Bug 1452668 - [downstream clone - 4.1.4] [RFE] possibility to enter encrypted passwords in --password option
Summary: [downstream clone - 4.1.4] [RFE] possibility to enter encrypted passwords in --password option
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine-extension-aaa-jdbc
Version: 3.6.6
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ovirt-4.1.4
Target Release: ---
Assignee: Miroslava Voglova
QA Contact: Lucie Leistnerova
URL:
Whiteboard:
Depends On: 1389673
Blocks: 1486740
 
Reported: 2017-05-19 12:59 UTC by rhev-integ
Modified: 2020-02-14 18:33 UTC
CC List: 8 users

Fixed In Version: 1.1.6
Doc Type: Enhancement
Doc Text:
Previously, administrators had to enter an unencrypted password when invoking 'ovirt-aaa-jdbc-tool user password-reset'. The password was then encrypted inside ovirt-aaa-jdbc-tool and stored in the database. This update enables administrators to use the new --encrypted option to enter an already encrypted password when invoking 'ovirt-aaa-jdbc-tool user password-reset'. However, there are some caveats when providing encrypted passwords:

1. Entering an encrypted password means that password validity tests cannot be performed, so they are skipped and the password is accepted even if it does not comply with the password validation policy.

2. A password has to be encrypted using the same configured algorithm. To encrypt passwords, administrators can use the '/usr/share/ovirt-engine/bin/ovirt-engine-crypto-tool.sh' tool, which provides the 'pbe-encode' command to encrypt passwords using the default PBKDF2WithHmacSHA1 algorithm.
Clone Of: 1389673
Environment:
Last Closed: 2017-07-27 18:04:30 UTC
oVirt Team: Infra
Target Upstream Version:
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2017:1818 | 0 | normal | SHIPPED_LIVE | ovirt-engine-extension-aaa-jdbc bug fix and enhancement update for RHV 4.1.4 | 2017-07-27 22:00:02 UTC
oVirt gerrit | 76498 | 0 | master | MERGED | adding --encrypted parameter to password-reset | 2021-01-11 09:32:38 UTC
oVirt gerrit | 78366 | 0 | master | MERGED | Fix encrypted option in password-reset | 2021-01-11 09:32:38 UTC

Comment 4 Lucie Leistnerova 2017-06-06 13:17:54 UTC
The --encrypted option was added to ovirt-aaa-jdbc-tool. It sets the password directly and the user can log in.

The problem is that when I accidentally store a badly encrypted password, I can't change it back.

# ovirt-aaa-jdbc-tool user password-reset test --encrypted --password=pass:eyJhcnRpZmFjdCI6IkVudmVsb3BlUEJFIiwic2FsdCI6IlVrMlZURUtMOGlXNVZkWVNhazJsL1d0WVBoeCtZZ0oyR2x4dm5FaEpNMk09Iiwic2VjcmV0IjoiYVlteWh0S1JvS1AwV1BIdjl2aEN3YVpidUJRbEkzb1hGTFg1TWd3am40dz0iLCJ2ZXJzaW9uIjoiMSIsIml0ZXJhdGlvbnMiOiIyMDA
updating user test...
user updated successfully

# ovirt-aaa-jdbc-tool user password-reset test --password=pass:333333
Unexpected end-of-input in VALUE_STRING
 at [Source: [B@491666ad; line: 1, column: 335]

And in the UI there is a wrong error when I try to log in as this user:

Unexpected end-of-input within/between OBJECT entries at [Source: [B@67219cf1; line: 1, column: 301] 

tested in ovirt-engine-extension-aaa-jdbc-1.1.5-1.el7ev.noarch, ovirt-engine-4.1.3.1-0.1.el7.noarch

Comment 5 Martin Perina 2017-06-26 14:32:46 UTC
Fix will be included in ovirt-engine-extension-aaa-jdbc 1.1.6

Comment 6 Miroslava Voglova 2017-07-03 08:57:49 UTC
" ...otherwise the user will not be able to login because tests cannot be performed to correct the encryption algorithm that was used... "
This part of the doc text is not correct anymore. There is a way to check if the proper encryption algorithm was used. So the administrator will be informed that he uses the wrong algorithm and the user's password will not be altered.

I suggest just omitting this part from the doc text. So it will look like this:

"A password has to be encrypted using the same configured algorithm. To encrypt passwords, administrators can use the '/usr/share/ovirt-engine/bin/ovirt-engine-crypto-tool.sh' tool, which provides the 'pbe-encode' command to encrypt passwords using the default PBKDF2WithHmacSHA1 algorithm."

Comment 7 Byron Gravenorst 2017-07-04 01:46:18 UTC
Thanks Miroslava. I implemented the suggestion.

Comment 9 Martin Perina 2017-07-12 20:21:20 UTC
Moving the bug to 4.1.4, because by mistake aaa-jdbc 1.1.5 was delivered as a part of 4.1.3, and this release contains the fix for the bug which failed QA. The complete fix is included in aaa-jdbc 1.1.6, so it's worth releasing asap.

Comment 11 Lucie Leistnerova 2017-07-17 14:56:31 UTC
Now it is not possible to set a badly encrypted password; an error is written (even with --force).

verified in ovirt-engine-extension-aaa-jdbc-1.1.6-1.el7ev.noarch, ovirt-engine-4.1.4.1-0.1.el7.noarch

Comment 13 errata-xmlrpc 2017-07-27 18:04:30 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1818

Comment 14 Avital Pinnick 2017-10-31 14:45:55 UTC
(In reply to Miroslava Voglova from comment #6)
> " ...otherwise the user will not be able to login because tests cannot be
> performed to correct the encryption algorithm that was used... "
> This part of the doc text is not correct anymore. There is a way to check if
> the proper encryption algorithm was used. So the administrator will be informed
> that he uses the wrong algorithm and the user's password will not be altered. 
> 
> I suggest just omitting this part from the doc text. So it will look like this:
> 
> "A password has to be encrypted using the same configured algorithm. To
> encrypt passwords, administrators can use the
> '/usr/share/ovirt-engine/bin/ovirt-engine-crypto-tool.sh' tool, which
> provides the 'pbe-encode' command to encrypt passwords using the default
> PBKDF2WithHmacSHA1 algorithm."

Miroslava, I am trying to document this in the Admin guide (https://bugzilla.redhat.com/show_bug.cgi?id=1486740). 

Should we provide instructions for using the ovirt-engine-crypto-tool.sh tool? I ran the script but couldn't figure out what kind of input it required. Does the admin need to know how to use this tool?

Comment 15 Miroslava Voglova 2017-11-01 09:27:52 UTC
(In reply to Avital Pinnick from comment #14)
> Miroslava, I am trying to document this in the Admin guide
> (https://bugzilla.redhat.com/show_bug.cgi?id=1486740). 
> 
> Should we provide instructions for using the ovirt-engine-crypto-tool.sh
> tool? I ran the script but couldn't figure out what kind of input it
> required. Does the admin need to know how to use this tool?

The admin should be able to use this crypto-tool to acquire an encrypted password, if he wants to use the --encrypted option. So we should provide instructions for using it, but I would limit these instructions only to the pbe-encode command; AFAIK other commands don't work properly.

Help message:

/usr/share/ovirt-engine/bin/ovirt-engine-crypto-tool.sh pbe-encode [options]

Options:
  --algorithm=[ALGORITHM]
    PBE algorithm, default: PBKDF2WithHmacSHA1

  --help
    Show help.

  --iterations=[NUMBER]
    Number of iterations, default: 4000

  --key-size=[NUMBER]
    Key size, default: 256

  --password=[PASSWORD]
    Password can be specified in one of the following format:
      interactive: - query password interactively [default].
      pass:STRING - provide a password as STRING.
      env:KEY - provide a password using environment KEY.
      file:FILE - provide a password as 1st line of FILE.


All options have default values, so they don't have to be specified.
The input for this tool is the password that you want to encode. The password can be passed interactively, as a string in the password option, in an environment variable or inside a file.
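
To make the caveats in the doc text and the help message above concrete, here is an added example (written for this page; it is not code from oVirt, from the aaa-jdbc extension, or from anyone on this bug) that models the pbe-encode and 'password-reset --encrypted' workflow in Python. It shows three things: how a PBKDF2WithHmacSHA1 envelope with the default 4000 iterations and 256-bit key is produced, why a blob cut short while being pasted (the situation in comment 4) is only detectable once the JSON inside the base64 is parsed, and the kind of pre-flight check that refuses a blob made with a different algorithm than the engine is configured for, which is what aaa-jdbc 1.1.6 added. The envelope layout is an assumption: it uses the field names visible when the blob in comment 4 is base64-decoded (artifact, salt, secret, version, iterations) plus algorithm and keySize, so the real format written by ovirt-engine-crypto-tool.sh may differ and the real tool must still be used to produce blobs for a real engine.

```python
"""Model of the pbe-encode / password-reset --encrypted workflow (added example, not oVirt code).

ASSUMPTION: the envelope layout below is a simplified model built from the field names seen
in the decoded blob in comment 4 plus algorithm/keySize; the real EnvelopePBE format may differ.
"""
import base64
import binascii
import hashlib
import hmac
import json
import os

# Defaults quoted in the pbe-encode help message on this page.
DEFAULT_ALGORITHM = "PBKDF2WithHmacSHA1"
DEFAULT_ITERATIONS = 4000
DEFAULT_KEY_SIZE = 256  # bits

# Java PBE algorithm name -> hashlib digest name (assumption: only these two are modelled).
_DIGESTS = {"PBKDF2WithHmacSHA1": "sha1", "PBKDF2WithHmacSHA256": "sha256"}

REQUIRED_FIELDS = ("artifact", "version", "algorithm", "salt", "iterations", "keySize", "secret")


def pbe_encode(password, algorithm=DEFAULT_ALGORITHM, iterations=DEFAULT_ITERATIONS,
               key_size=DEFAULT_KEY_SIZE, salt=None):
    """Derive a PBKDF2 key from `password` and wrap it in a base64(JSON) envelope.

    A fixed `salt` makes the output reproducible for tests; a real tool picks a random one.
    """
    if algorithm not in _DIGESTS:
        raise ValueError(f"unsupported algorithm {algorithm!r}")
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac(_DIGESTS[algorithm], password.encode("utf-8"),
                              salt, iterations, key_size // 8)
    envelope = {
        "artifact": "EnvelopePBE",
        "version": "1",
        "algorithm": algorithm,
        "salt": base64.b64encode(salt).decode("ascii"),
        "iterations": str(iterations),
        "keySize": str(key_size),
        "secret": base64.b64encode(key).decode("ascii"),
    }
    raw = json.dumps(envelope, separators=(",", ":")).encode("ascii")
    return base64.b64encode(raw).decode("ascii")


def parse_envelope(blob):
    """Decode a blob into its envelope dict, or raise ValueError saying what is wrong.

    Padding is re-added before decoding so that a blob cut short while being pasted
    still reaches the JSON parser and is reported as incomplete JSON, which is the
    stage at which the real tool failed in comment 4.
    """
    padded = blob + "=" * (-len(blob) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not valid base64: {exc}") from None
    try:
        env = json.loads(raw)
    except ValueError as exc:
        raise ValueError(f"incomplete or malformed JSON envelope: {exc}") from None
    if not isinstance(env, dict):
        raise ValueError("envelope is not a JSON object")
    missing = [f for f in REQUIRED_FIELDS if f not in env]
    if missing:
        raise ValueError(f"envelope is missing fields: {', '.join(missing)}")
    if env["artifact"] != "EnvelopePBE":
        raise ValueError(f"unexpected artifact {env['artifact']!r}")
    if env["algorithm"] not in _DIGESTS:
        raise ValueError(f"unknown algorithm {env['algorithm']!r}")
    if not str(env["iterations"]).isdigit() or not str(env["keySize"]).isdigit():
        raise ValueError("iterations and keySize must be decimal integers")
    try:
        secret = base64.b64decode(env["secret"], validate=True)
    except (binascii.Error, ValueError):
        raise ValueError("secret is not valid base64") from None
    if len(secret) * 8 != int(env["keySize"]):
        raise ValueError(f"secret is {len(secret) * 8} bits but keySize says {env['keySize']}")
    return env


def check_before_reset(blob, configured_algorithm=DEFAULT_ALGORITHM):
    """Pre-flight for `password-reset --encrypted`: (True, envelope) or (False, reason).

    A blob that was not produced with the configured algorithm is refused instead of
    being written to the database, the behaviour verified for aaa-jdbc 1.1.6 in comment 11.
    """
    try:
        env = parse_envelope(blob)
    except ValueError as exc:
        return False, str(exc)
    if env["algorithm"] != configured_algorithm:
        return False, f"encrypted with {env['algorithm']}, engine is configured for {configured_algorithm}"
    return True, env


def verify_password(blob, password):
    """Re-derive the key from `password` and compare it to the envelope's secret (login check)."""
    env = parse_envelope(blob)
    salt = base64.b64decode(env["salt"])
    key = hashlib.pbkdf2_hmac(_DIGESTS[env["algorithm"]], password.encode("utf-8"),
                              salt, int(env["iterations"]), int(env["keySize"]) // 8)
    return hmac.compare_digest(key, base64.b64decode(env["secret"]))


if __name__ == "__main__":
    # Constructed inputs: a good blob, the same blob cut short, and one made with another algorithm.
    good = pbe_encode("s3cret-Pa55", salt=b"\x00" * 16)
    truncated = good[:-40]
    other_alg = pbe_encode("s3cret-Pa55", algorithm="PBKDF2WithHmacSHA256", salt=b"\x00" * 16)
    for label, blob in (("good", good), ("truncated", truncated), ("sha256", other_alg)):
        ok, detail = check_before_reset(blob)
        print(label, "accepted" if ok else f"rejected: {detail}")
    print("login check:", verify_password(good, "s3cret-Pa55"))
```

Running the module accepts the first blob, rejects the truncated one with a JSON error (the same stage at which the real tool printed "Unexpected end-of-input" in comment 4) and rejects the SHA-256 one because the engine in this model is configured for PBKDF2WithHmacSHA1. The first caveat from the doc text holds here as well: nothing in the envelope records whether the cleartext satisfied the password policy, so any policy check has to run before the password is encoded.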

Comment 16 Avital Pinnick 2017-11-01 09:30:52 UTC
(In reply to Miroslava Voglova from comment #15)
> (In reply to Avital Pinnick from comment #14)
> > Miroslava, I am trying to document this in the Admin guide
> > (https://bugzilla.redhat.com/show_bug.cgi?id=1486740). 
> > 
> > Should we provide instructions for using the ovirt-engine-crypto-tool.sh
> > tool? I ran the script but couldn't figure out what kind of input it
> > required. Does the admin need to know how to use this tool?
> 
> The admin should be able to use this crypto-tool to acquire an encrypted
> password, if he wants to use the --encrypted option. So we should provide
> instructions for using it, but I would limit these instructions only to the
> pbe-encode command; AFAIK other commands don't work properly.
> 
> Help message:
> 
> /usr/share/ovirt-engine/bin/ovirt-engine-crypto-tool.sh pbe-encode [options]
> 
> Options:
>   --algorithm=[ALGORITHM]
>     PBE algorithm, default: PBKDF2WithHmacSHA1
> 
>   --help
>     Show help.
> 
>   --iterations=[NUMBER]
>     Number of iterations, default: 4000
> 
>   --key-size=[NUMBER]
>     Key size, default: 256
> 
>   --password=[PASSWORD]
>     Password can be specified in one of the following format:
>       interactive: - query password interactively [default].
>       pass:STRING - provide a password as STRING.
>       env:KEY - provide a password using environment KEY.
>       file:FILE - provide a password as 1st line of FILE.
> 
> 
> All options have default values, so they don't have to be specified.
> The input for this tool is the password that you want to encode. The password
> can be passed interactively, as a string in the password option, in an
> environment variable or inside a file.

OK. I'll just document the --password= option. Thanks!

