Bug 1257072

Summary: The "Standard Vault" MUST not be the default and must be discouraged
Product: Red Hat Enterprise Linux 7
Reporter: Petr Vobornik <pvoborni>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA
QA Contact: Namita Soman <nsoman>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.2
CC: ksiddiqu, mbasti, mkosek, rcritten, spoore
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ipa-4.2.0-7.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-11-19 12:06:03 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Petr Vobornik 2015-08-26 08:41:49 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/5251

The current default for vaults is the standard vault.

The standard vault is a vault that can be accessed by anyone who has access to the KRA key, and it is accessible by the framework directly.

The "standard vault" is therefore not a good default, as any admin can access it.

Users must take an actual explicit step to choose such a vault, and they must be prominently warned that an IPA administrator can access secrets stored in such a vault at any time.

The default vault should probably be the "symmetric vault".

Comment 3 Kaleem 2015-08-26 12:25:55 UTC
Please provide steps to verify this.

Comment 4 Petr Vobornik 2015-08-26 12:32:41 UTC
Adding a vault without any option should not create a standard vault. The default vault type should be symmetric:

Expected result:

$ ipa vault-add abc 
New password: 
Verify password: 
-----------------
Added vault "abc"
-----------------
  Vault name: abc
  Type: symmetric             <<< -------- OK
  Salt: LD/aKS7TKhD6HHmeqGRYdw==
  Owner users: admin
  Vault user: admin


Without this fix, the "Type:" would be "standard".
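The verification step above is a manual read of the "Type:" line. The following shell snippet is an added example, not part of the bug report or of FreeIPA itself: it parses vault output in the record format shown in these comments and flags any vault whose type is "standard", so the same check can be applied to a single `ipa vault-add` result or to a full `ipa vault-find` listing during an audit. The vault names and salt values in the embedded sample are constructed for the example, and the function names are assumptions of this snippet.

```shell
#!/bin/sh
# Added example (not from the bug report): audit the text output of
# `ipa vault-add` / `ipa vault-find` and flag vaults whose Type is
# "standard", since such a vault is readable by anyone holding the KRA key.

# Constructed sample output in the record format shown in the bug report.
# Vault names and salts are made up for this example.
SAMPLE_OUTPUT='
  Vault name: payroll
  Type: symmetric
  Salt: AAAAAAAAAAAAAAAAAAAAAA==
  Owner users: admin
  Vault user: admin

  Vault name: legacy
  Type: standard
  Owner users: admin
  Vault user: admin

  Vault name: signing
  Type: asymmetric
  Owner users: admin
  Vault user: admin
'

# Print "name<TAB>type" for every vault record found in the given output.
# A "Vault name:" line starts a record; the next "Type:" line belongs to it.
vault_types() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*Vault name:/ {
            sub(/^[[:space:]]*Vault name:[[:space:]]*/, "")
            sub(/[[:space:]]+$/, "")
            name = $0
        }
        /^[[:space:]]*Type:/ {
            sub(/^[[:space:]]*Type:[[:space:]]*/, "")
            sub(/[[:space:]].*$/, "")      # drop trailing annotation such as "<<< OK"
            print name "\t" $0
        }
    '
}

# Print the names of vaults whose type is "standard" (framework-readable).
standard_vaults() {
    vault_types "$1" | awk -F '\t' '$2 == "standard" { print $1 }'
}

# Return 0 when no standard vault is present in the output, 1 otherwise.
no_standard_vaults() {
    [ -z "$(standard_vaults "$1")" ]
}

# Check a single vault-add result: succeed only if the new vault is symmetric.
vault_add_is_symmetric() {
    [ "$(vault_types "$1" | awk -F '\t' 'NR == 1 { print $2 }')" = "symmetric" ]
}

# Stand-alone run: list every standard vault found in the sample listing.
standard_vaults "$SAMPLE_OUTPUT"
```

In practice the listing would come from `ipa vault-find --all` piped into `standard_vaults`, and a non-empty result is the signal that someone chose the standard type explicitly and should have been warned about administrator access.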

Comment 6 Scott Poore 2015-08-28 20:33:28 UTC
Verified.

Version ::

ipa-server-4.2.0-8.el7.x86_64

Results ::

[root@master ~]# ipa vault-add mynewtestvault
New password: 
Verify password: 
----------------------------
Added vault "mynewtestvault"
----------------------------
  Vault name: mynewtestvault
  Type: symmetric
  Salt: AAswXbtArUxxWCHiEKho/Q==
  Owner users: admin
  Vault user: admin

Comment 7 errata-xmlrpc 2015-11-19 12:06:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html