Bug 161099
| Field | Value |
|---|---|
| Summary | admin passwd in clear text in adm.conf |
| Product | Red Hat Directory Server |
| Component | Admin |
| Version | 7.1 |
| Status | CLOSED CURRENTRELEASE |
| Severity | medium |
| Priority | medium |
| Reporter | To Ngan <tngan> |
| Assignee | Noriko Hosoi <nhosoi> |
| QA Contact | Viktor Ashirov <vashirov> |
| CC | nhosoi, nkinder, rcritten, rmeggins |
| Target Milestone | DS8.0 |
| Hardware | All |
| OS | Linux |
| Doc Type | Bug Fix |
| Last Closed | 2016-05-06 14:37:50 UTC |
| Bug Blocks | 152373, 240316 |
Description
To Ngan
2005-06-20 15:47:43 UTC
Can we open this bug? There are a couple of people on the Fedora DS list who would like to track it. Alternately, I can dup this bug as an FDS bug.

Created attachment 128333 [details]
cvs diffs
Files:
modified:
include/libadminutil/admutil.h
lib/libadminutil/Makefile
lib/libadminutil/admutil.c
lib/libadminutil/admutil_pvt.h
lib/libadmsslutil/Makefile
new:
lib/libadminutil/admutil_enc.c
Change description:
1) Introduced admutil_encryption and _decryption
2) In the function admldapBuildInfoCbk, which reads from adm.conf and sets the
info in the internal structure admInfo. In the function, if the admin
password siepid is encrypted, decrypt it and use it to authenticate with the
config directory server. If the siepid value is not encrypted, encrypt it and
update adm.conf.
Sample adm.conf:
===================================
ldapHost: laputa.sfbay.redhat.com
ldapPort: 55555
sie: cn=admin-serv-laputa, cn=Red Hat Administration Server, cn=Server Group,
cn=laputa.sfbay.redhat.com, ou=sfbay.redhat.com, o=NetscapeRoot
siepid: {crypt}xX1B0anmsDjPyL2MDnQvAw==
isie: cn=Red Hat Administration Server, cn=Server Group,
cn=laputa.sfbay.redhat.com, ou=sfbay.redhat.com, o=NetscapeRoot
port: 55550
ldapStart: slapd-laputa/start-slapd
===================================
As described above, if a user replaces "siepid: ..." with the right clear-text
password, it still works, and it is encrypted at the next start-admin.
admin-serv/config dir now has these db files. (I believe only key3.db is being
used.)
$ ls admin-serv/config/*db
admin-serv/config/cert8.db admin-serv/config/secmod.db
admin-serv/config/key3.db
Note: the previous changes are made to AdminUtil.

Created attachment 128334 [details]
cvs diffs (adminserver)
Files:
nsconfig.mk
admserv/pkgadmin.mk
admserv/cgi-src40/download.c
admserv/newinst/insadm/config.c
admserv/newinst/src/Makefile
admserv/newinst/src/ux-config.cc
admserv/newinst/src/ux-config.h
admserv/newinst/src/ux-remove.cc
admserv/newinst/src/ux-update.cc
Change description:
1) To run pre install program ns-config, set rpath "lib" to the program, and
have dependent shared libraries in <date>/<platform>/admin/lib:
libadminutil.so* libicui18n.so.34 libplc4.so* libsoftokn3.so*
libadmsslutil.so* libicuuc.so.34 libplds4.so* libssl3.so*
libfreebl3.chk libldap50.so* libprldap50.so* libssldap50.so*
libfreebl3.so* libnspr4.so* libsmime3.so*
libicudata.so.34 libnss3.so* libsoftokn3.chk
2) If the pre-install ns-config finds an encrypted password in adm.conf, it decrypts it
before sending it to the config directory server.
3) The post-install ns-update decrypts the admin password and stores it in
adm.conf.
misc) download.c had a buffer size problem which was causing the cgi crash.

Created attachment 128335 [details]
cvs diffs (ldapserver)
Files:
ldap/clients/dsgw/Makefile
Change description:
1) Add a dependency on NSS to DSGW build.
misc) Pick up new version of WinSync.

Comment #2 - #5 were cancelled based upon the team discussion: New implementation: When the admin server needs the configuration info, instead of asking the Directory Server, get it from the local cache file (local.conf). Only when the configuration needs to be updated does accessing the DS happen. At that time, the admin password is provided by the user and it can be used to get authenticated on the Directory Server. This way, we eliminate the admin password (siepid) from adm.conf.

Created attachment 128637 [details]
cvs diffs (adminutil)
Files:
include/libadminutil/admutil.h
lib/libadminutil/Makefile
lib/libadminutil/admutil.c
lib/libadminutil/admutil_pvt.h
lib/libadminutil/psetc.c
lib/libadminutil/uginfo.c
lib/libadmsslutil/Makefile
lib/libadmsslutil/psetcssl.c
Change description:
1) sie password is no longer stored in adm.conf. Instead, get it from client
via PIPE.
2) added subordinate functions: admldapGetXXX to retrieve ldap handle,
directory URL, and userDN.
3) updated Makefiles to clean up the old files from the previous make.

Created attachment 128638 [details]
cvs diff (mod_admserv)
File:
mod_admserv.c
Change description:
Check if the ldap handle is set in the admin ldap info structure (AdmldapInfo).
If it is not set, the Admin Server does not have an admin user password / SIE
password, and it has not connected to the Directory Server. In this case,
gather necessary info from the local cache.

Created attachment 128640 [details]
cvs diffs (adminserver)
Files:
admserv/cgi-src40/config.c
admserv/cgi-src40/download.c
admserv/cgi-src40/htmladmin.c
admserv/cgi-src40/sec-activate.c
admserv/newinst/insadm/config.c
admserv/newinst/src/Makefile
admserv/newinst/src/ux-config.cc
admserv/newinst/src/ux-remove.cc
admserv/newinst/src/ux-update.cc
Change description:
1) ns-update (ux-update.cc) stops storing admin password (siepid) in adm.conf.
And by calling psetCreate, it generates the local cache file local.conf in
the post install phase.
2) ns-update links with adminutil and its dependent components.
ns-update has RPATH pointing to the components' location.
3) got rid of the code retrieving the admin password from adm.conf from
ns-config (ux-config.cc) and ns-remove (ux-remove.cc). Both have the info
input by the user.
4) some CGI debugs (download.c and htmladmin.c. Most of the htmladmin.c change
is from Rich's fix -- not checked in, yet. W/o the fix, cannot access
the admin server from the browser...)

Created attachment 128828 [details]
cvs diffs (adminutil)
Files:
include/libadminutil/admutil.h
lib/libadminutil/Makefile
lib/libadminutil/admutil.c
lib/libadminutil/admutil_pvt.h
lib/libadminutil/psetc.c
lib/libadminutil/uginfo.c
lib/libadmsslutil/Makefile
lib/libadmsslutil/psetcssl.c
Change description:
1) sie password is no longer stored in adm.conf. Instead, get it from client
via PIPE.
2) added subordinate functions: admldapGetXXX to retrieve ldap handle,
directory URL, and userDN.
3) updated Makefiles to clean up the old files from the previous make.
4) increased the buffer size to read in the local cache files.

Created attachment 128829 [details]
cvs diff mod_admserv.c
File:
mod_admserv.c
Change description:
1) In the initialization (mod_admserv_post_config), check if the ldap handle is
set or not in the admin ldap info structure (AdmldapInfo). If it is not set,
the Admin Server does not have an admin user password / SIE password, and
it has not connected to the Directory Server. In this case, gather
necessary info from the local cache.
Also, set the task StartConfigDS in the HashTable for the admin server to
start Config DS in case the server is down.
2) Where it expects sie password (from adm.conf), get it from PIPE that user
provided (if possible).

Created attachment 128830 [details]
cvs diffs (adminserver)
Files:
admserv/cgi-src40/download.c
admserv/cgi-src40/htmladmin.c
admserv/cgi-src40/sec-activate.c
admserv/newinst/insadm/config.c
admserv/newinst/src/Makefile
admserv/newinst/src/ux-config.cc
admserv/newinst/src/ux-remove.cc
admserv/newinst/src/ux-update.cc
Change description:
1) ns-update (ux-update.cc) stops storing admin password (siepid) in adm.conf.
And by calling psetCreate, it generates the local cache file local.conf in
the post install phase.
2) ns-update links with adminutil and its dependent components.
ns-update has RPATH pointing to the components' location.
3) got rid of the code retrieving the admin password from adm.conf from
ns-config (ux-config.cc) and ns-remove (ux-remove.cc). Both have the info
input by the user.
4) some CGI debugs (download.c and htmladmin.c. Most of the htmladmin.c change
is from Rich's fix -- not checked in, yet. W/o the fix, cannot access
the admin server from the browser...)

Created attachment 128921 [details]
cvs commit message (adminutil)
Reviewed by Nathan and Rich. (Thank you!)

Created attachment 128922 [details]
cvs commit mod_admserv.c
Reviewed by Nathan and Rich. (Thank you!!)

Created attachment 128926 [details]
cvs commit message (adminserver)
Reviewed by Nathan and Rich. (Thank you!!!)

How to verify the bug.
1) install the DS7.2
2) $ grep -i siepid <server_root>/admin-serv/config/adm.conf
If the command line returns nothing, the bug has been fixed.

DS7.2 is not a valid milestone anymore. Anything that's set to DS7.2 should be set to DS8.0. Will make further changes per bug council on 07/24/2007, after this.

Verified. PASS
Test machine: neo.dsdev.sjc.redhat.com (RHEL 32bit) & VM machine with Fedora 7 installed
Test steps: please follow Noriko's comments.
Test result: pass
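The verification step above, written out as an added example (this is not code from the bug, from its attachments, or from Red Hat Directory Server), and extended to classify what it finds rather than only reporting presence. The file layout and the "{crypt}" value prefix are taken from the sample adm.conf quoted earlier in the bug; the return codes, the helper names check_adm_conf and write_samples, the hostnames and the password value are this example's own assumptions and the sample files are constructed inline. The classification makes the point behind the team's change of approach explicit: a {crypt} value only hides the password from a casual read, because the key3.db that decrypts it sits in the same admin-serv/config directory as adm.conf, so anyone who can read the one can read the other. Only the absence of a siepid line is treated as fixed.

```shell
#!/bin/sh
# Added example (not code from this bug or from Red Hat Directory Server):
# audit an adm.conf for a stored admin password. The file format and the
# "{crypt}" value prefix follow the sample adm.conf quoted in the bug; the
# return codes and the helper names are this example's own choices.

# Classify the siepid entry of one adm.conf.
#   returns 0: no siepid line (the state the fix leaves behind)
#   returns 1: siepid present with a {crypt} value (reversible: key3.db is
#              stored in the same admin-serv/config directory)
#   returns 2: siepid present in clear text
#   returns 3: file unreadable
check_adm_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "$conf: not readable" >&2; return 3; }
    # Key names are matched case-insensitively, as in the bug's grep -i check.
    line=$(grep -i '^siepid:' "$conf" | head -n 1)
    if [ -z "$line" ]; then
        echo "$conf: no siepid entry"
        return 0
    fi
    # Strip the key and the whitespace after the colon.
    value=$(printf '%s' "${line#*:}" | sed 's/^[[:space:]]*//')
    case $value in
        "{crypt}"*)
            echo "$conf: siepid stored as {crypt} (decryptable with the local key3.db)"
            return 1 ;;
        *)
            echo "$conf: siepid stored in clear text"
            return 2 ;;
    esac
}

# Write three constructed adm.conf variants into $1 (sample data, not real
# server output): the pre-fix clear-text form, the interim {crypt} form from
# the cancelled approach, and the post-fix form with no siepid at all.
# Hostnames and the password "hunter2" are placeholders.
write_samples() {
    dir=$1
    common='ldapHost: laputa.example.com
ldapPort: 55555
sie: cn=admin-serv-laputa, cn=Red Hat Administration Server, cn=Server Group, cn=laputa.example.com, ou=example.com, o=NetscapeRoot
isie: cn=Red Hat Administration Server, cn=Server Group, cn=laputa.example.com, ou=example.com, o=NetscapeRoot
port: 55550
ldapStart: slapd-laputa/start-slapd'
    printf '%s\nsiepid: hunter2\n' "$common" > "$dir/adm.conf.clear"
    printf '%s\nsiepid: {crypt}xX1B0anmsDjPyL2MDnQvAw==\n' "$common" > "$dir/adm.conf.crypt"
    printf '%s\n' "$common" > "$dir/adm.conf.fixed"
}

# Stand-alone run: audit the three samples and report each one.
tmp=$(mktemp -d)
write_samples "$tmp"
for f in "$tmp"/adm.conf.*; do
    check_adm_conf "$f" || :
done
rm -rf "$tmp"
```

On a real install, point check_adm_conf at <server_root>/admin-serv/config/adm.conf; anything other than return code 0 means a secret is still on disk, and the {crypt} case should be treated the same as clear text during an audit because the decryption key is local.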