Bug 1398701
Summary: | [sssd-secrets] https proxy talks plain http
---|---
Product: | Red Hat Enterprise Linux 7
Reporter: | Jakub Hrozek <jhrozek>
Component: | sssd
Assignee: | SSSD Maintainers <sssd-maint>
Status: | CLOSED ERRATA
QA Contact: | Amith <apeetham>
Severity: | unspecified
Priority: | high
Version: | 7.3
CC: | cheimes, grajaiya, jhrozek, lslebodn, mkosek, mniranja, mzidek, nsoman, pbrezina, sgoveas
Target Milestone: | rc
Target Release: | ---
Hardware: | Unspecified
OS: | Unspecified
Fixed In Version: | sssd-1.15.2-8.el7
Doc Type: | If docs needed, set a value
Story Points: | ---
Last Closed: | 2017-08-01 09:02:33 UTC
Type: | ---
Regression: | ---
Mount Type: | ---
Documentation: | ---
Category: | ---
oVirt Team: | ---
Cloudforms Team: | ---
Bug Depends On: | 1403214
Bug Blocks: | 1399979
Description
Jakub Hrozek
2016-11-25 15:57:21 UTC
master: 13d720de13e490850c1139eea865bcd5195a2630 db826f57b4c2ee814823057cc536386889f7aa1d af026ea6a6e812b7d6c5c889dda64ba7b7c433ee 720e1a5b95a953a0f1c8315bbb7c9c1edf9fb417 06744bf5a47d5971a338281c8243b11cf72dac90 df99d709c8cbef3c378c111944d83b7345e4c1ea 793f2573b2beaf8b48eab850429482acf68ec2b1 6698d40512e55e7c2d03e14c227c51b1edc77ffa ae6b11229d9961e26922918183c7c1de7780b8d6 d1ed11fc50922aab2332758a9300f3fbf814f112 c2ea75da72b426d98ba489039e220d417bfb4c2a 886e0f75e6f4c7877a23a3625f8a20c09109b09d 36e49a842e257ac9bde71728ee3bef4299b6e6e2 b800a6d09244359959404aca81c6796a58cafbcb 300b9e9217ee1ed8d845ed2370c5ccf5c87afb36

Versions
========

```text
Red Hat Enterprise Linux Server release 7.4 Beta (Maipo)
custodia-0.3.1-2.el7.noarch
python-custodia-0.3.1-2.el7.noarch
sssd-common-pac-1.15.2-29.el7.x86_64
sssd-winbind-idmap-1.15.2-25.el7.x86_64
sssd-client-1.15.2-29.el7.x86_64
sssd-krb5-common-1.15.2-29.el7.x86_64
sssd-krb5-1.15.2-29.el7.x86_64
sssd-dbus-1.15.2-29.el7.x86_64
sssd-kcm-1.15.2-29.el7.x86_64
python-sssdconfig-1.15.2-29.el7.noarch
sssd-common-1.15.2-29.el7.x86_64
sssd-ad-1.15.2-29.el7.x86_64
sssd-proxy-1.15.2-29.el7.x86_64
sssd-1.15.2-29.el7.x86_64
sssd-ipa-1.15.2-29.el7.x86_64
sssd-tools-1.15.2-29.el7.x86_64
sssd-libwbclient-1.15.2-25.el7.x86_64
sssd-ldap-1.15.2-29.el7.x86_64
```

Custodia Config
===============

```ini
[DEFAULT]
libdir = /var/lib/custodia
logdir = /var/log/custodia
rundir = /var/run/custodia

[global]
debug = true
server_url = https://idm1.example.test:443
auditlog = ${logdir}/audit.log
tls_certfile = /opt/mynss/server.pem
tls_keyfile = /opt/mynss/server.key
tls_cafile = /opt/mynss/cacert.pem
tls_verify_client = False

# Accepts any request that specifies an arbitrary REMOTE_USER header
[auth:header]
handler = custodia.httpd.authenticators.SimpleHeaderAuth
header = MYSECRETNAME
value = mysecretkey

# Allow requests for all paths under '/' and '/secrets/'
[authz:paths]
handler = SimplePathAuthz
paths = / /secrets/

# Store secrets in a sqlite database called quick.db in the table 'secrets'
[store:quick]
handler = SqliteStore
dburi = ${libdir}/quick.db
table = secrets

# Serve starting from '/' and using the 'quick' store and the 'Root' handler
[/]
handler = Root
store = quick
```

sssd config
===========

```ini
[sssd]
domains = EXAMPLE.TEST
config_file_version = 2
services = nss, pam, ifp

[domain/EXAMPLE.TEST]
enumerate = false
id_provider = ldap
ldap_uri = ldap://idm1.example.test
ldap_search_base = dc=example,dc=test
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
auth_provider = krb5
krb5_server = idm1.example.test
krb5_kpasswd = idm1.example.test
krb5_realm = EXAMPLE.TEST
debug_level = 9
cache_credentials = True
krb5_store_password_if_offline = True

[nss]
debug_level = 9

[pam]
debug_level = 9
offline_credentials_expiration = 0

[secrets]
debug_level = 9

[kcm]
debug_level = 9

[secrets/users/14583100]
provider = proxy
proxy_url = https://idm1.example.test/secrets/
cacert = /opt/mynss/cacert.pem
cert = /opt/mynss/server.pem
key = /opt/mynss/server.key
verify_peer = False
auth_type = header
auth_header_name = MYSECRETNAME
auth_header_value = mysecretkey
```

1. Configure RHEL7.4 host to auth to kerberos with lookup from ldap
2. Configure a sub-section in sssd.conf for user foo0 with id 14583100 as shown above
3. Login as user foo0
4. From another terminal run tcpdump to capture packets on port 443

       $ tcpdump -s0 -w /tmp/custodia.pcap -i lo port 443

5. Create a Container foobar2 using curl

       curl -H "Content-Type: application/json" --unix-socket /var/run/secrets.socket -XPOST http://localhost/secrets/foobar2/

6. Save a password

       curl -H "Content-Type: application/octet-stream" --unix-socket /var/run/secrets.socket -XPUT http://localhost/secrets/foobar2/mailPassword -d 'Secret123'

7. Get the details of the container foobar2

       curl -H "Content-Type: application/json" --unix-socket /var/run/secrets.socket -XGET http://localhost/secrets/foobar2/
       ["mailPassword"]

8. Get the details of the key mailPassword

       curl -H "Content-Type: application/octet-stream" --unix-socket /var/run/secrets.socket -XGET http://localhost/secrets/foobar2/mailPassword
       {"type":"simple","value":"U2VjcmV0MTIz"}[foo0@idm1 ~]$

9. sssd_secrets logs show below output:

```text
(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_request_send] (0x0400): Sending TCURL request for https://idm1.example.test/secrets//foobar2/mailPassword, at socket <none>
(Sat May 20 13:38:54 2017) [sssd[secrets]] [schedule_fd_processing] (0x2000): timeout_ms: 1
(Sat May 20 13:38:54 2017) [sssd[secrets]] [handle_socket] (0x2000): Activity on curl socket 13 socket data (nil)
(Sat May 20 13:38:54 2017) [sssd[secrets]] [schedule_fd_processing] (0x2000): timeout_ms: 4999
(Sat May 20 13:38:54 2017) [sssd[secrets]] [check_curl_timeouts] (0x4000): Still tracking 1 outstanding requests
(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000): ---> begin libcurl data
(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000): HTTP/1.0 200 OK
(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000): <--- end libcurl data
(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000): ---> begin libcurl data
(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000): Server: Custodia/0.1
(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000): <--- end libcurl data
(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000): ---> begin libcurl data
(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000): Date: Sat, 20 May 2017 08:08:54 GMT
(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000): <--- end libcurl data
(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000): ---> begin libcurl data
(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000): Content-Length: 40
(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000): <--- end libcurl data
(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000): ---> begin libcurl data
(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000): Content-Type: application/json; charset=utf-8
(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000): <--- end libcurl data
(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000): ---> begin libcurl data
(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000):
(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000): <--- end libcurl data
(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000): ---> begin libcurl data
(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000): {"type":"simple","value":"U2VjcmV0MTIz"}
(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000): <--- end libcurl data
(Sat May 20 13:38:54 2017) [sssd[secrets]] [handle_socket] (0x2000): Activity on curl socket 13 socket data 0x7f7aa5fcd020
(Sat May 20 13:38:54 2017) [sssd[secrets]] [handle_curlmsg_done] (0x0400): Handled https://idm1.example.test/secrets//foobar2/mailPassword
(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_request_done] (0x0400): TCURL request finished [0]: Success
(Sat May 20 13:38:54 2017) [sssd[secrets]] [schedule_fd_processing] (0x2000): timeout_ms: -1
(Sat May 20 13:38:54 2017) [sssd[secrets]] [check_curl_timeouts] (0x4000): Still tracking 0 outstanding requests
(Sat May 20 13:38:54 2017) [sssd[secrets]] [sec_http_reply_iobuf] (0x1000): HTTP reply 200
(Sat May 20 13:38:54 2017) [sssd[secrets]] [sec_provider_recv] (0x2000): Request finished
(Sat May 20 13:38:54 2017) [sssd[secrets]] [sec_http_request_pipeline_done] (0x2000): sec request done
(Sat May 20 13:38:54 2017) [sssd[secrets]] [sec_send_data] (0x2000): sent 185 bytes, 0 bytes remaining
(Sat May 20 13:38:54 2017) [sssd[secrets]] [sec_recv] (0x4000): Client closed connection.
(Sat May 20 13:38:54 2017) [sssd[secrets]] [client_close_fn] (0x2000): Terminated client [0x7f7aa5ef8b80][12]
```

Tcpdump output:
===============

```text
Transmission Control Protocol, Src Port: 443 (443), Dst Port: 42468 (42468), Seq: 1, Ack: 192, Len: 2163
    Source port: 443 (443)
    Destination port: 42468 (42468)
    [Stream index: 0]
    Sequence number: 1    (relative sequence number)
    [Next sequence number: 2164    (relative sequence number)]
    Acknowledgment number: 192    (relative ack number)
    Header length: 32 bytes
    Flags: 0x018 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
    Window size value: 350
    [Calculated window size: 44800]
    [Window size scaling factor: 128]
    Checksum: 0x7e63 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        Timestamps: TSval 247537721, TSecr 247537720
            Kind: Timestamp (8)
            Length: 10
            Timestamp value: 247537721
            Timestamp echo reply: 247537720
    [SEQ/ACK analysis]
        [Bytes in flight: 2163]
        [TCP Analysis Flags]
            [This frame ACKs a segment we have not seen]
                [Expert Info (Warn/Sequence): ACKed segment that wasn't captured (common at capture start)]
                    [Message: ACKed segment that wasn't captured (common at capture start)]
                    [Severity level: Warn]
                    [Group: Sequence]
Secure Sockets Layer
    TLSv1.2 Record Layer: Handshake Protocol: Server Hello
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 89
        Handshake Protocol: Server Hello
            Handshake Type: Server Hello (2)
            Length: 85
            Version: TLS 1.2 (0x0303)
            Random
                gmt_unix_time: Dec 17, 2073 19:34:39.000000000 IST
                random_bytes: 3708e4f9ac4c64cc08cc1711ba1d52fe4669ee43bf4adc26...
            Session ID Length: 32
            Session ID: d719eba89b47ec91a336ebe6d1dc211d6c4338f25b1a5173...
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
            Compression Method: null (0)
            Extensions Length: 13
            Extension: renegotiation_info
                Type: renegotiation_info (0xff01)
                Length: 1
                Renegotiation Info extension
                    Renegotiation info extension length: 0
            Extension: ec_point_formats
                Type: ec_point_formats (0x000b)
                Length: 4
                EC point formats Length: 3
                Elliptic curves point formats (3)
                    EC point format: uncompressed (0)
                    EC point format: ansiX962_compressed_prime (1)
                    EC point format: ansiX962_compressed_char2 (2)
    TLSv1.2 Record Layer: Handshake Protocol: Certificate
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 1717
        Handshake Protocol: Certificate
            Handshake Type: Certificate (11)
            Length: 1713
            Certificates Length: 1710
            Certificates (1710 bytes)
                Certificate Length: 871
                Certificate (id-at-commonName=idm1.example.test,id-at-organizationName=IDMQE,id-at-localityName=Pune,id-at-stateOrProvinceName=Maharashtra,id-at-countryName=IN)
                    signedCertificate
                        version: v3 (2)
                        serialNumber: 2851820452
                        signature (sha256WithRSAEncryption)
                            Algorithm Id: 1.2.840.113549.1.1.11 (sha256WithRSAEncryption)
                        issuer: rdnSequence (0)
                        ...
                <Certificate exchange>
    TLSv1.2 Record Layer: Handshake Protocol: Server Key Exchange
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 333
        Handshake Protocol: Server Key Exchange
            Handshake Type: Server Key Exchange (12)
            Length: 329
            EC Diffie-Hellman Server Params
                curve_type: named_curve (0x03)
                named_curve: secp256r1 (0x0017)
                Pubkey Length: 65
                pubkey: 04ad89c01d992c3b59ccc5a0986abb89de17cbe2d2e01cd6...
                Signature Hash Algorithm: 0x0601
                    Signature Hash Algorithm Hash: SHA512 (6)
                    Signature Hash Algorithm Signature: RSA (1)
                Signature Length: 256
                signature: 4863bc69e6943b757633217e8cdff4b84445672abe2c414a...
    TLSv1.2 Record Layer: Handshake Protocol: Server Hello Done
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 4
        Handshake Protocol: Server Hello Done
            Handshake Type: Server Hello Done (14)
            Length: 0
```

Created attachment 1280585 [details]
tcpdump output (ascii)
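As an added illustration (not code from sssd, Custodia, or this bug's reporters), the Python below lints the `[secrets/users/<uid>]` proxy section from the sssd config above and classifies what a server sent back on the proxy port, the same distinction the tcpdump draws between a TLS ServerHello and a plaintext reply. The sssd.conf text and the byte strings are constructed; treating `verify_peer` as a case-insensitive boolean that defaults to true is an assumption.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample: the proxy section from the bug report (verify_peer = False
# is the weak setting) plus a hypothetical section that uses plain http and no CA.
SAMPLE_CONF = """
[secrets/users/14583100]
provider = proxy
proxy_url = https://idm1.example.test/secrets/
cacert = /opt/mynss/cacert.pem
verify_peer = False

[secrets/users/14583101]
provider = proxy
proxy_url = http://idm1.example.test/secrets/
"""

# Constructed server bytes: the TLS 1.2 ServerHello record header seen in the tcpdump
# (type 22, version 0x0303, length 89, handshake type 2, length 85) and the plaintext
# reply a proxy that "talks plain http" would get on port 443 instead.
TLS_SERVER_HELLO = bytes.fromhex("160303005902000055")
PLAIN_HTTP_REPLY = b"HTTP/1.0 200 OK\r\nServer: Custodia/0.1\r\n"


def lint_secrets_proxy(conf_text):
    """Return (section, finding) pairs for every [secrets/...] proxy section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []
    for name in cp.sections():
        if not name.startswith("secrets/") or cp.get(name, "provider", fallback="") != "proxy":
            continue
        if urlparse(cp.get(name, "proxy_url", fallback="")).scheme != "https":
            findings.append((name, "proxy_url is not https"))
        # Assumption: verify_peer is a case-insensitive boolean that defaults to true.
        if cp.get(name, "verify_peer", fallback="true").strip().lower() != "true":
            findings.append((name, "verify_peer disabled"))
        if not cp.get(name, "cacert", fallback=""):
            findings.append((name, "no cacert configured"))
    return findings


def classify_server_bytes(data):
    """Classify the first bytes a server sent on the proxy port."""
    # A TLS record begins with content type 22 (handshake) and major version 0x03.
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-handshake"
    if data.startswith(b"HTTP/1."):
        return "plaintext-http"
    return "unknown"
```

Run the lint against a real sssd.conf before relying on the proxy, and feed the first bytes read from the proxy port to `classify_server_bytes` to confirm the peer negotiates TLS rather than answering in the clear.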
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2017:2294