Bug 994472
Summary: | Difference in hash algorithm used for user password, on Red Hat Storage (RHS) systems installed from ISO, and from Red Hat (RH) Satellite server | |
---|---|---|---
Product: | [Red Hat Storage] Red Hat Gluster Storage | Reporter: | Rejy M Cyriac <rcyriac>
Component: | doc-Installation_Guide | Assignee: | Bhavana <bmohanra>
Status: | CLOSED CURRENTRELEASE | QA Contact: | Rejy M Cyriac <rcyriac>
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | 2.1 | CC: | atowns, bmohanra, divya, mhideo, rhs-bugs, shaines, ssaha, storage-doc, vraman
Target Milestone: | --- | |
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2013-12-10 21:12:20 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | | |
Bug Blocks: | 902791, 961959 | |
Description
Rejy M Cyriac
2013-08-07 11:06:08 UTC
Comment #1 (Anthony Towns):

This seems like a RHEL bug (why hasn't the default changed to at least sha1 or sha256?) if anything; mostly I would expect someone doing a network install to configure this themselves though. I'd recommend noting this in the install guide at most.

Agree with what Aj is saying.

Comment #4 (Rejy M Cyriac):

(In reply to Anthony Towns from comment #1)
> This seems like a RHEL bug (why hasn't the default changed to at least sha1
> or sha256?) if anything; mostly I would expect someone doing a network
> install to configure this themselves though. I'd recommend noting this in
> the install guide at most.

Looks like this is not a RHEL bug. RHEL 6.4 now by default sets the very strong 'SHA512' as hash algorithm for user password.

---------------------------------------------------------------------------
# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.4 (Santiago)

# grep root /etc/shadow
root:$6$2ZsCr4oCmlUF6sb.$r2bELcCsINYj7TMkz/ys/YhqOhPlIUnmGDP9rfeW86MxvRoXK1lkUUfObEX4Df44QI2.CoGW0u1RV1b7eNQDk.:15929:0:99999:7:::
---------------------------------------------------------------------------

This looks more of a RH Satellite server bug, which sets the following by default in the kickstart file, thereby setting the hash algorithm to MD5 on the end system.

---------------------------------------------------------------------------
auth --enablemd5 --enableshadow
---------------------------------------------------------------------------

A quick search did not reveal any BZ open on this for RH Satellite. I will search further for it, and if not found, will open a new BZ on it.

Proposed Solution
-----------------

1) So I believe that we need to document that, for RH Satellite based RHS installs, while creating the Kickstart Profile, the 'auth' field in the Kickstart Profile at 'Kickstart Details-->Advanced Options' is recommended to be set to the one given below.

---------------------------------------------------------------------------
--enableshadow --passalgo=sha512
---------------------------------------------------------------------------

This will set the following directive in the kickstart file, thereby ensuring that the RHS system installed off this kickstart file will have as default the very strong 'SHA512' as hash algorithm for user password.

---------------------------------------------------------------------------
auth --enableshadow --passalgo=sha512
---------------------------------------------------------------------------

2) But there will still be an issue for the root password, which is being set directly using MD5 hash algorithm by default, in the Kickstart Profile, and thereby in the Kickstart file. Possibly case for another RH Satellite BZ?

So we may also need to document that, for RH Satellite based RHS installs, it is recommended that the root password may either be reset after RHS installation, or the SHA512 hash algorithm based pre-prepared root password be put into the 'rootpw' field at 'Kickstart Details-->Advanced Options' of the Kickstart Profile.

Sayan and AJ, comments?

Comment #5 (Anthony Towns):

(In reply to Rejy M Cyriac from comment #4)
> This looks more of a RH Satellite server bug, which sets the following by
> default in the kickstart file, thereby setting the hash algorithm to MD5 on
> the end system.
> auth --enablemd5 --enableshadow

Aha, good catch. This looks like it's already fixed in Satellite 5.5 though?

https://access.redhat.com/site/solutions/31832
https://bugzilla.redhat.com/show_bug.cgi?id=879332

Comment #6 (Rejy M Cyriac):

(In reply to Anthony Towns from comment #5)
> (In reply to Rejy M Cyriac from comment #4)
> > This looks more of a RH Satellite server bug, which sets the following by
> > default in the kickstart file, thereby setting the hash algorithm to MD5 on
> > the end system.
> > auth --enablemd5 --enableshadow
>
> Aha, good catch. This looks like it's already fixed in Satellite 5.5 though?
>
> https://access.redhat.com/site/solutions/31832
> https://bugzilla.redhat.com/show_bug.cgi?id=879332

It appears that the BZ fixed a bug that caused a rehash to MD5 of the pre-prepared SHA512 password supplied using the API 'kickstart.profile.setAdvancedOptions'.

If you have a look at

https://bugzilla.redhat.com/show_bug.cgi?id=879332#c8

that explains the fix in a nutshell as:

-------------------------------------------------------
verified that kickstart.profile.setAdvancedOptions:

* won't rehash supplied password (supplied in "rootpw") if "md5_crypt_rootpw" is not set to value that can be converted to java Boolean.

* will rehash supplied password if md5_crypt_rootpw is set to e.g. "True".
-------------------------------------------------------

It looks like the default of MD5 hash was not changed, so as not to break support for pre-RHEL 6 systems installs.

(In reply to Rejy M Cyriac from comment #6)
> (In reply to Anthony Towns from comment #5)
> > (In reply to Rejy M Cyriac from comment #4)
> > > This looks more of a RH Satellite server bug, which sets the following by
> > > default in the kickstart file, thereby setting the hash algorithm to MD5 on
> > > the end system.
> > > auth --enablemd5 --enableshadow
> >
> > Aha, good catch. This looks like it's already fixed in Satellite 5.5 though?
> >
> > https://access.redhat.com/site/solutions/31832
> > https://bugzilla.redhat.com/show_bug.cgi?id=879332
>
> It appears that the BZ fixed a bug that caused a rehash to MD5, of the
> pre-prepared SHA512 password supplied using the API
> 'kickstart.profile.setAdvancedOptions'
>
> If you have a look at
>
> https://bugzilla.redhat.com/show_bug.cgi?id=879332#c8
>
> that explains the fix in a nutshell as :
>
> -------------------------------------------------------
>
> verified that kickstart.profile.setAdvancedOptions:
>
> * won't rehash supplied password (supplied in "rootpw")
> if "md5_crypt_rootpw" is not set to value that can be
> converted to java Boolean.
>
> * will rehash supplied password if md5_crypt_rootpw is
> set to e.g. "True".
>
> -------------------------------------------------------
>
> It looks like the default of MD5 hash was not changed, so as not to break
> support for pre-RHEL 6 systems installs.

And it is because of the existence of the fix that we are able to do the second part of Step 2 in my proposed solution in Comment 4 - "...or the SHA512 hash algorithm based pre-prepared root password be put into the 'rootpw' field at 'Kickstart Details-->Advanced Options' of the Kickstart Profile."

Comment #8 (Bhavana):

Hi Rejy,

Based on our discussion, the information is added as "Important" in section 4.3 Installing from Red Hat Satellite server, under "Creating a Kickstart Profile".

http://documentation-devel.engineering.redhat.com/docs/en-US/Red_Hat_Storage/2.1/pdf/Installation_Guide/Red_Hat_Storage-2.1-Installation_Guide-en-US.pdf

(In reply to Bhavana from comment #8)
> Hi Rejy,
>
> Based on our discussion, the information is added as "Important" in section
> 4.3 Installing from Red Hat Satellite server, under "Creating a Kickstart
> Profile".
>
> http://documentation-devel.engineering.redhat.com/docs/en-US/Red_Hat_Storage/
> 2.1/pdf/Installation_Guide/Red_Hat_Storage-2.1-Installation_Guide-en-US.pdf

Not able to access the provided URL. Hosting server seems to be not reachable. If issue is not immediately resolvable, please attach relevant part of document to this BZ for verification.

Cheers,
rejy (rmc)

Hi Rejy,

The staging server is now up.

http://documentation-devel.engineering.redhat.com/docs/en-US/Red_Hat_Storage/2.1/html/Installation_Guide/sect-Installation_Guide-Install_RHS-from_Satellite_server.html

Thanks,
Bhavana

Looks good, verified.

This doc bug was fixed and verified against Red Hat Storage 2.1 enhancement and bug fix update (https://rhn.redhat.com/errata/RHBA-2013-1262.html) released 2013-09-16. Moving bug to CLOSED - CURRENT RELEASE.
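The two checks this thread boils down to, as an added example that is not part of the bug report or of any Red Hat tooling: flag a Satellite-style kickstart profile whose `auth` line forces MD5 (or lacks `--passalgo=sha512`) or whose pre-hashed `rootpw` is not SHA-2, and list accounts in an `/etc/shadow` dump whose stored hash is not SHA-2. It assumes only the crypt(3) `$id$` prefix convention ($1$ MD5, $5$ SHA-256, $6$ SHA-512); the sample profiles and shadow lines are constructed with placeholder salts and hashes, and when `--enablemd5` and `--passalgo` both appear the audit conservatively reports MD5.

```python
import re
import shlex
# crypt(3) hash-id prefixes as seen in /etc/shadow and in 'rootpw --iscrypted'
HASH_IDS = {"1": "md5", "2a": "blowfish", "5": "sha256", "6": "sha512"}
STRONG = {"sha256", "sha512"}

def hash_algo(field):
    """Algorithm of a crypt(3) hash field; None for DES-style, empty or locked."""
    m = re.match(r"^\$([^$]+)\$", field)
    return HASH_IDS.get(m.group(1), "unknown") if m else None

def audit_kickstart(text):
    """Findings for a kickstart profile; empty when it matches the recommendation
    from this bug (auth --passalgo=sha512 and a SHA-2 pre-hashed rootpw)."""
    findings = []
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)
        if not tokens:
            continue
        if tokens[0] in ("auth", "authconfig"):
            algo = next((t.split("=", 1)[1] for t in tokens if t.startswith("--passalgo=")), None)
            if "--enablemd5" in tokens:  # audit conservatively: treat --enablemd5 as winning
                algo = "md5"
            if algo != "sha512":
                findings.append(f"auth: user password algorithm is {algo or 'installer default'}; set --passalgo=sha512")
        elif tokens[0] == "rootpw" and "--iscrypted" in tokens:
            values = [t for t in tokens[1:] if not t.startswith("--")]
            algo = hash_algo(values[0]) if values else None
            if algo not in STRONG:
                findings.append(f"rootpw: pre-hashed with {algo or 'des/unknown'}; supply a SHA512 hash or reset root password after install")
    return findings

def weak_shadow_accounts(shadow_text):
    """(user, algo) for accounts whose stored hash is not SHA-2; locked/empty skipped."""
    weak = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or not fields[1] or fields[1][0] in "!*":
            continue
        algo = hash_algo(fields[1])
        if algo not in STRONG:
            weak.append((fields[0], algo or "des/unknown"))
    return weak

# Constructed samples: placeholder salts and hashes, not real credentials
SATELLITE_DEFAULT_KS = "auth --enablemd5 --enableshadow\nrootpw --iscrypted $1$constructed$placeholder\n"
RECOMMENDED_KS = "auth --enableshadow --passalgo=sha512\nrootpw --iscrypted $6$constructed$placeholder\n"
SAMPLE_SHADOW = ("root:$6$constructed$placeholder:15929:0:99999:7:::\n"
                 "legacy:$1$constructed$placeholder:15929:0:99999:7:::\n"
                 "daemon:*:15929:0:99999:7:::\n")
```

Running `audit_kickstart` over the Satellite-default sample yields two findings (auth and rootpw), over the recommended sample none, and `weak_shadow_accounts` on the sample dump reports only the MD5 `legacy` account.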