + item.name + '/root_password length=32')) }}"
 {% endif %}
 {% if item.browser is defined %}

diff --git a/ansible/roles/monit/defaults/main.yml b/ansible/roles/monit/defaults/main.yml
@@ -83,7 +83,7 @@ monit__httpd_username: 'monit'
 # The password used by the Monit CLI to access the HTTP server.
 monit__httpd_password: '{{ lookup("password", secret + "/credentials/"
                            + inventory_hostname + "/monit/httpd/password "
-                           + "chars=ascii,digits length=32") }}'
+                           + "chars=ascii_letters,digits length=32") }}'
                                                                    # ]]]
                                                                    # ]]]
 # Monit configuration [[[

diff --git a/ansible/roles/nginx/defaults/main.yml b/ansible/roles/nginx/defaults/main.yml
@@ -802,7 +802,7 @@ nginx__htpasswd_password_length: 32
 # .. envvar:: nginx__htpasswd_password_characters [[[
 #
 # Set of characters allowed in passwords autogenerated by the role.
-nginx__htpasswd_password_characters: 'ascii,digits,.-_~&()*='
+nginx__htpasswd_password_characters: 'ascii_letters,digits,.-_~&()*='
 
                                                                    # ]]]
 # .. envvar:: nginx__htpasswd [[[

diff --git a/ansible/roles/postgresql/defaults/main.yml b/ansible/roles/postgresql/defaults/main.yml
@@ -120,7 +120,7 @@ postgresql__password_length: '64'
 # .. envvar:: postgresql__password_characters [[[
 #
 # Characters allowed in the randomly generated passwords in PostgreSQL database.
-postgresql__password_characters: 'ascii,digits,.-_~&()*='
+postgresql__password_characters: 'ascii_letters,digits,.-_~&()*='
                                                                    # ]]]
                                                                    # ]]]
 # pg_wrapper integration [[[

diff --git a/ansible/roles/postgresql_server/defaults/main.yml b/ansible/roles/postgresql_server/defaults/main.yml
@@ -142,7 +142,7 @@ postgresql_server__password_length: '64'
 # .. envvar:: postgresql_server__password_characters [[[
 #
 # Characters allowed in the autogenerated ``postgres`` password.
-postgresql_server__password_characters: 'ascii,digits,.-_~&()*='
+postgresql_server__password_characters: 'ascii_letters,digits,.-_~&()*='
 
                                                                    # ]]]
 # .. envvar:: postgresql_server__trusted [[[

diff --git a/ansible/roles/snmpd/defaults/main.yml b/ansible/roles/snmpd/defaults/main.yml
@@ -329,7 +329,7 @@ snmpd_account_password_length: '48'
 # Randomly generated, global SNMPv3 username of administrator account,
 # read-write, deactivated after ``snmpd`` is configured.
 snmpd_account_admin_username: '{{ lookup("password", secret +
-                                  "/snmp/credentials/admin/username chars=ascii,digits length=" +
+                                  "/snmp/credentials/admin/username chars=ascii_letters,digits length=" +
                                   snmpd_account_username_length) }}'
 
                                                                    # ]]]
@@ -346,7 +346,7 @@ snmpd_account_admin_password: '{{ lookup("password", secret +
 #
 # Randomly generated, global SNMPv3 username of agent account, read-only.
 snmpd_account_agent_username: '{{ lookup("password", secret +
-                                  "/snmp/credentials/agent/username chars=ascii,digits length=" +
+                                  "/snmp/credentials/agent/username chars=ascii_letters,digits length=" +
                                   snmpd_account_username_length) }}'
 
                                                                    # ]]]

diff --git a/docs/ansible/roles/gitlab_runner/getting-started.rst b/docs/ansible/roles/gitlab_runner/getting-started.rst
@@ -61,7 +61,7 @@ the :envvar:`gitlab_runner__token` variable to your inventory.
 
    gitlab_runner__token: '{{ lookup("password", secret
                            + "/credentials/" + gitlab_runner__api_fqdn
-                           + "/gitlab/runner/token chars=ascii,numbers") }}'
+                           + "/gitlab/runner/token chars=ascii_letters,numbers") }}'
 
 This allows the token to be safely stored outside of the inventory but
 accessible at runtime.