Bug 1452668
| Summary: | [downstream clone - 4.1.4] [RFE] possibility to enter encrypted passwords in --password option | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Virtualization Manager | Reporter: | rhev-integ |
| Component: | ovirt-engine-extension-aaa-jdbc | Assignee: | Miroslava Voglova <mvoglova> |
| Status: | CLOSED ERRATA | QA Contact: | Lucie Leistnerova <lleistne> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 3.6.6 | CC: | apinnick, bgraveno, bugs, lleistne, michal.skrivanek, mperina, mvoglova, oourfali |
| Target Milestone: | ovirt-4.1.4 | Keywords: | FutureFeature, Rebase, ZStream |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | 1.1.6 | Doc Type: | Enhancement |
| Doc Text: |
Previously, administrators had to enter an unencrypted password when invoking 'ovirt-aaa-jdbc-tool user password-reset'. The password was then encrypted inside ovirt-aaa-jdbc-tool and stored in the database.
This update enables administrators to use the new --encrypted option to enter an already encrypted password when invoking 'ovirt-aaa-jdbc-tool user password-reset'.
However there are some caveats when providing encrypted passwords:
1. Entering an encrypted password means that password validity tests cannot be performed, so they are skipped and the password is accepted even if it does not comply with the password validation policy.
2. A password has to be encrypted using the same configured algorithm. To encrypt passwords, administrators can use the '/usr/share/ovirt-engine/bin/ovirt-engine-crypto-tool.sh' tool, which provides the 'pbe-encode' command to encrypt passwords using the default PBKDF2WithHmacSHA1 algorithm.
|
Story Points: | --- |
| Clone Of: | 1389673 | Environment: | |
| Last Closed: | 2017-07-27 18:04:30 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | Infra | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1389673 | ||
| Bug Blocks: | 1486740 | ||
|
Comment 4
Lucie Leistnerova
2017-06-06 13:17:54 UTC
Fix will be included in ovirt-engine-extension-aaa-jdbc 1.1.6 " ...otherwise the user will not be able to login because tests cannot be performed to correct the encryption algorithm that was used... " This part of doc text is not correct anymore. There is way to check if proper encryption algorithm was used. So administrator will be informed that he uses wrong algorithm and users password will not be altered. I suggest to just omit this part from doc text. So it will look like this: "A password has to be encrypted using the same configured algorithm. To encrypt passwords, administrators can use the '/usr/share/ovirt-engine/bin/ovirt-engine-crypto-tool.sh' tool, which provides the 'pbe-encode' command to encrypt passwords using the default PBKDF2WithHmacSHA1 algorithm." Thanks Miroslava. I implemented the suggestion. Moving the bug to 4.1.4, because by mistake as a part of 4.1.3 aaa-jdbc 1.1.5 was delivered and this release contains fix for the bug which failed QA. Complete fix is included in aaa-jdbc 1.1.6, so it's worth to release asap Now is not possible to set bad encrypted password, error is written (even with --force). verified in ovirt-engine-extension-aaa-jdbc-1.1.6-1.el7ev.noarch, ovirt-engine-4.1.4.1-0.1.el7.noarch Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:1818 (In reply to Miroslava Voglova from comment #6) > " ...otherwise the user will not be able to login because tests cannot be > performed to correct the encryption algorithm that was used... " > This part of doc text is not correct anymore. There is way to check if > proper encryption algorithm was used. So administrator will be informed that > he uses wrong algorithm and users password will not be altered. > > I suggest to just omit this part from doc text. So it will look like this: > > "A password has to be encrypted using the same configured algorithm. To > encrypt passwords, administrators can use the > '/usr/share/ovirt-engine/bin/ovirt-engine-crypto-tool.sh' tool, which > provides the 'pbe-encode' command to encrypt passwords using the default > PBKDF2WithHmacSHA1 algorithm." Miroslava, I am trying to document this in the Admin guide (https://bugzilla.redhat.com/show_bug.cgi?id=1486740). Should we provide instructions for using the ovirt-engine-crypto-tool.sh tool? I ran the script but couldn't figure out what kind of input it required. Does the admin need to know how to use this tool? (In reply to Avital Pinnick from comment #14) > Miroslava, I am trying to document this in the Admin guide > (https://bugzilla.redhat.com/show_bug.cgi?id=1486740). > > Should we provide instructions for using the ovirt-engine-crypto-tool.sh > tool? I ran the script but couldn't figure out what kind of input it > required. Does the admin need to know how to use this tool? Admin should be able to use this crypto-tool for acquiring encrypted password, if he wants to use the --encrypted option. So we should provide instructions for using it, but I would limit these instructions only for pbe-encode command, AFAIK other commands don't work properly. Help message: /usr/share/ovirt-engine/bin/ovirt-engine-crypto-tool.sh pbe-encode [options] Options: --algorithm=[ALGORITHM] PBE algorithm, default: PBKDF2WithHmacSHA1 --help Show help. --iterations=[NUMBER] Number of iterations, default: 4000 --key-size=[NUMBER] Key size, default: 256 --password=[PASSWORD] Password can be specified in one of the following format: interactive: - query password interactively [default]. pass:STRING - provide a password as STRING. env:KEY - provide a password using environment KEY. file:FILE - provide a password as 1st line of FILE. All options have default values, so they don't have to be specified. Input for this tool is password that you want to encode. Password can be passed interactively, as string in password option, in some environment variable or inside some file. (In reply to Miroslava Voglova from comment #15) > (In reply to Avital Pinnick from comment #14) > > Miroslava, I am trying to document this in the Admin guide > > (https://bugzilla.redhat.com/show_bug.cgi?id=1486740). > > > > Should we provide instructions for using the ovirt-engine-crypto-tool.sh > > tool? I ran the script but couldn't figure out what kind of input it > > required. Does the admin need to know how to use this tool? > > Admin should be able to use this crypto-tool for acquiring encrypted > password, if he wants to use the --encrypted option. So we should provide > instructions for using it, but I would limit these instructions only for > pbe-encode command, AFAIK other commands don't work properly. > > Help message: > > /usr/share/ovirt-engine/bin/ovirt-engine-crypto-tool.sh pbe-encode [options] > > Options: > --algorithm=[ALGORITHM] > PBE algorithm, default: PBKDF2WithHmacSHA1 > > --help > Show help. > > --iterations=[NUMBER] > Number of iterations, default: 4000 > > --key-size=[NUMBER] > Key size, default: 256 > > --password=[PASSWORD] > Password can be specified in one of the following format: > interactive: - query password interactively [default]. > pass:STRING - provide a password as STRING. > env:KEY - provide a password using environment KEY. > file:FILE - provide a password as 1st line of FILE. > > > All options have default values, so they don't have to be specified. > Input for this tool is password that you want to encode. Password can be > passed interactively, as string in password option, in some environment > variable or inside some file. OK. I'll just document the --password= option. Thanks! |