On Mon, Apr 01, 2019 at 09:33:31AM +0200, Ján Tomko wrote:
Suggest some passwords to the user.
Signed-off-by: Ján Tomko <jtomko(a)redhat.com>
---
tools/virsh-completer.c | 58 +++++++++++++++++++++++++++++++++++++++++
tools/virsh-completer.h | 4 +++
tools/virsh-domain.c | 1 +
3 files changed, 63 insertions(+)
diff --git a/tools/virsh-completer.c b/tools/virsh-completer.c
index 5985f09272..0687670d37 100644
--- a/tools/virsh-completer.c
+++ b/tools/virsh-completer.c
@@ -32,6 +32,7 @@
#include "virutil.h"
#include "viralloc.h"
#include "virmacaddr.h"
+#include "virrandom.h"
#include "virstring.h"
#include "virxml.h"
@@ -936,3 +937,60 @@ virshDomainDeviceAliasCompleter(vshControl *ctl,
VIR_STEAL_PTR(ret, tmp);
return ret;
}
+
+
+const char *builtin_passwords[] = {
+ "hunter2", /* ******* */
+ "nbusr123", /* Keď nevieš, tak nefušuj */
+ "4ezgi4",
+};
This is quite a limited list of passwords. I think it would be useful to
expand it with the password dump from
haveibeenpwned.com. The main
problem is that the overhead of a static array with 500,000,000 passwords
might make libvirt packages too large. RPM used to have problems with
packages larger than 2 GB, so not sure how well it will handle 11 GB
RPMs. There could be a negative impact on memory usage when running libvirt,
though virt hosts usually have lots of RAM, so reserving 11 GB for virsh
shouldn't be too big a problem.
+
+
+char **
+virshPasswordCompleter(vshControl *ctl ATTRIBUTE_UNUSED,
+ const vshCmd *cmd ATTRIBUTE_UNUSED,
+ unsigned int flags)
+{
+ VIR_AUTOFREE(char *) base64 = NULL;
+ VIR_AUTOFREE(unsigned char *) rand = NULL;
+ VIR_AUTOSTRINGLIST tmp = NULL;
+ const size_t optimal_passlen = 8; /* ought to be enough */
+ const char *prefix = NULL;
+ const size_t num = 1;
+ char **ret = NULL;
+ size_t missing;
+ size_t i;
+
+ virCheckFlags(0, NULL);
+
+ if (VIR_ALLOC_N(tmp, num + ARRAY_CARDINALITY(builtin_passwords) + 1) < 0)
+ return NULL;
+
+ ignore_value(vshCommandOptStringQuiet(ctl, cmd, "password",
&prefix));
+ if (STREQ_NULLABLE(prefix, " "))
+ prefix = NULL;
+
+ missing = optimal_passlen - MIN(strlen(NULLSTR_EMPTY(prefix)), optimal_passlen);
+
+ if (VIR_ALLOC_N(rand, 7) < 0)
+ return NULL;
+
+ if (virRandomBytes(rand, 6) < 0)
+ return NULL;
+
+ if (!(base64 = virStringEncodeBase64(rand, 6)))
+ return NULL;
+
+ base64[missing] = '\0';
+
+ if (virAsprintf(&tmp[0], "%s%s", NULLSTR_EMPTY(prefix), base64) <
0)
+ return NULL;
+
+ for (i = 0; i < ARRAY_CARDINALITY(builtin_passwords); i++) {
+ if (VIR_STRDUP(tmp[i + 1], builtin_passwords[i]) < 0)
+ return NULL;
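Review bot: The random part of the suggestion shrinks as the user types. `base64[missing] = '\0'` cuts the 8-character encoding of the 6 random bytes down to `optimal_passlen` minus the prefix length, so a prefix of 8 or more characters produces a completion with no random content at all, and the empty-prefix case carries at most 48 bits. Consider appending a fixed-length random suffix regardless of the prefix length. Separately, `ctl` and `cmd` are marked ATTRIBUTE_UNUSED in the signature but are passed to vshCommandOptStringQuiet(), `rand` is allocated with 7 elements while only 6 are filled and encoded, and `builtin_passwords` earlier in this hunk could be declared `static const char *const` unless the header change exports it.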
Hmm, so an 11 GB static password list will need another 11GB of heap
allocation. This is getting quite inefficient at scale.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|