Bug 1052257 - [RFE] Make default root password encryption be SHA256
Summary: [RFE] Make default root password encryption be SHA256
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Provisioning
Version: 6.0.3
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: Unspecified
Assignee: Dmitri Dolguikh
QA Contact: Sachin Ghai
URL: http://projects.theforeman.org/issues...
Whiteboard: Verified in Upstream
Depends On:
Blocks:
Reported: 2014-01-13 14:27 UTC by Bryan Kearney
Modified: 2019-09-26 17:42 UTC

Fixed In Version:
Doc Type: Enhancement
Doc Text:
With this release, the default root password hash has been made SHA256 instead of MD5. This improves the default security of all provisioned hosts.
Clone Of:
Environment:
Last Closed: 2016-07-27 11:11:40 UTC
Target Upstream Version:
Embargoed:


Attachments
attachment 1006102: screenshot showing an OS distribution with a default MD5 hash (40.51 KB, image/png), 2015-03-25 01:15 UTC, Corey Welton
attachment 1068977: default root password encryption set as sha256 (43.31 KB, image/png), 2015-09-01 12:03 UTC, Sachin Ghai


Links
Foreman Issue Tracker 2127 (http://projects.theforeman.org/issues/2127), last updated 2016-04-22 15:55:11 UTC
Red Hat Product Errata RHSA-2015:1592, priority normal, status SHIPPED_LIVE, "Important: Red Hat Satellite 6.1.1 on RHEL 6", last updated 2015-08-12 09:04:35 UTC

Description Bryan Kearney 2014-01-13 14:27:45 UTC
Current kickstarts are delivered with MD5 hashes. Instead, it should be SHA256.
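The "SHA256" the report asks for is the salted, iterated crypt(3) scheme whose setting strings start with "$5$" (the same family as the "$1$" MD5 hashes being replaced), not a bare SHA-256 digest: kickstart's `rootpw --iscrypted` consumes crypt(3)-style strings, and a plain digest would not be a valid root password entry. The following added example, which is not code from Foreman, Satellite or this report, implements that "$5$" scheme with only the standard library and then checks a kickstart for the weak MD5 default this bug describes. The function names and the kickstart fragments are my own constructions.

```python
"""Added example (not Foreman/Satellite code): generate the crypt(3)-style
SHA-256 root password hash a kickstart expects, and check a kickstart for
the MD5 default this bug is about. Only hashlib and re from the standard
library are used; the kickstart snippets below are constructed samples."""
import hashlib
import re

# crypt(3) base64 alphabet (not the RFC 4648 one)
_B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Byte order in which sha256-crypt emits the final digest (from the spec)
_ORDER = [(0, 10, 20), (21, 1, 11), (12, 22, 2), (3, 13, 23), (24, 4, 14),
          (15, 25, 5), (6, 16, 26), (27, 7, 17), (18, 28, 8), (9, 19, 29)]


def _b64_from_24bit(b2: int, b1: int, b0: int, n: int) -> str:
    """Emit n base64 chars from three bytes, low 6 bits first, as crypt does."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = []
    for _ in range(n):
        out.append(_B64[w & 0x3F])
        w >>= 6
    return "".join(out)


def _repeat_to(block: bytes, length: int) -> bytes:
    """Byte string of `length` bytes made by repeating a 32-byte digest."""
    return block * (length // 32) + block[: length % 32]


def sha256_crypt(password: str, salt: str, rounds: int = 5000) -> str:
    """sha256-crypt ("$5$") as specified by Ulrich Drepper; this is what
    glibc's crypt(3) computes for a "$5$salt" setting and what the kickstart
    'rootpw --iscrypted' directive consumes."""
    key = password.encode()
    salt_b = salt[:16].encode()          # the spec caps the salt at 16 chars
    h = lambda data: hashlib.sha256(data).digest()

    b = h(key + salt_b + key)            # digest B
    a_ctx = key + salt_b + _repeat_to(b, len(key))
    n = len(key)
    while n > 0:                         # one block per bit of the key length
        a_ctx += b if n & 1 else key
        n >>= 1
    a = h(a_ctx)                         # digest A

    p = _repeat_to(h(key * len(key)), len(key))          # P sequence
    s = _repeat_to(h(salt_b * (16 + a[0])), len(salt_b))  # S sequence

    c = a
    for i in range(rounds):              # the expensive part: 5000 rounds by default
        ctx = p if i & 1 else c
        if i % 3:
            ctx += s
        if i % 7:
            ctx += p
        ctx += c if i & 1 else p
        c = h(ctx)

    encoded = "".join(_b64_from_24bit(c[i], c[j], c[k], 4) for i, j, k in _ORDER)
    encoded += _b64_from_24bit(0, c[31], c[30], 3)
    setting = "$5$" + (f"rounds={rounds}$" if rounds != 5000 else "")
    return setting + salt_b.decode() + "$" + encoded


# Prefixes crypt(3) uses to identify the hashing scheme of a setting string
_SCHEMES = {"$1$": "MD5", "$5$": "SHA-256", "$6$": "SHA-512",
            "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt"}
WEAK_SCHEMES = {"plaintext", "MD5"}


def rootpw_scheme(kickstart: str):
    """Return the password scheme of the first 'rootpw' line in a kickstart,
    or None if there is no rootpw line."""
    for line in kickstart.splitlines():
        m = re.match(r"\s*rootpw\s+(.+)$", line)
        if not m:
            continue
        args = m.group(1).split()
        if "--iscrypted" not in args:
            return "plaintext"           # rootpw without --iscrypted is plaintext
        value = [a for a in args if not a.startswith("--")][-1]
        for prefix, name in _SCHEMES.items():
            if value.startswith(prefix):
                return name
        return "unknown"
    return None


# Constructed kickstart fragments (not taken from the page or from Satellite);
# the MD5 value is a placeholder of the right shape, not a real hash.
KS_MD5 = "lang en_US\nrootpw --iscrypted $1$abcdefgh$ABCDEFGHIJKLMNOPQRSTUV\nreboot\n"
KS_SHA256 = "lang en_US\nrootpw --iscrypted " + sha256_crypt("Hello world!", "saltstring") + "\n"

if __name__ == "__main__":
    for name, ks in (("MD5 kickstart", KS_MD5), ("SHA-256 kickstart", KS_SHA256)):
        scheme = rootpw_scheme(ks)
        print(f"{name}: {scheme}{' (weak)' if scheme in WEAK_SCHEMES else ''}")
```

The hash part of a "$5$" entry is always 43 characters of the crypt alphabet after the second "$"; MD5-crypt produces 22. Running `rootpw_scheme` over rendered provisioning templates is a cheap way to confirm that a host's kickstart really carries the SHA-256 default rather than the MD5 one the first verification attempt in this report found.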

Comment 3 Bryan Kearney 2014-09-03 16:01:30 UTC
Upstream bug assigned to ddolguik

Comment 4 Bryan Kearney 2014-09-26 14:01:37 UTC
Moving to POST since upstream bug http://projects.theforeman.org/issues/2127 has been closed
-------------
Anonymous
Applied in changeset commit:2d7f0315b4653f5eaa4bd7493c4d07375c637a97.

Comment 7 Corey Welton 2015-03-25 01:01:57 UTC
So I am sending this back to dev for commentary, because I have spent a lot of time looking at the upstream bug and commits, and one key thing may (or may not?) be missing...

Much of the backend code is there.  However, I have not found anywhere in the UI (based on various discussions in github, screenshots, etc.) where this is actually possible in the UI.  Furthermore, I do not see the following change reflected in the product:

http://projects.theforeman.org/projects/foreman/repository/revisions/2d7f0315b4653f5eaa4bd7493c4d07375c637a97/diff/app/views/operatingsystems/_form.html.erb

Now, I understand that this is a pretty old BZ and things might have changed significantly in this time, but seeing as I have yet to find where, in the UI, that user should be able to actually choose/select a password hash type, and I don't see any associated ability to make this change reflected in the templates, I want to send it back for some details. 

If there's a satisfactory answer, I'll close out the bz.

Comment 8 Corey Welton 2015-03-25 01:03:57 UTC
To clarify, it looks like, in the upstream bug, there is supposed to be the ability to choose hash type (beyond the a default SHA256) and I am not sure I see this.

Comment 9 Corey Welton 2015-03-25 01:07:40 UTC
Nevermind, I found it.  Was looking in the wrong place.


Verified in Satellite-6.1.0-RHEL-7-20150320.1

Comment 10 Corey Welton 2015-03-25 01:12:18 UTC
However... no. 


While the dropdown exists, the default appears to always be MD5, not SHA256.

Comment 11 Corey Welton 2015-03-25 01:15:36 UTC
Created attachment 1006102 [details]
screenshot showing an OS distribution with a default MD5 hash

Comment 12 Dmitri Dolguikh 2015-04-29 12:26:56 UTC
Fixed upstream in commit d4692e4e0a8f26acb001df47742cc88d083c2113. Also see http://projects.theforeman.org/issues/10289

Comment 14 errata-xmlrpc 2015-08-12 05:07:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2015:1592

Comment 15 sthirugn@redhat.com 2015-08-14 20:42:28 UTC
Accidentally closed with 6.1.1 errata

Comment 16 Sachin Ghai 2015-09-01 12:02:31 UTC
Verified with upstream build:


foreman-proxy-1.10.0-0.develop.201508250705gitb446e0c.el6.noarch
rubygem-smart_proxy_discovery-1.0.2-1.el6.noarch
foreman-1.10.0-0.develop.201508241946git8658fa3.el6.noarch
foreman-release-1.10.0-0.develop.201508241946git8658fa3.el6.noarch
ruby193-rubygem-hammer_cli_import-0.10.21-3.el6.noarch
ruby193-rubygem-hammer_cli_foreman_docker-0.0.3-3.el6.noarch
ruby193-rubygem-hammer_cli-0.3.0-1.201508241209git174f507.el6.noarch
ruby193-rubygem-hammer_cli_foreman_tasks-0.0.7-2.el6.noarch
ruby193-rubygem-hammer_cli_foreman_bootdisk-0.1.3-2.el6.noarch
ruby193-rubygem-hammer_cli_katello-0.0.17-1.el6.noarch


Now I can see sha256 set as default for root password encryption. Please see the attached screenshot

Comment 17 Sachin Ghai 2015-09-01 12:03:18 UTC
Created attachment 1068977 [details]
default root password encryption set as sha256

Comment 18 Bryan Kearney 2016-07-27 11:11:40 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1501
