Bug 161099

Summary: admin passwd in clear text in adm.conf
Product: Red Hat Directory Server Reporter: To Ngan <tngan>
Component: AdminAssignee: Noriko Hosoi <nhosoi>
Status: CLOSED CURRENTRELEASE QA Contact: Viktor Ashirov <vashirov>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.1CC: nhosoi, nkinder, rcritten, rmeggins
Target Milestone: DS8.0   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-05-06 14:37:50 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 152373, 240316    
Attachments:
Description Flags
cvs diffs
none
cvs diffs (adminserver)
none
cvs diffs (ldapserver)
none
cvs diffs (adminutil)
none
cvs diff (mod_admserv)
none
cvs diffs (adminserver)
none
cvs diffs (adminutil)
none
cvs diff mod_admserv.c
none
cvs diffs (adminserver)
none
cvs commit message (adminutil)
none
cvs commit mod_admserv.c
none
cvs commit message (adminserver) none

Description To Ngan 2005-06-20 15:47:43 UTC
Description of problem:
This issue is raised by jonesy on #fedora-ds
admin's passwd in the clear in admin-serv/config/adm.conf

Why is it there in clear text?  There's already an encrypted passwd stored in
admin-serv/config/admpw


I tried changing the sieid: line in adm.conf to some bogus passwd, upon admin
server restart, attempt to login to console fails with 500.  In admin error log
the error is saying "Unauthorized host".  It returned to normal after I changed
the sieid line back to the correct passwd and restarted admin server.  Weired.


Version-Release number of selected component (if applicable):
20050524.1

How reproducible:
Consistently

Comment 1 Rich Megginson 2006-04-12 14:00:16 UTC
Can we open this bug?  There are a couple of people on the Fedora DS list who
would like to track it.  Alternately, I can dup this bug as an FDS bug.

Comment 2 Noriko Hosoi 2006-04-28 00:35:19 UTC
Created attachment 128333 [details]
cvs diffs

Files:
 modified:
  include/libadminutil/admutil.h
  lib/libadminutil/Makefile
  lib/libadminutil/admutil.c
  lib/libadminutil/admutil_pvt.h
  lib/libadmsslutil/Makefile
 new:
  lib/libadminutil/admutil_enc.c

Change description:
1) Introduced admutil_encryption and _decryption
2) In the function admldapBuildInfoCbk, which reads from adm.conf and set the
   info to the internal structure: admInfo.  In the function, if the admin 
   password siepid is encrypted, decript it and use it to authenticate with the

   config directory server.  If siepid value is not encrypted, encrypt it and
   update adm.conf.

Sample adm.conf:
===================================
ldapHost:   laputa.sfbay.redhat.com
ldapPort:   55555
sie:   cn=admin-serv-laputa, cn=Red Hat Administration Server, cn=Server Group,
cn=laputa.sfbay.redhat.com, ou=sfbay.redhat.com, o=NetscapeRoot
siepid:   {crypt}xX1B0anmsDjPyL2MDnQvAw==
isie:	cn=Red Hat Administration Server, cn=Server Group,
cn=laputa.sfbay.redhat.com, ou=sfbay.redhat.com, o=NetscapeRoot
port:	55550
ldapStart:   slapd-laputa/start-slapd
===================================
As described above, if a user replace "siepid: ..." with the right clear text
password, it still works.  And it's encrypted in the next start-admin.

admin-serv/config dir now has these db files.  (I believe only key3.db is being

used.)
$ ls admin-serv/config/*db
admin-serv/config/cert8.db  admin-serv/config/secmod.db
admin-serv/config/key3.db

Comment 3 Noriko Hosoi 2006-04-28 00:37:19 UTC
Note: the previous changes are made to AdminUtil.

Comment 4 Noriko Hosoi 2006-04-28 00:50:27 UTC
Created attachment 128334 [details]
cvs diffs (adminserver)

Files:
  nsconfig.mk
  admserv/pkgadmin.mk
  admserv/cgi-src40/download.c
  admserv/newinst/insadm/config.c
  admserv/newinst/src/Makefile
  admserv/newinst/src/ux-config.cc
  admserv/newinst/src/ux-config.h
  admserv/newinst/src/ux-remove.cc
  admserv/newinst/src/ux-update.cc

Change description:
1) To run pre install program ns-config, set rpath "lib" to the program, and
   have dependent shared libraries in <date>/<platform>/admin/lib:
     libadminutil.so*	libicui18n.so.34  libplc4.so*	   libsoftokn3.so*
     libadmsslutil.so*	libicuuc.so.34	  libplds4.so*	   libssl3.so*
     libfreebl3.chk	libldap50.so*	  libprldap50.so*  libssldap50.so*
     libfreebl3.so*	libnspr4.so*	  libsmime3.so*
     libicudata.so.34	libnss3.so*	  libsoftokn3.chk
2) If pre install ns-config finds encrypted password in adm.conf, decrypts it
   before sending it to the config directory server.
3) Post install ns-update decrypts the admin password and stores it in
adm.conf.
misc) download.c had buffer size problem which was causing the cgi crash.

Comment 5 Noriko Hosoi 2006-04-28 00:57:56 UTC
Created attachment 128335 [details]
cvs diffs (ldapserver)

Files:
  ldap/clients/dsgw/Makefile

Change description:
1) Add a dependency on NSS to DSGW build.
misc) Pick up new vewsion of WinSync.

Comment 6 Noriko Hosoi 2006-05-04 22:19:17 UTC
Comment #2 - #5 were cancelled based upon the team discussion:

New implementation:
When the admin server needs the configuration info, instead of asking for the
Directory Server, get it from the local cache file (local.conf).  Only when the
configuration needs to be updated, accessing DS happens.  At that time, the
admin password is provided by the user and it can be used to get authenticated
on the Directory Server.  This way, we eliminate the admin password (siepid)
from adm.conf.

Comment 7 Noriko Hosoi 2006-05-04 22:37:18 UTC
Created attachment 128637 [details]
cvs diffs (adminutil)

Files:
  include/libadminutil/admutil.h
  lib/libadminutil/Makefile
  lib/libadminutil/admutil.c
  lib/libadminutil/admutil_pvt.h
  lib/libadminutil/psetc.c
  lib/libadminutil/uginfo.c
  lib/libadmsslutil/Makefile
  lib/libadmsslutil/psetcssl.c

Change description:
1) sie password is no longer stored in adm.conf.  Instead, get it from client
via PIPE.
2) added subordinate functions: admldapGetXXX to retrieve ldap handle,
directory URL, and userDN.
3) updated Makefiles to clean up the old files from the previous make.

Comment 8 Noriko Hosoi 2006-05-04 22:43:38 UTC
Created attachment 128638 [details]
cvs diff (mod_admserv)

File:
  mod_admserv.c

Change description:
Check if ldap handle is set in the admin ldap info structure (AdmldapInfo).
If it is not set, the Admin Server does not have an admin user password / SIE 
password, and it has not connected to the Directory Server.  In this case,
gather neccessary info from the local cache.

Comment 9 Noriko Hosoi 2006-05-04 22:57:30 UTC
Created attachment 128640 [details]
cvs diffs (adminserver)

Files:
  admserv/cgi-src40/config.c
  admserv/cgi-src40/download.c
  admserv/cgi-src40/htmladmin.c
  admserv/cgi-src40/sec-activate.c
  admserv/newinst/insadm/config.c
  admserv/newinst/src/Makefile
  admserv/newinst/src/ux-config.cc
  admserv/newinst/src/ux-remove.cc
  admserv/newinst/src/ux-update.cc

Change description:
1) ns-update (ux-update.cc) stops storing admin password (siepid) in adm.conf.
   And by calling psetCreate, it generates the local cache file local.conf in
   the post install phase.
2) ns-update links with adminutil and its dependent components.
   ns-update has RPATH pointing the components' location.
3) got rid of the code retrieving the admin password from adm.conf from 
   ns-config (ux-config.cc) and ns-remove (ux-remove.cc).  Both has the info 
   input by the user.
4) some CGI debugs (download.c and htmladmin.c.  most of the htmladmin.c change

   is from Rich'es fix -- not checked in, yet.	W/o the fix, cannot access to
   the admin server from the browser...)

Comment 10 Noriko Hosoi 2006-05-10 01:50:44 UTC
Created attachment 128828 [details]
cvs diffs (adminutil)

Files:
  include/libadminutil/admutil.h
  lib/libadminutil/Makefile
  lib/libadminutil/admutil.c
  lib/libadminutil/admutil_pvt.h
  lib/libadminutil/psetc.c
  lib/libadminutil/uginfo.c
  lib/libadmsslutil/Makefile
  lib/libadmsslutil/psetcssl.c

Change description:
1) sie password is no longer stored in adm.conf.  Instead, get it from client
via PIPE.
2) added subordinate functions: admldapGetXXX to retrieve ldap handle,
directory URL, and userDN.
3) updated Makefiles to clean up the old files from the previous make.
4) increased the buffer size to read in the local cache files.

Comment 11 Noriko Hosoi 2006-05-10 02:01:28 UTC
Created attachment 128829 [details]
cvs diff mod_admserv.c

File:
  mod_admserv.c

Change description:
Change description:
1) In the initialization (mod_admserv_post_config), check if ldap handle is
   set or not in the admin ldap info structure (AdmldapInfo).  If it is not
set,
   the Admin Server does not have an admin user password / SIE password, and
   it has not connected to the Directory Server.  In this case, gather
   necessary info from the local cache.
   Also, set the task StartConfigDS in the HashTable for the admin server to
   start Config DS in case the server is down.
2) Where it expects sie password (from adm.conf), get it from PIPE that user
   provided (if possible).

Comment 12 Noriko Hosoi 2006-05-10 02:04:49 UTC
Created attachment 128830 [details]
cvs diffs (adminserver)

Files:
  admserv/cgi-src40/download.c
  admserv/cgi-src40/htmladmin.c
  admserv/cgi-src40/sec-activate.c
  admserv/newinst/insadm/config.c
  admserv/newinst/src/Makefile
  admserv/newinst/src/ux-config.cc
  admserv/newinst/src/ux-remove.cc
  admserv/newinst/src/ux-update.cc

Change description:
1) ns-update (ux-update.cc) stops storing admin password (siepid) in adm.conf.
   And by calling psetCreate, it generates the local cache file local.conf in
   the post install phase.
2) ns-update links with adminutil and its dependent components.
   ns-update has RPATH pointing the components' location.
3) got rid of the code retrieving the admin password from adm.conf from 
   ns-config (ux-config.cc) and ns-remove (ux-remove.cc).  Both has the info 
   input by the user.
4) some CGI debugs (download.c and htmladmin.c. Most of the htmladmin.c change
   is from Rich'es fix -- not checked in, yet.	W/o the fix, cannot access to
   the admin server from the browser...)

Comment 13 Noriko Hosoi 2006-05-11 23:25:44 UTC
Created attachment 128921 [details]
cvs commit message (adminutil)

Reviewed by Nathan and Rich.  (Thank you!)

Comment 14 Noriko Hosoi 2006-05-11 23:47:42 UTC
Created attachment 128922 [details]
cvs commit mod_admserv.c

Reviewed by Nathan and Rich. (Thank you!!)

Comment 15 Noriko Hosoi 2006-05-12 00:36:12 UTC
Created attachment 128926 [details]
cvs commit message (adminserver)

Reviewed by Nathan and Rich.  (Thank you!!!)

Comment 17 Noriko Hosoi 2006-05-15 17:45:58 UTC
How to verify the bug.
1) install the DS7.2
2) $ grep -i siepid <server_root>/admin-serv/config/adm.conf
   If the commandline returns nothing, the bug had been fixed.

Comment 18 Chandrasekar Kannan 2007-07-25 19:01:26 UTC
DS7.2 is not a valid milestone anymore. Anything thats set to DS7.2 should be
set to DS8.0. Will make further changes per bug council on 07/24/2007, after this.

Comment 20 Yi Zhang 2007-12-04 00:59:39 UTC
Verified. PASS

Test machine: neo.dsdev.sjc.redhat.com (RHEL 32bit) & VM machine with Fedora 7
installed

Test steps: please follow Noriko's comments.
Test result: pass