Bug 1254304
| Summary: | Changing vault encryption attributes | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Petr Vobornik <pvoborni> |
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.2 | CC: | ksiddiqu, rcritten, spoore |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | ipa-4.2.0-6.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-11-19 12:05:35 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Description
Petr Vobornik
2015-08-17 16:32:05 UTC
Fixed upstream

- master: https://fedorahosted.org/freeipa/changeset/e46d9236d19f714b67fdf2865f19146c3016f46d
- ipa-4-2: https://fedorahosted.org/freeipa/changeset/d4969ede51e6098e962ff660daf13e8c61d4ac28

Verified. Ran against assortment of vault-mod commands.

Version ::

ipa-server-4.2.0-9.el7.x86_64

Results ::

```
[root@master test]# #####################################################################
[root@master test]# # setup
[root@master test]# #####################################################################
[root@master test]# ipa vault-add vchange --type standard
---------------------
Added vault "vchange"
---------------------
  Vault name: vchange
  Type: standard
  Owner users: admin
  Vault user: admin
[root@master test]# ipa vault-archive vchange --data=$(echo 123456|base64)
----------------------------------
Archived data into vault "vchange"
----------------------------------
[root@master test]# openssl genrsa -out private.pem 2048
Generating RSA private key, 2048 bit long modulus
....................................................................+++
......+++
e is 65537 (0x10001)
[root@master test]# openssl rsa -in private.pem -out public.pem -pubout
writing RSA key
[root@master test]# openssl genrsa -out new-private.pem 2048
Generating RSA private key, 2048 bit long modulus
.................................+++
.............................+++
e is 65537 (0x10001)
[root@master test]# openssl rsa -in new-private.pem -out new-public.pem -pubout
writing RSA key
[root@master test]# PUBKEYBLOB=$(cat public.pem |base64|grep -v '^-----'|tr -d '\n\r')
[root@master test]# PRVKEYBLOB=$(cat private.pem |base64|grep -v '^-----'|tr -d '\n\r')
[root@master test]# NEWPUBKEYBLOB=$(cat new-public.pem |base64|grep -v '^-----'|tr -d '\n\r')
[root@master test]# NEWPRVKEYBLOB=$(cat new-private.pem |base64|grep -v '^-----'|tr -d '\n\r')
[root@master test]#
[root@master test]# #####################################################################
[root@master test]# # change type from standard to symmetric
[root@master test]# #####################################################################
[root@master test]# ipa vault-mod vchange --type symmetric --new-password 123
------------------------
Modified vault "vchange"
------------------------
  Vault name: vchange
  Type: symmetric
  Salt: oEOVkIftGESkvZ8Epdqd+Q==
  Owner users: admin
  Vault user: admin
[root@master test]# ipa vault-retrieve vchange --password 123 --out=/tmp/vchange.out
-----------------------------------
Retrieved data from vault "vchange"
-----------------------------------
[root@master test]# grep 123456 /tmp/vchange.out
123456
[root@master test]#
[root@master test]# #####################################################################
[root@master test]# # change symmetric password interactively
[root@master test]# #####################################################################
[root@master test]# expect -f - <<EOF
> set timeout 30
> spawn ipa vault-mod vchange --change-password
> expect "ssword:*"
> send -- "123\r"
> expect "ssword:*"
> send -- "1234\r"
> expect "ssword:*"
> send -- "1234\r"
> expect eof
> EOF
spawn ipa vault-mod vchange --change-password
Password:
New password:
Verify password:
------------------------
Modified vault "vchange"
------------------------
  Vault name: vchange
  Type: symmetric
  Salt: UxcKZE3G0wQdsWR2v1SX3w==
  Owner users: admin
  Vault user: admin
[root@master test]# ipa vault-retrieve vchange --password=1234 --out=/tmp/vchange.out
-----------------------------------
Retrieved data from vault "vchange"
-----------------------------------
[root@master test]# grep 123456 /tmp/vchange.out
123456
[root@master test]#
[root@master test]# #####################################################################
[root@master test]# # change symmetric password
[root@master test]# #####################################################################
[root@master test]# ipa vault-mod vchange --old-password=1234 --new-password=abcde
------------------------
Modified vault "vchange"
------------------------
  Vault name: vchange
  Type: symmetric
  Salt: NnhtSAHcQrpLjvn3IGIyIg==
  Owner users: admin
  Vault user: admin
[root@master test]# ipa vault-retrieve vchange --password=abcde --out=/tmp/vchange.out
-----------------------------------
Retrieved data from vault "vchange"
-----------------------------------
[root@master test]# grep 123456 /tmp/vchange.out
123456
[root@master test]#
[root@master test]# #####################################################################
[root@master test]# # fail to retrieve vault after password change
[root@master test]# #####################################################################
[root@master test]# ipa vault-retrieve vchange --password=12345 --out=/tmp/vchange.out
ipa: ERROR: Invalid credentials
[root@master test]#
[root@master test]# #####################################################################
[root@master test]# # change type from symmetric to asymmetric
[root@master test]# #####################################################################
[root@master test]# ipa vault-mod vchange --type=asymmetric --old-password=abcde --public-key-file=public.pem
------------------------
Modified vault "vchange"
------------------------
  Vault name: vchange
  Type: asymmetric
  Public key: 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
  Owner users: admin
  Vault user: admin
[root@master test]# ipa vault-retrieve vchange --private-key-file=private.pem --out=/tmp/vchange.out
-----------------------------------
Retrieved data from vault "vchange"
-----------------------------------
[root@master test]# grep 123456 /tmp/vchange.out
123456
[root@master test]#
[root@master test]# #####################################################################
[root@master test]# # fail to retrieve asymmetric vault with previous symmetric password
[root@master test]# #####################################################################
[root@master test]# ipa vault-retrieve vchange --password=abcde --out=/tmp/vchange.out
ipa: ERROR: invalid 'private_key': Missing vault private key
[root@master test]#
[root@master test]# #####################################################################
[root@master test]# # change asymmetric keys with files
[root@master test]# #####################################################################
[root@master test]# ipa vault-mod vchange --private-key-file=private.pem --public-key-file=new-public.pem
------------------------
Modified vault "vchange"
------------------------
  Vault name: vchange
  Type: asymmetric
  Public key: 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
  Owner users: admin
  Vault user: admin
[root@master test]# ipa vault-retrieve vchange --private-key-file=new-private.pem --out=/tmp/vchange.out
-----------------------------------
Retrieved data from vault "vchange"
-----------------------------------
[root@master test]# grep 123456 /tmp/vchange.out
123456
[root@master test]#
[root@master test]# #####################################################################
[root@master test]# # fail to retrieve vault after changing keys with files
[root@master test]# #####################################################################
[root@master test]# ipa vault-retrieve vchange --private-key-file=private.pem --out=/tmp/vchange.out
ipa: ERROR: Invalid credentials
[root@master test]#
[root@master test]# #####################################################################
[root@master test]# # change asymmetric to symmetric
[root@master test]# #####################################################################
[root@master test]# ipa vault-mod vchange --private-key-file=new-private.pem --new-password=12345
------------------------
Modified vault "vchange"
------------------------
  Vault name: vchange
  Type: symmetric
  Salt: XXFi6afUaVs92P/a7Upd5A==
  Owner users: admin
  Vault user: admin
[root@master test]# ipa vault-retrieve vchange --password=12345 --out=/tmp/vchange.out
-----------------------------------
Retrieved data from vault "vchange"
-----------------------------------
[root@master test]# grep 123456 /tmp/vchange.out
123456
[root@master test]#
[root@master test]# #####################################################################
[root@master test]# # fail to retrieve symmetric vault with previous assymmetric keys
[root@master test]# #####################################################################
[root@master test]# expect -f - <<EOF
> set timeout 30
> spawn ipa vault-retrieve vchange --private-key-file=new-private.pem --out=/tmp/vchange.out
> expect "ssword:*"
> send -- "\r"
> expect eof
> EOF
spawn ipa vault-retrieve vchange --private-key-file=new-private.pem --out=/tmp/vchange.out
Password:
ipa: ERROR: Invalid credentials
[root@master test]#
[root@master test]# #####################################################################
[root@master test]# # change symmetric password with files
[root@master test]# #####################################################################
[root@master test]# echo 12345 > oldpw
[root@master test]# echo abcdefg > newpw
[root@master test]# ipa vault-mod vchange --old-password-file=oldpw --new-password-file=newpw
------------------------
Modified vault "vchange"
------------------------
  Vault name: vchange
  Type: symmetric
  Salt: 24OfUQvxVLUpF6yMZFjekg==
  Owner users: admin
  Vault user: admin
[root@master test]# ipa vault-retrieve vchange --password-file=newpw --out=/tmp/vchange.out
-----------------------------------
Retrieved data from vault "vchange"
-----------------------------------
[root@master test]# grep 123456 /tmp/vchange.out
123456
[root@master test]#
[root@master test]# #####################################################################
[root@master test]# # fail to retrieve vault after password change with files
[root@master test]# #####################################################################
[root@master test]# ipa vault-retrieve vchange --password-file=oldpw --out=/tmp/vchange.out
ipa: ERROR: Invalid credentials
[root@master test]#
[root@master test]# #####################################################################
[root@master test]# # change symmetric to standard
[root@master test]# #####################################################################
[root@master test]# ipa vault-mod vchange --old-password=abcdefg --type standard
------------------------
Modified vault "vchange"
------------------------
  Vault name: vchange
  Type: standard
  Owner users: admin
  Vault user: admin
[root@master test]# ipa vault-retrieve vchange --out=/tmp/vchange.out
-----------------------------------
Retrieved data from vault "vchange"
-----------------------------------
[root@master test]# grep 123456 /tmp/vchange.out
123456
[root@master test]#
[root@master test]# #####################################################################
[root@master test]# # change standard to asymmetric
[root@master test]# #####################################################################
[root@master test]# ipa vault-mod vchange --type asymmetric --public-key="$PUBKEYBLOB"
------------------------
Modified vault "vchange"
------------------------
  Vault name: vchange
  Type: asymmetric
  Public key: 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
  Owner users: admin
  Vault user: admin
[root@master test]# ipa vault-retrieve vchange --private-key="$PRVKEYBLOB" --out=/tmp/vchange.out
-----------------------------------
Retrieved data from vault "vchange"
-----------------------------------
[root@master test]# grep 123456 /tmp/vchange.out
123456
[root@master test]#
[root@master test]# #####################################################################
[root@master test]# # change asymmetric keys with blobs
[root@master test]# #####################################################################
[root@master test]# ipa vault-mod vchange --private-key="$PRVKEYBLOB" --public-key="$NEWPUBKEYBLOB"
------------------------
Modified vault "vchange"
------------------------
  Vault name: vchange
  Type: asymmetric
  Public key: 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
  Owner users: admin
  Vault user: admin
[root@master test]# ipa vault-retrieve vchange --private-key="$NEWPRVKEYBLOB" --out=/tmp/vchange.out
-----------------------------------
Retrieved data from vault "vchange"
-----------------------------------
[root@master test]# grep 123456 /tmp/vchange.out
123456
[root@master test]#
[root@master test]# #####################################################################
[root@master test]# # fail to retrieve vault after changing keys with blobs
[root@master test]# #####################################################################
[root@master test]# ipa vault-retrieve vchange --private-key="$PRVKEYBLOB"
ipa: ERROR: Invalid credentials
[root@master test]#
[root@master test]#
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html