[Git-commits] [grml/grml-autoconfig] 56db87: rewrite password generation for more secure and co...

Chris Hofstaedtler noreply at github.com
Fri Dec 20 01:03:49 CET 2024 

  Branch: refs/heads/zeha/perf
  Home:   https://github.com/grml/grml-autoconfig
  Commit: 56db87928d56dd0b66bcaa9b39599d678697b8e3
      https://github.com/grml/grml-autoconfig/commit/56db87928d56dd0b66bcaa9b39599d678697b8e3
  Author: Antoine Beaupré <anarcat at debian.org>
  Date:   2024-12-20 (Fri, 20 Dec 2024)

  Changed paths:
    M autoconfig.functions

  Log Message:
  -----------
  rewrite password generation for more secure and convivial options

When I boot a GRML system with `ssh` (without arguments) right now, it
generates a 8 character, hex password. Now, I'm not a cryptographer,
but I believe that gives about 32 bits of entropy (log2(16)*8),
roughly the equivalent of a 8 character, all lowercase, [a-z]
password, which is now widely recognized to be extremely poor.

That password is generated by dumping random bytes and piping them
into hexdump, taking the first four bytes (hey, look, 32 bits again).

There are other routines in there: if pwgen, gpw, or apg are
available, they are used. But pwgen was dropped from in
2009 (#511613), and gpw is not present at all.

apg *is* in GRML_FULL, but I would argue it fares as poorly as
hexdump: with the given configuration, it also generates a
8 to 12 character, lowercase and digits "pronouncable" password. It's
hard to estimate the damage the "pronouncable" algorithm does to the
entropy, but even just relying on the 36 character possibilities (26 +
10), we end up with a meager 41 bits of entropy on those passwords.

In comparison, the passwords generated by diceware and xkcdpass each
use 6 words from a ~8000 words dictionnary, which adds up to a
whopping 77 bits of entropy, while still generating a rememberable
password, much more than apg or pwgen.

If those are not available, we fall back to a much simpler routine:
extract alphanumeric characters from /dev/urandom (non-depleting), and
dump 28 characters, which gives us 167 bits of entropy.

I'm not directly proposing to install diceware or xkcdpass here yet,
but I believe that would also be a nice addition (and I would
deprecate apg).

That's a different discussion, however: let's get rid of 8-character
passwords for now, first.


  Commit: 460ca6e2a1a0e98b8bf33a189de0b4a8ef91c4b5
      https://github.com/grml/grml-autoconfig/commit/460ca6e2a1a0e98b8bf33a189de0b4a8ef91c4b5
  Author: Chris Hofstaedtler <ch at grml.org>
  Date:   2024-12-20 (Fri, 20 Dec 2024)

  Changed paths:
    M debian/grml-autoconfig.install
    M debian/grml-autoconfig.lintian-overrides

  Log Message:
  -----------
  Install systemd unit into /usr (DEP17)

While at it, also update lintian-overrides for modern lintian.


  Commit: 6bddd0c6a4aedf1c06afeb0ed6e561ff588a87ae
      https://github.com/grml/grml-autoconfig/commit/6bddd0c6a4aedf1c06afeb0ed6e561ff588a87ae
  Author: Chris Hofstaedtler <ch at grml.org>
  Date:   2024-12-20 (Fri, 20 Dec 2024)

  Changed paths:
    A .github/workflows/test-build.yml
    A test/docker-build-deb.sh
    A test/gha-build-deb.sh

  Log Message:
  -----------
  GHA: add debian package build workflow


  Commit: 579c288dfd449625ab48011a5011c9a10973ed43
      https://github.com/grml/grml-autoconfig/commit/579c288dfd449625ab48011a5011c9a10973ed43
  Author: Chris Hofstaedtler <ch at grml.org>
  Date:   2024-12-20 (Fri, 20 Dec 2024)

  Changed paths:
    M debian/changelog

  Log Message:
  -----------
  Update changelog for 0.23.2 release


  Commit: 83540525fbac44845df0e6803b550069cba020d1
      https://github.com/grml/grml-autoconfig/commit/83540525fbac44845df0e6803b550069cba020d1
  Author: Chris Hofstaedtler <ch at grml.org>
  Date:   2024-12-20 (Fri, 20 Dec 2024)

  Changed paths:
    M grml-autoconfig

  Log Message:
  -----------
  init script: use zsh -f to skip more startup rc code

This seems to save about 50% runtime on some invocations.


  Commit: 6c631e66ab50dae8040b57e8da3806f6c8aaceea
      https://github.com/grml/grml-autoconfig/commit/6c631e66ab50dae8040b57e8da3806f6c8aaceea
  Author: Chris Hofstaedtler <ch at grml.org>
  Date:   2024-12-20 (Fri, 20 Dec 2024)

  Changed paths:
    M autoconfig.functions

  Log Message:
  -----------
  performance: avoid uname call for ARCH

This is documented only for netconfig, most boots never use it.


  Commit: 6d908137a63777875955943c744385517c490dd6
      https://github.com/grml/grml-autoconfig/commit/6d908137a63777875955943c744385517c490dd6
  Author: Chris Hofstaedtler <ch at grml.org>
  Date:   2024-12-20 (Fri, 20 Dec 2024)

  Changed paths:
    M grml-autoconfig

  Log Message:
  -----------
  grml-autoconfig: trim extra whitespace


  Commit: daf31e1bbaa8bd8fb5b8de1aa699d24776ce5f52
      https://github.com/grml/grml-autoconfig/commit/daf31e1bbaa8bd8fb5b8de1aa699d24776ce5f52
  Author: Chris Hofstaedtler <ch at grml.org>
  Date:   2024-12-20 (Fri, 20 Dec 2024)

  Changed paths:
    M autoconfig.functions
    M bin/save-config

  Log Message:
  -----------
  performance: stop checking for pre-2018 live media paths


  Commit: 5eb2cc9dd721a3ce80a2595fdd9238c8acfaaf00
      https://github.com/grml/grml-autoconfig/commit/5eb2cc9dd721a3ce80a2595fdd9238c8acfaaf00
  Author: Chris Hofstaedtler <chris.hofstaedtler at deduktiva.com>
  Date:   2024-12-20 (Fri, 20 Dec 2024)

  Changed paths:
    M grml-autoconfig

  Log Message:
  -----------
  performance: require /etc/mtab to be a symlink already

Always true since a few Debian releases.


  Commit: b8fe5953a18a615405d2e0c77e18d567e14e2b05
      https://github.com/grml/grml-autoconfig/commit/b8fe5953a18a615405d2e0c77e18d567e14e2b05
  Author: Chris Hofstaedtler <chris.hofstaedtler at deduktiva.com>
  Date:   2024-12-20 (Fri, 20 Dec 2024)

  Changed paths:
    M autoconfig.functions
    M grml-autoconfig

  Log Message:
  -----------
  performance: require systemd to setup /{proc,sys,dev/pts}


  Commit: d56cfba3523bb9ba135b65980d7747b7495443bc
      https://github.com/grml/grml-autoconfig/commit/d56cfba3523bb9ba135b65980d7747b7495443bc
  Author: Chris Hofstaedtler <chris.hofstaedtler at deduktiva.com>
  Date:   2024-12-20 (Fri, 20 Dec 2024)

  Changed paths:
    M autoconfig.functions

  Log Message:
  -----------
  performance: avoid using $(cat)


  Commit: cebdbe8fcecd578d6839f85545d6242c616c09c0
      https://github.com/grml/grml-autoconfig/commit/cebdbe8fcecd578d6839f85545d6242c616c09c0
  Author: Chris Hofstaedtler <ch at grml.org>
  Date:   2024-12-20 (Fri, 20 Dec 2024)

  Changed paths:
    M autoconfig.functions
    M debian/grml-autoconfig.install
    A modules-load.d/grml-autoconfig.conf
    M systemd/grml-autoconfig.service

  Log Message:
  -----------
  performance: let systemd load 9pfs


  Commit: 807c4483b78ce32bbdc0409fe923bdf259df5181
      https://github.com/grml/grml-autoconfig/commit/807c4483b78ce32bbdc0409fe923bdf259df5181
  Author: Chris Hofstaedtler <ch at grml.org>
  Date:   2024-12-20 (Fri, 20 Dec 2024)

  Changed paths:
    M autoconfig.functions
    M modules-load.d/grml-autoconfig.conf

  Log Message:
  -----------
  performance: let systemd load efivarfs


  Commit: eb53d918e30e582fc6ccaa3a850344f71879d7c4
      https://github.com/grml/grml-autoconfig/commit/eb53d918e30e582fc6ccaa3a850344f71879d7c4
  Author: Chris Hofstaedtler <ch at grml.org>
  Date:   2024-12-20 (Fri, 20 Dec 2024)

  Changed paths:
    M autoconfig.functions

  Log Message:
  -----------
  performance: avoid running virt-what, imvirt three times

Also avoid running imvirt at all, if virt-what succeeds.


Compare: https://github.com/grml/grml-autoconfig/compare/56db87928d56%5E...eb53d918e30e

To unsubscribe from these emails, change your notification settings at https://github.com/grml/grml-autoconfig/settings/notifications

More information about the Git-commits mailing list