Bug 994472

Summary: Difference in hash algorithm used for user password, on Red Hat Storage (RHS) systems installed from ISO, and from Red Hat (RH) Satellite server
Product: [Red Hat Storage] Red Hat Gluster Storage
Reporter: Rejy M Cyriac <rcyriac>
Component: doc-Installation_Guide
Assignee: Bhavana <bmohanra>
Status: CLOSED CURRENTRELEASE
QA Contact: Rejy M Cyriac <rcyriac>
Severity: medium
Priority: medium
Version: 2.1
CC: atowns, bmohanra, divya, mhideo, rhs-bugs, shaines, ssaha, storage-doc, vraman
Hardware: All
OS: Linux
Doc Type: Bug Fix
Type: Bug
Last Closed: 2013-12-10 21:12:20 UTC
Bug Blocks: 902791, 961959

Description Rejy M Cyriac 2013-08-07 11:06:08 UTC
Description of problem:
On an RHS system installed from the ISO, the hash algorithm used for user passwords is the very strong 'SHA512', while for an RHS system installed over the network from RH Satellite, the hash algorithm would be the default MD5, which is much weaker.

---------------------------------------

On RHS system installed from ISO:
# grep root /etc/shadow
root:$6$P.DzwYQwoIWEFbAv$7mwZAdv2g.Jam1VdMQliAaekH3jODNi3GlopreQ8VMBnJBFLf1q20rSiild5egNizm0y35GgylSGivKXWAHdL.:15922:0:99999:7:::

On RHS system installed over the network:
# grep root /etc/shadow
root:$1$i9WfbnLH$fi8ikP4SdQMFuRSTz1Jl8.:15923:0:99999:7:::

Note: $6$ indicates SHA512, and $1$ indicates MD5

---------------------------------------

On the ISO installed system, the stronger password is set by the following kickstart directive in the ks.cfg file, in the initrd.

---------------------------------------

authconfig --enableshadow --passalgo=sha512

---------------------------------------

The same setting should be ensured for RHS systems installed over the network from RH Satellite.

Version-Release number of selected component (if applicable):
RHS 2.1

Actual results:
RHS systems installed over the network from RH Satellite use the MD5 hash algorithm for user passwords, which is much weaker than the SHA512 hash algorithm used in RHS systems installed from the ISO.

Expected results:
RHS systems should use the same hash algorithm for user passwords, preferably the stronger one, regardless of the mode of install.

Additional info:

Comment 1 Anthony Towns 2013-08-09 02:31:19 UTC
This seems like a RHEL bug (why hasn't the default changed to at least sha1 or sha256?) if anything; mostly I would expect someone doing a network install to configure this themselves though. I'd recommend noting this in the install guide at most.

Comment 2 Sayan Saha 2013-08-09 20:11:00 UTC
Agree with what Aj is saying.

Comment 4 Rejy M Cyriac 2013-08-13 06:55:06 UTC
(In reply to Anthony Towns from comment #1)
> This seems like a RHEL bug (why hasn't the default changed to at least sha1
> or sha256?) if anything; mostly I would expect someone doing a network
> install to configure this themselves though. I'd recommend noting this in
> the install guide at most.

Looks like this is not a RHEL bug. RHEL 6.4 now, by default, sets the very strong 'SHA512' as the hash algorithm for user passwords.

---------------------------------------------------------------------------

# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 6.4 (Santiago)

# grep root /etc/shadow
root:$6$2ZsCr4oCmlUF6sb.$r2bELcCsINYj7TMkz/ys/YhqOhPlIUnmGDP9rfeW86MxvRoXK1lkUUfObEX4Df44QI2.CoGW0u1RV1b7eNQDk.:15929:0:99999:7:::

---------------------------------------------------------------------------

This looks more like a RH Satellite server bug, which sets the following by default in the kickstart file, thereby setting the hash algorithm to MD5 on the end system.

---------------------------------------------------------------------------

auth --enablemd5 --enableshadow 

---------------------------------------------------------------------------

A quick search did not reveal any BZ open on this for RH Satellite. I will search further for it, and if not found, will open a new BZ on it.

Proposed Solution
-----------------

1) So I believe that we need to document that, for RH Satellite based RHS installs, while creating the Kickstart Profile, the 'auth' field in the Kickstart Profile at 'Kickstart Details-->Advanced Options' is recommended to be set to the one given below.

---------------------------------------------------------------------------

--enableshadow --passalgo=sha512

---------------------------------------------------------------------------

This will set the following directive in the kickstart file, thereby ensuring that the RHS system installed off this kickstart file will have, as default, the very strong 'SHA512' as the hash algorithm for user passwords.

---------------------------------------------------------------------------

auth --enableshadow --passalgo=sha512

---------------------------------------------------------------------------

2) But there will still be an issue for the root password, which is being set directly using MD5 hash algorithm by default, in the Kickstart Profile, and thereby in the Kickstart file. Possibly case for another RH Satellite BZ ?

So we may also need to document that, for RH Satellite based RHS installs, it is recommended that the root password either be reset after RHS installation, or that a pre-prepared SHA512 hash of the root password be put into the 'rootpw' field at 'Kickstart Details-->Advanced Options' of the Kickstart Profile.

Sayan and AJ, comments ?
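
The following is an added example, not code from this bug or from Red Hat's installer, Satellite, or authconfig. It does two things that the description (the `$6$` versus `$1$` note) and the proposed solution above both call for: it classifies the crypt(3) scheme behind each line of an /etc/shadow-style file so an MD5-hashed account can be found after a Satellite install, and it assembles the two kickstart lines (`auth --enableshadow --passalgo=sha512` and `rootpw --iscrypted <hash>`) while refusing any root hash that is not a `$6$` string. The sample shadow file is constructed: the two root hashes are the ones quoted in this report, the other accounts are made up. The regular expression for a SHA512-crypt string (optional `rounds=`, up to 16 salt characters, 86-character digest) is my assumption about the format, checked against the two `$6$` hashes on this page.

```python
"""Added example: classify the crypt(3) scheme behind each /etc/shadow entry
and build the kickstart lines that keep a Satellite-provisioned RHS host on
SHA512 for both the 'auth' and the 'rootpw' fields."""
import re
from typing import Dict, List

# crypt(3) "$id$" prefixes as used in /etc/shadow. Only $1$ and $6$ appear in
# the bug; the others are listed so an audit does not misreport them.
CRYPT_PREFIXES = {
    "$1$": "md5",
    "$2a$": "bcrypt",
    "$2b$": "bcrypt",
    "$2y$": "bcrypt",
    "$5$": "sha256",
    "$6$": "sha512",
    "$y$": "yescrypt",
}
STRONG_SCHEMES = {"sha256", "sha512", "bcrypt", "yescrypt"}

# SHA512-crypt string: optional rounds=, salt of up to 16 chars, 86-char digest.
# Assumption about the format, matched against the two $6$ hashes in the report.
SHA512_CRYPT_RE = re.compile(
    r"^\$6\$(?:rounds=\d+\$)?[./A-Za-z0-9]{1,16}\$[./A-Za-z0-9]{86}$"
)

# Kickstart 'auth' directives exactly as the report quotes them.
KICKSTART_AUTH_WEAK = "auth --enablemd5 --enableshadow"
KICKSTART_AUTH_STRONG = "auth --enableshadow --passalgo=sha512"


def hash_algorithm(hash_field: str) -> str:
    """Name the scheme of the second field of a shadow(5) entry."""
    if hash_field == "" or hash_field[0] in "!*":
        return "locked"          # no usable password hash
    for prefix, name in CRYPT_PREFIXES.items():
        if hash_field.startswith(prefix):
            return name
    if len(hash_field) == 13 and "$" not in hash_field:
        return "des"             # traditional 13-character DES crypt
    return "unknown"


def audit_shadow(shadow_text: str) -> List[Dict[str, str]]:
    """Return one finding per account whose hash is not a strong scheme.

    Locked accounts are skipped: their hash cannot be used to log in.
    """
    findings = []
    for lineno, line in enumerate(shadow_text.splitlines(), start=1):
        fields = line.split(":")
        if len(fields) < 2 or not fields[0]:
            continue                 # blank or malformed line
        scheme = hash_algorithm(fields[1])
        if scheme == "locked" or scheme in STRONG_SCHEMES:
            continue
        findings.append({"user": fields[0], "scheme": scheme, "line": str(lineno)})
    return findings


def kickstart_rootpw_line(prepared_hash: str) -> str:
    """Build 'rootpw --iscrypted <hash>' for the Advanced Options 'rootpw' field.

    Refuses anything that is not a $6$ string, so an MD5 hash cannot slip
    into the profile unnoticed.
    """
    if not SHA512_CRYPT_RE.match(prepared_hash):
        raise ValueError("root password hash must be a $6$ (SHA512) crypt string")
    return f"rootpw --iscrypted {prepared_hash}"


def kickstart_snippet(prepared_hash: str) -> str:
    """The two lines a Satellite kickstart profile needs to match the ISO install."""
    return "\n".join([KICKSTART_AUTH_STRONG, kickstart_rootpw_line(prepared_hash)])


# Constructed sample: the two root hashes are the ones quoted in the report;
# the other accounts are made up to exercise the locked and DES branches.
ISO_ROOT_HASH = ("$6$P.DzwYQwoIWEFbAv$7mwZAdv2g.Jam1VdMQliAaekH3jODNi3GlopreQ8VMBn"
                 "JBFLf1q20rSiild5egNizm0y35GgylSGivKXWAHdL.")
SATELLITE_ROOT_HASH = "$1$i9WfbnLH$fi8ikP4SdQMFuRSTz1Jl8."
SAMPLE_SHADOW = "\n".join([
    f"root:{SATELLITE_ROOT_HASH}:15923:0:99999:7:::",
    "bin:*:15923:0:99999:7:::",
    "nobody:!!:15923:0:99999:7:::",
    "olduser:abJnggxhB/yWI:15923:0:99999:7:::",
    f"glusteradm:{ISO_ROOT_HASH}:15923:0:99999:7:::",
])

if __name__ == "__main__":
    for finding in audit_shadow(SAMPLE_SHADOW):
        print(f"line {finding['line']}: {finding['user']} uses {finding['scheme']} (weak)")
    print(kickstart_snippet(ISO_ROOT_HASH))
```

To produce the `$6$` string for the `rootpw` field, hash the password on any host with a SHA512-capable crypt, for example `openssl passwd -6` (OpenSSL 1.1.1 or later) or `grub-crypt --sha-512` on RHEL 6, and feed the result to `kickstart_snippet()`; the audit part can be run against `/etc/shadow` on a freshly provisioned host to confirm that no account was left on MD5.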

Comment 5 Anthony Towns 2013-08-13 13:24:22 UTC
(In reply to Rejy M Cyriac from comment #4)
> This looks more of a RH Satellite server bug, which sets the following by
> default in the kickstart file, thereby setting the hash algorithm to MD5 on
> the end system.
> auth --enablemd5 --enableshadow 

Aha, good catch. This looks like it's already fixed in Satellite 5.5 though?

https://access.redhat.com/site/solutions/31832
https://bugzilla.redhat.com/show_bug.cgi?id=879332

Comment 6 Rejy M Cyriac 2013-08-13 13:34:21 UTC
(In reply to Anthony Towns from comment #5)
> (In reply to Rejy M Cyriac from comment #4)
> > This looks more of a RH Satellite server bug, which sets the following by
> > default in the kickstart file, thereby setting the hash algorithm to MD5 on
> > the end system.
> > auth --enablemd5 --enableshadow 
> 
> Aha, good catch. This looks like it's already fixed in Satellite 5.5 though?
> 
> https://access.redhat.com/site/solutions/31832
> https://bugzilla.redhat.com/show_bug.cgi?id=879332

It appears that the BZ fixed a bug that caused a rehash to MD5 of the pre-prepared SHA512 password supplied using the API 'kickstart.profile.setAdvancedOptions'.

If you have a look at

https://bugzilla.redhat.com/show_bug.cgi?id=879332#c8

that explains the fix in a nutshell as :

-------------------------------------------------------

verified that kickstart.profile.setAdvancedOptions:

  * won't rehash supplied password (supplied in "rootpw")
    if "md5_crypt_rootpw" is not set to value that can be
    converted to java Boolean.
  * will rehash supplied password if md5_crypt_rootpw is
    set to e.g. "True".

-------------------------------------------------------

It looks like the default of MD5 hash was not changed, so as not to break support for pre-RHEL 6 systems installs.

Comment 7 Rejy M Cyriac 2013-08-13 13:38:42 UTC
(In reply to Rejy M Cyriac from comment #6)
> (In reply to Anthony Towns from comment #5)
> > (In reply to Rejy M Cyriac from comment #4)
> > > This looks more of a RH Satellite server bug, which sets the following by
> > > default in the kickstart file, thereby setting the hash algorithm to MD5 on
> > > the end system.
> > > auth --enablemd5 --enableshadow 
> > 
> > Aha, good catch. This looks like it's already fixed in Satellite 5.5 though?
> > 
> > https://access.redhat.com/site/solutions/31832
> > https://bugzilla.redhat.com/show_bug.cgi?id=879332
> 
> It appears that the BZ fixed a bug that caused a rehash to MD5, of the
> pre-prepared SHA512 password supplied using the API
> 'kickstart.profile.setAdvancedOptions'
> 
> If you have a look at
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=879332#c8
> 
> that explains the fix in a nutshell as :
> 
> -------------------------------------------------------
> 
> verified that kickstart.profile.setAdvancedOptions:
> 
>   * won't rehash supplied password (supplied in "rootpw")
>     if "md5_crypt_rootpw" is not set to value that can be
>     converted to java Boolean.
>   * will rehash supplied password if md5_crypt_rootpw is
>     set to e.g. "True".
> 
> -------------------------------------------------------
> 
> It looks like the default of MD5 hash was not changed, so as not to break
> support for pre-RHEL 6 systems installs.

And it is because of the existence of the fix that we are able to do the second part of Step 2 in my proposed solution in Comment 4 - 

"...or the SHA512 hash algorithm based pre-prepared root password be put into the 'rootpw' field at 'Kickstart Details-->Advanced Options' of the Kickstart Profile."

Comment 8 Bhavana 2013-09-13 06:28:35 UTC
Hi Rejy,

Based on our discussion, the information is added as "Important" in section 4.3 Installing from Red Hat Satellite server, under "Creating a Kickstart Profile".

http://documentation-devel.engineering.redhat.com/docs/en-US/Red_Hat_Storage/2.1/pdf/Installation_Guide/Red_Hat_Storage-2.1-Installation_Guide-en-US.pdf

Comment 9 Rejy M Cyriac 2013-09-13 08:06:37 UTC
(In reply to Bhavana from comment #8)
> Hi Rejy,
> 
> Based on our discussion, the information is added as "Important" in section
> 4.3 Installing from Red Hat Satellite server, under "Creating a Kickstart
> Profile".
> 
> http://documentation-devel.engineering.redhat.com/docs/en-US/Red_Hat_Storage/
> 2.1/pdf/Installation_Guide/Red_Hat_Storage-2.1-Installation_Guide-en-US.pdf

Not able to access the provided URL. The hosting server seems to be unreachable.

If issue is not immediately resolvable, please attach relevant part of document to this BZ for verification.

Cheers,

rejy (rmc)

Comment 11 Rejy M Cyriac 2013-09-17 07:24:11 UTC
Looks good, verified.

Comment 12 Scott Haines 2013-12-10 21:12:20 UTC
This doc bug was fixed and verified against Red Hat Storage 2.1 enhancement and bug fix update (https://rhn.redhat.com/errata/RHBA-2013-1262.html) released 2013-09-16.  Moving bug to CLOSED - CURRENT RELEASE.