Possible value for secrets.peertube in production.yaml

fflorent · Janvier 6, 2023, 9:46

Hello,

In the production.yaml file, I see that we can generate the value for secrets.peertube using this command:

openssl rand -hex 32

I just wanted to know if there are some kind of constraints regarding the content of the string. For the Yunohost package, we’d like to ensure whether a string of 24 alphanum characters (mixing upper and lower case) randomly generated can be accepted by the system. Or has it to be an hexadecimal string only?

FWIW, here is the algorithm used to generate the random string for Yunohost:

github.com

YunoHost/yunohost/blob/cddfafaa553f6671f70ac440eca691ddbec67dc8/helpers/string#L13-L27

      
        
            ynh_string_random() {
                # Declare an array to define the options of this helper.
                local legacy_args=lf
                local -A args_array=([l]=length= [f]=filter=)
                local length
                local filter
                # Manage arguments with getopts
                ynh_handle_getopts_args "$@"
                length=${length:-24}
                filter=${filter:-'A-Za-z0-9'}
            
            
    dd if=/dev/urandom bs=1 count=1000 2>/dev/null \
                    | tr --complement --delete "$filter" \
                    | sed --quiet 's/\(.\{'"$length"'\}\).*/\1/p'
            }

Chocobozzz · Janvier 6, 2023, 10:08

Hi,

I don’t think we have constraints on secrets. We use scrypt on the secret to generate an encrypted secret to the appropriate byte size. This encrypted secret will be used as a key for a symmetric encryption (OTP secret in database).

JohnLivingston · Janvier 6, 2023, 11:37

For the record, in an Ansible playbook I used this value:
{{ lookup('password', peertube__config_secrets_peertube_path + ' length=64 chars=digits,a,b,c,d,e,f') }}

I used this because i didn’t know if I could have used other characters. And I didn’t find an obvious response looking at the Peertube code.