1563529 – Root password hash in Operating System written in capital letters

Bug 1563529 - Root password hash in Operating System written in capital letters

Summary: Root password hash in Operating System written in capital letters

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Satellite
Classification:	Red Hat
Component:	Provisioning
Sub Component:
Version:	6.3.0
Hardware:	x86_64
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	6.5.0
Assignee:	Lukas Zapletal
QA Contact:	Roman Plevka
Docs Contact:
URL:	https://projects.theforeman.org/issue...
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-04-04 06:17 UTC by Simon Reber
Modified:	2021-09-09 13:35 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-05-14 12:37:00 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Foreman Issue Tracker	24084	Normal	Closed	Password hash propagation (operatingsystem/kickstart template) to authconfig doesn't work	2020-12-23 14:04:33 UTC
Red Hat Knowledge Base (Solution)	3497261	None	None	None	2018-07-26 09:46:24 UTC
Red Hat Product Errata	RHSA-2019:1222	None	None	None	2019-05-14 12:37:12 UTC

Description Simon Reber 2018-04-04 06:17:01 UTC

Description of problem:

The root password hash under Operating System (SHA256, SHA512, etc) are written in capital letters. This is saved the same way into `@host.operatingsystem.password_hash`. When using `Satellite Kickstart Default` we have `authconfig --useshadow --passalgo=<%= @host.operatingsystem.password_hash || 'sha256' %> --kickstart` which will fail and thus fall back to the default, as `authconfig` can't handle hash definition in capital letters.

> authconfig --passalgo=SHA512 --useshadow --kickstart
> authconfig: Unknown password hashing algorithm specified, using sha256.

Version-Release number of selected component (if applicable):

 - satellite-6.3.0.1-1.el7sat.noarch

How reproducible:

 - Always

Steps to Reproduce:
1. Select SHA512 in Operating System
2. Kickstart System with `Satellite Kickstart Default`
3. Check default password hash defined

Actual results:

> authconfig --passalgo=SHA512 --useshadow --kickstart
> authconfig: Unknown password hashing algorithm specified, using sha256.

Expected results:

> authconfig --passalgo=sha512 --useshadow --kickstart

Additional info:

Comment 3 kallies 2018-06-26 12:21:10 UTC

We ran into the same issue. The workaround for us so far is

`authconfig --useshadow --passalgo=<%= @host.operatingsystem.password_hash.downcase || 'sha256' %> --kickstart`

Comment 4 Satellite Program 2018-06-27 14:13:21 UTC

Upstream bug assigned to lzap

Comment 5 Satellite Program 2018-06-27 14:13:24 UTC

Upstream bug assigned to lzap

Comment 6 Satellite Program 2018-06-27 16:13:20 UTC

Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/24084 has been resolved.

Comment 7 Lukas Zapletal 2018-07-26 09:29:39 UTC

The fix was pushed into Foreman 1.19 and will be part of future Satellite version.

https://github.com/theforeman/community-templates/pull/487/files

The workaround is to fix kickstart template in Satellite:

-authselect --useshadow --passalgo=<%= @host.operatingsystem.password_hash || 'sha256' %> --kickstart
+authselect --useshadow --passalgo=<%= @host.operatingsystem.password_hash.downcase || 'sha256' %> --kickstart

Comment 10 Roman Plevka 2019-03-06 13:25:26 UTC

VERIFIED
on sat6.5.0-18

the template already comes with .downcase:

# hammer template dump --id 46 | grep authconfig
authconfig --useshadow --passalgo=<%= @host.operatingsystem.password_hash.downcase || 'sha256' %> --kickstart

and renders properly

Comment 13 errata-xmlrpc 2019-05-14 12:37:00 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:1222

Note You need to log in before you can comment on or make changes to this bug.