Bug 1254304 - Changing vault encryption attributes
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: IPA Maintainers
QA Contact: Namita Soman
Depends On:
Blocks:
Reported: 2015-08-17 12:32 EDT by Petr Vobornik
Modified: 2015-11-19 07:05 EST

See Also:
Fixed In Version: ipa-4.2.0-6.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-11-19 07:05:35 EST

Attachments: None
Description Petr Vobornik 2015-08-17 12:32:05 EDT
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/5176

The vault plugin should be enhanced to provide the ability to change the vault encryption attributes including the vault type, vault password, or vault public/private keys as described in the following page:
http://www.freeipa.org/page/V4/Password_Vault_1.1

Proposed milestone: 4.2.1
Comment 3 Scott Poore 2015-09-15 18:24:40 EDT
Verified. Ran against an assortment of vault-mod commands.

Version ::

ipa-server-4.2.0-9.el7.x86_64

Results ::

[root@master test]# #####################################################################
[root@master test]# # setup
[root@master test]# #####################################################################
[root@master test]# ipa vault-add vchange --type standard
---------------------
Added vault "vchange"
---------------------
  Vault name: vchange
  Type: standard
  Owner users: admin
  Vault user: admin
[root@master test]# ipa vault-archive vchange --data=$(echo 123456|base64)
----------------------------------
Archived data into vault "vchange"
----------------------------------
[root@master test]# openssl genrsa -out private.pem 2048
Generating RSA private key, 2048 bit long modulus
....................................................................+++
......+++
e is 65537 (0x10001)
[root@master test]# openssl rsa -in private.pem -out public.pem -pubout
writing RSA key
[root@master test]# openssl genrsa -out new-private.pem 2048
Generating RSA private key, 2048 bit long modulus
.................................+++
.............................+++
e is 65537 (0x10001)
[root@master test]# openssl rsa -in new-private.pem -out new-public.pem -pubout
writing RSA key
[root@master test]# PUBKEYBLOB=$(cat public.pem |base64|grep -v '^-----'|tr -d '\n\r')
[root@master test]# PRVKEYBLOB=$(cat private.pem |base64|grep -v '^-----'|tr -d '\n\r')
[root@master test]# NEWPUBKEYBLOB=$(cat new-public.pem |base64|grep -v '^-----'|tr -d '\n\r')
[root@master test]# NEWPRVKEYBLOB=$(cat new-private.pem |base64|grep -v '^-----'|tr -d '\n\r')
[root@master test]# 
[root@master test]# #####################################################################
[root@master test]# # change type from standard to symmetric
[root@master test]# #####################################################################
[root@master test]# ipa vault-mod vchange --type symmetric --new-password 123
------------------------
Modified vault "vchange"
------------------------
  Vault name: vchange
  Type: symmetric
  Salt: oEOVkIftGESkvZ8Epdqd+Q==
  Owner users: admin
  Vault user: admin
[root@master test]# ipa vault-retrieve vchange --password 123 --out=/tmp/vchange.out
-----------------------------------
Retrieved data from vault "vchange"
-----------------------------------
[root@master test]# grep 123456 /tmp/vchange.out
123456
[root@master test]# 
[root@master test]# #####################################################################
[root@master test]# # change symmetric password interactively
[root@master test]# #####################################################################
[root@master test]# expect -f - <<EOF
> set timeout 30
> spawn ipa vault-mod vchange --change-password
> expect "ssword:*"
> send -- "123\r"
> expect "ssword:*"
> send -- "1234\r"
> expect "ssword:*"
> send -- "1234\r"
> expect eof
> EOF
spawn ipa vault-mod vchange --change-password
Password: 
New password: 
Verify password: 
------------------------
Modified vault "vchange"
------------------------
  Vault name: vchange
  Type: symmetric
  Salt: UxcKZE3G0wQdsWR2v1SX3w==
  Owner users: admin
  Vault user: admin
[root@master test]# ipa vault-retrieve vchange --password=1234 --out=/tmp/vchange.out
-----------------------------------
Retrieved data from vault "vchange"
-----------------------------------
[root@master test]# grep 123456 /tmp/vchange.out
123456
[root@master test]# 
[root@master test]# #####################################################################
[root@master test]# # change symmetric password
[root@master test]# #####################################################################
[root@master test]# ipa vault-mod vchange --old-password=1234 --new-password=abcde
------------------------
Modified vault "vchange"
------------------------
  Vault name: vchange
  Type: symmetric
  Salt: NnhtSAHcQrpLjvn3IGIyIg==
  Owner users: admin
  Vault user: admin
[root@master test]# ipa vault-retrieve vchange --password=abcde --out=/tmp/vchange.out
-----------------------------------
Retrieved data from vault "vchange"
-----------------------------------
[root@master test]# grep 123456 /tmp/vchange.out
123456
[root@master test]# 
[root@master test]# #####################################################################
[root@master test]# # fail to retrieve vault after password change
[root@master test]# #####################################################################
[root@master test]# ipa vault-retrieve vchange --password=12345 --out=/tmp/vchange.out
ipa: ERROR: Invalid credentials
[root@master test]# 
[root@master test]# #####################################################################
[root@master test]# # change type from symmetric to asymmetric
[root@master test]# #####################################################################
[root@master test]# ipa vault-mod vchange --type=asymmetric --old-password=abcde --public-key-file=public.pem
------------------------
Modified vault "vchange"
------------------------
  Vault name: vchange
  Type: asymmetric
  Public key: (base64 public key blob omitted)
  Owner users: admin
  Vault user: admin
[root@master test]# ipa vault-retrieve vchange --private-key-file=private.pem --out=/tmp/vchange.out
-----------------------------------
Retrieved data from vault "vchange"
-----------------------------------
[root@master test]# grep 123456 /tmp/vchange.out
123456
[root@master test]# 
[root@master test]# #####################################################################
[root@master test]# # fail to retrieve asymmetric vault with previous symmetric password
[root@master test]# #####################################################################
[root@master test]# ipa vault-retrieve vchange --password=abcde --out=/tmp/vchange.out
ipa: ERROR: invalid 'private_key': Missing vault private key
[root@master test]# 
[root@master test]# #####################################################################
[root@master test]# # change asymmetric keys with files
[root@master test]# #####################################################################
[root@master test]# ipa vault-mod vchange --private-key-file=private.pem --public-key-file=new-public.pem
------------------------
Modified vault "vchange"
------------------------
  Vault name: vchange
  Type: asymmetric
  Public key: (base64 public key blob omitted)
  Owner users: admin
  Vault user: admin
[root@master test]# ipa vault-retrieve vchange --private-key-file=new-private.pem --out=/tmp/vchange.out
-----------------------------------
Retrieved data from vault "vchange"
-----------------------------------
[root@master test]# grep 123456 /tmp/vchange.out
123456
[root@master test]# 
[root@master test]# #####################################################################
[root@master test]# # fail to retrieve vault after changing keys with files
[root@master test]# #####################################################################
[root@master test]# ipa vault-retrieve vchange --private-key-file=private.pem --out=/tmp/vchange.out
ipa: ERROR: Invalid credentials
[root@master test]# 
[root@master test]# #####################################################################
[root@master test]# # change asymmetric to symmetric
[root@master test]# #####################################################################
[root@master test]# ipa vault-mod vchange --private-key-file=new-private.pem --new-password=12345
------------------------
Modified vault "vchange"
------------------------
  Vault name: vchange
  Type: symmetric
  Salt: XXFi6afUaVs92P/a7Upd5A==
  Owner users: admin
  Vault user: admin
[root@master test]# ipa vault-retrieve vchange --password=12345 --out=/tmp/vchange.out
-----------------------------------
Retrieved data from vault "vchange"
-----------------------------------
[root@master test]# grep 123456 /tmp/vchange.out
123456
[root@master test]# 
[root@master test]# #####################################################################
[root@master test]# # fail to retrieve symmetric vault with previous assymmetric keys
[root@master test]# #####################################################################
[root@master test]# expect -f - <<EOF
> set timeout 30
> spawn ipa vault-retrieve vchange --private-key-file=new-private.pem --out=/tmp/vchange.out
> expect "ssword:*"
> send -- "\r"
> expect eof
> EOF
spawn ipa vault-retrieve vchange --private-key-file=new-private.pem --out=/tmp/vchange.out
Password: 
ipa: ERROR: Invalid credentials
[root@master test]# 
[root@master test]# #####################################################################
[root@master test]# # change symmetric password with files
[root@master test]# #####################################################################
[root@master test]# echo 12345 > oldpw
[root@master test]# echo abcdefg > newpw
[root@master test]# ipa vault-mod vchange --old-password-file=oldpw --new-password-file=newpw
------------------------
Modified vault "vchange"
------------------------
  Vault name: vchange
  Type: symmetric
  Salt: 24OfUQvxVLUpF6yMZFjekg==
  Owner users: admin
  Vault user: admin
[root@master test]# ipa vault-retrieve vchange --password-file=newpw --out=/tmp/vchange.out
-----------------------------------
Retrieved data from vault "vchange"
-----------------------------------
[root@master test]# grep 123456 /tmp/vchange.out
123456
[root@master test]# 
[root@master test]# #####################################################################
[root@master test]# # fail to retrieve vault after password change with files
[root@master test]# #####################################################################
[root@master test]# ipa vault-retrieve vchange --password-file=oldpw --out=/tmp/vchange.out
ipa: ERROR: Invalid credentials
[root@master test]# 
[root@master test]# #####################################################################
[root@master test]# # change symmetric to standard
[root@master test]# #####################################################################
[root@master test]# ipa vault-mod vchange --old-password=abcdefg --type standard
------------------------
Modified vault "vchange"
------------------------
  Vault name: vchange
  Type: standard
  Owner users: admin
  Vault user: admin
[root@master test]# ipa vault-retrieve vchange --out=/tmp/vchange.out
-----------------------------------
Retrieved data from vault "vchange"
-----------------------------------
[root@master test]# grep 123456 /tmp/vchange.out
123456
[root@master test]# 
[root@master test]# #####################################################################
[root@master test]# # change standard to asymmetric
[root@master test]# #####################################################################
[root@master test]# ipa vault-mod vchange --type asymmetric --public-key="$PUBKEYBLOB"
------------------------
Modified vault "vchange"
------------------------
  Vault name: vchange
  Type: asymmetric
  Public key: (base64 public key blob omitted)
  Owner users: admin
  Vault user: admin
[root@master test]# ipa vault-retrieve vchange --private-key="$PRVKEYBLOB" --out=/tmp/vchange.out
-----------------------------------
Retrieved data from vault "vchange"
-----------------------------------
[root@master test]# grep 123456 /tmp/vchange.out
123456
[root@master test]# 
[root@master test]# #####################################################################
[root@master test]# # change asymmetric keys with blobs
[root@master test]# #####################################################################
[root@master test]# ipa vault-mod vchange --private-key="$PRVKEYBLOB" --public-key="$NEWPUBKEYBLOB"
------------------------
Modified vault "vchange"
------------------------
  Vault name: vchange
  Type: asymmetric
  Public key: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF4WmREMWNnRmpxaG02MDV4eU8xWApSUkE0NlpDZE1NYTdIWGg4UDVzT29vRldWaW03dXBwejZpbGR1ek93M3kyZlRBbWcxdWhtL0lZL05RY21Ta3NzCnM3Y1ZFVmZkWlZOcThZSUJkSUMxWVRleHo3RjNBOGU3aGNtZUhLMnUwOGVld0YvaTRHVytZU2Y1bjk4R2dQd3AKdmg3UnVEVzlOWHhQa1FnZmc3TGQ0YzNaRWZBaURsS3NxVmRZbXczVnJ3YjMvU0x6UUZUb21vY2d6c0JEM3BkegpmMjJiU0o2Mk1NZFZGbjkreWM3YkN2dWY4MzNmcDRlMWhndVJlTFpOZ3NTRTgxaUNRQ3c5dXNjRTVJbnpsUHlTCmsyS2lrWHRMOHplb04zYzMxazVsRGppaU14V25EMGN1SnVxRG92TlhsbUYvRk5jd2cySG9aTTZqYUNqTC9LdkIKS1FJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==
  Owner users: admin
  Vault user: admin
[root@master test]# ipa vault-retrieve vchange --private-key="$NEWPRVKEYBLOB" --out=/tmp/vchange.out
-----------------------------------
Retrieved data from vault "vchange"
-----------------------------------
[root@master test]# grep 123456 /tmp/vchange.out
123456
[root@master test]# 
[root@master test]# #####################################################################
[root@master test]# # fail to retrieve vault after changing keys with blobs
[root@master test]# #####################################################################
[root@master test]# ipa vault-retrieve vchange --private-key="$PRVKEYBLOB"
ipa: ERROR: Invalid credentials
[root@master test]# 
[root@master test]#
Comment 4 errata-xmlrpc 2015-11-19 07:05:35 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html
