Bug 161099 - admin passwd in clear text in adm.conf
Status: CLOSED CURRENTRELEASE
Product: Red Hat Directory Server
Classification: Red Hat
Component: Admin
Version: 7.1
Platform: All Linux
Priority: medium
Severity: medium
Target Milestone: DS8.0
Assigned To: Noriko Hosoi
QA Contact: Viktor Ashirov
Blocks: 152373 240316
Reported: 2005-06-20 11:47 EDT by To Ngan
Modified: 2016-05-06 10:37 EDT (History)
Doc Type: Bug Fix
Last Closed: 2016-05-06 10:37:50 EDT

Attachments:
- cvs diffs (19.59 KB, patch), 2006-04-27 20:35 EDT, Noriko Hosoi
- cvs diffs (adminserver) (16.05 KB, patch), 2006-04-27 20:50 EDT, Noriko Hosoi
- cvs diffs (ldapserver) (1.41 KB, patch), 2006-04-27 20:57 EDT, Noriko Hosoi
- cvs diffs (adminutil) (19.06 KB, patch), 2006-05-04 18:37 EDT, Noriko Hosoi
- cvs diff (mod_admserv) (1.32 KB, patch), 2006-05-04 18:43 EDT, Noriko Hosoi
- cvs diffs (adminserver) (12.92 KB, patch), 2006-05-04 18:57 EDT, Noriko Hosoi
- cvs diffs (adminutil) (20.61 KB, patch), 2006-05-09 21:50 EDT, Noriko Hosoi
- cvs diff mod_admserv.c (5.18 KB, patch), 2006-05-09 22:01 EDT, Noriko Hosoi
- cvs diffs (adminserver) (12.44 KB, patch), 2006-05-09 22:04 EDT, Noriko Hosoi
- cvs commit message (adminutil) (2.10 KB, text/plain), 2006-05-11 19:25 EDT, Noriko Hosoi
- cvs commit mod_admserv.c (952 bytes, text/plain), 2006-05-11 19:47 EDT, Noriko Hosoi
- cvs commit message (adminserver) (2.05 KB, text/plain), 2006-05-11 20:36 EDT, Noriko Hosoi

Description To Ngan 2005-06-20 11:47:43 EDT
Description of problem:
This issue is raised by jonesy on #fedora-ds.
The admin's passwd is in the clear in admin-serv/config/adm.conf.

Why is it there in clear text?  There's already an encrypted passwd stored in
admin-serv/config/admpw.

I tried changing the sieid: line in adm.conf to some bogus passwd; upon admin
server restart, an attempt to log in to the console fails with 500.  In the admin error log
the error says "Unauthorized host".  It returned to normal after I changed
the sieid line back to the correct passwd and restarted the admin server.  Weird.


Version-Release number of selected component (if applicable):
20050524.1

How reproducible:
Consistently
Comment 1 Rich Megginson 2006-04-12 10:00:16 EDT
Can we open this bug?  There are a couple of people on the Fedora DS list who
would like to track it.  Alternately, I can dup this bug as an FDS bug.
Comment 2 Noriko Hosoi 2006-04-27 20:35:19 EDT
Created attachment 128333 [details]
cvs diffs

Files:
 modified:
  include/libadminutil/admutil.h
  lib/libadminutil/Makefile
  lib/libadminutil/admutil.c
  lib/libadminutil/admutil_pvt.h
  lib/libadmsslutil/Makefile
 new:
  lib/libadminutil/admutil_enc.c

Change description:
1) Introduced admutil_encryption and _decryption.
2) In the function admldapBuildInfoCbk, which reads from adm.conf and sets the
   info into the internal structure admInfo: if the admin password siepid is
   encrypted, decrypt it and use it to authenticate with the config directory
   server.  If the siepid value is not encrypted, encrypt it and update adm.conf.

Sample adm.conf:
===================================
ldapHost:   laputa.sfbay.redhat.com
ldapPort:   55555
sie:   cn=admin-serv-laputa, cn=Red Hat Administration Server, cn=Server Group,
cn=laputa.sfbay.redhat.com, ou=sfbay.redhat.com, o=NetscapeRoot
siepid:   {crypt}xX1B0anmsDjPyL2MDnQvAw==
isie:	cn=Red Hat Administration Server, cn=Server Group,
cn=laputa.sfbay.redhat.com, ou=sfbay.redhat.com, o=NetscapeRoot
port:	55550
ldapStart:   slapd-laputa/start-slapd
===================================
As described above, if a user replaces "siepid: ..." with the right clear text
password, it still works.  And it's encrypted on the next start-admin.

The admin-serv/config dir now has these db files.  (I believe only key3.db is being
used.)
$ ls admin-serv/config/*db
admin-serv/config/cert8.db  admin-serv/config/secmod.db
admin-serv/config/key3.db
Comment 3 Noriko Hosoi 2006-04-27 20:37:19 EDT
Note: the previous changes are made to AdminUtil.
Comment 4 Noriko Hosoi 2006-04-27 20:50:27 EDT
Created attachment 128334 [details]
cvs diffs (adminserver)

Files:
  nsconfig.mk
  admserv/pkgadmin.mk
  admserv/cgi-src40/download.c
  admserv/newinst/insadm/config.c
  admserv/newinst/src/Makefile
  admserv/newinst/src/ux-config.cc
  admserv/newinst/src/ux-config.h
  admserv/newinst/src/ux-remove.cc
  admserv/newinst/src/ux-update.cc

Change description:
1) To run the pre-install program ns-config, set rpath "lib" on the program, and
   have the dependent shared libraries in <date>/<platform>/admin/lib:
     libadminutil.so*	libicui18n.so.34  libplc4.so*	   libsoftokn3.so*
     libadmsslutil.so*	libicuuc.so.34	  libplds4.so*	   libssl3.so*
     libfreebl3.chk	libldap50.so*	  libprldap50.so*  libssldap50.so*
     libfreebl3.so*	libnspr4.so*	  libsmime3.so*
     libicudata.so.34	libnss3.so*	  libsoftokn3.chk
2) If pre-install ns-config finds an encrypted password in adm.conf, it decrypts it
   before sending it to the config directory server.
3) Post-install ns-update decrypts the admin password and stores it in
   adm.conf.
misc) download.c had a buffer size problem which was causing the cgi crash.
Comment 5 Noriko Hosoi 2006-04-27 20:57:56 EDT
Created attachment 128335 [details]
cvs diffs (ldapserver)

Files:
  ldap/clients/dsgw/Makefile

Change description:
1) Add a dependency on NSS to the DSGW build.
misc) Pick up the new version of WinSync.
Comment 6 Noriko Hosoi 2006-05-04 18:19:17 EDT
Comments #2 - #5 were cancelled based upon the team discussion.

New implementation:
When the admin server needs the configuration info, instead of asking the
Directory Server, get it from the local cache file (local.conf).  Only when the
configuration needs to be updated does access to the DS happen.  At that time, the
admin password is provided by the user and it can be used to get authenticated
on the Directory Server.  This way, we eliminate the admin password (siepid)
from adm.conf.
Comment 7 Noriko Hosoi 2006-05-04 18:37:18 EDT
Created attachment 128637 [details]
cvs diffs (adminutil)

Files:
  include/libadminutil/admutil.h
  lib/libadminutil/Makefile
  lib/libadminutil/admutil.c
  lib/libadminutil/admutil_pvt.h
  lib/libadminutil/psetc.c
  lib/libadminutil/uginfo.c
  lib/libadmsslutil/Makefile
  lib/libadmsslutil/psetcssl.c

Change description:
1) The sie password is no longer stored in adm.conf.  Instead, get it from the client
   via PIPE.
2) Added subordinate functions admldapGetXXX to retrieve the ldap handle,
   directory URL, and userDN.
3) Updated Makefiles to clean up the old files from the previous make.
Comment 8 Noriko Hosoi 2006-05-04 18:43:38 EDT
Created attachment 128638 [details]
cvs diff (mod_admserv)

File:
  mod_admserv.c

Change description:
Check if the ldap handle is set in the admin ldap info structure (AdmldapInfo).
If it is not set, the Admin Server does not have an admin user password / SIE
password, and it has not connected to the Directory Server.  In this case,
gather the necessary info from the local cache.
Comment 9 Noriko Hosoi 2006-05-04 18:57:30 EDT
Created attachment 128640 [details]
cvs diffs (adminserver)

Files:
  admserv/cgi-src40/config.c
  admserv/cgi-src40/download.c
  admserv/cgi-src40/htmladmin.c
  admserv/cgi-src40/sec-activate.c
  admserv/newinst/insadm/config.c
  admserv/newinst/src/Makefile
  admserv/newinst/src/ux-config.cc
  admserv/newinst/src/ux-remove.cc
  admserv/newinst/src/ux-update.cc

Change description:
1) ns-update (ux-update.cc) stops storing the admin password (siepid) in adm.conf.
   And by calling psetCreate, it generates the local cache file local.conf in
   the post-install phase.
2) ns-update links with adminutil and its dependent components.
   ns-update has RPATH pointing to the components' location.
3) Got rid of the code retrieving the admin password from adm.conf from
   ns-config (ux-config.cc) and ns-remove (ux-remove.cc).  Both have the info
   input by the user.
4) Some CGI debugs (download.c and htmladmin.c.  Most of the htmladmin.c change
   is from Rich's fix -- not checked in, yet.  W/o the fix, cannot access
   the admin server from the browser...)
Comment 10 Noriko Hosoi 2006-05-09 21:50:44 EDT
Created attachment 128828 [details]
cvs diffs (adminutil)

Files:
  include/libadminutil/admutil.h
  lib/libadminutil/Makefile
  lib/libadminutil/admutil.c
  lib/libadminutil/admutil_pvt.h
  lib/libadminutil/psetc.c
  lib/libadminutil/uginfo.c
  lib/libadmsslutil/Makefile
  lib/libadmsslutil/psetcssl.c

Change description:
1) The sie password is no longer stored in adm.conf.  Instead, get it from the client
   via PIPE.
2) Added subordinate functions admldapGetXXX to retrieve the ldap handle,
   directory URL, and userDN.
3) Updated Makefiles to clean up the old files from the previous make.
4) Increased the buffer size to read in the local cache files.
Comment 11 Noriko Hosoi 2006-05-09 22:01:28 EDT
Created attachment 128829 [details]
cvs diff mod_admserv.c

File:
  mod_admserv.c

Change description:
1) In the initialization (mod_admserv_post_config), check whether the ldap handle is
   set in the admin ldap info structure (AdmldapInfo).  If it is not set,
   the Admin Server does not have an admin user password / SIE password, and
   it has not connected to the Directory Server.  In this case, gather the
   necessary info from the local cache.
   Also, set the task StartConfigDS in the HashTable for the admin server to
   start the Config DS in case the server is down.
2) Where it expects the sie password (from adm.conf), get it from the PIPE that the user
   provided (if possible).
Comment 12 Noriko Hosoi 2006-05-09 22:04:49 EDT
Created attachment 128830 [details]
cvs diffs (adminserver)

Files:
  admserv/cgi-src40/download.c
  admserv/cgi-src40/htmladmin.c
  admserv/cgi-src40/sec-activate.c
  admserv/newinst/insadm/config.c
  admserv/newinst/src/Makefile
  admserv/newinst/src/ux-config.cc
  admserv/newinst/src/ux-remove.cc
  admserv/newinst/src/ux-update.cc

Change description:
1) ns-update (ux-update.cc) stops storing the admin password (siepid) in adm.conf.
   And by calling psetCreate, it generates the local cache file local.conf in
   the post-install phase.
2) ns-update links with adminutil and its dependent components.
   ns-update has RPATH pointing to the components' location.
3) Got rid of the code retrieving the admin password from adm.conf from
   ns-config (ux-config.cc) and ns-remove (ux-remove.cc).  Both have the info
   input by the user.
4) Some CGI debugs (download.c and htmladmin.c.  Most of the htmladmin.c change
   is from Rich's fix -- not checked in, yet.  W/o the fix, cannot access
   the admin server from the browser...)
Comment 13 Noriko Hosoi 2006-05-11 19:25:44 EDT
Created attachment 128921 [details]
cvs commit message (adminutil)

Reviewed by Nathan and Rich.  (Thank you!)
Comment 14 Noriko Hosoi 2006-05-11 19:47:42 EDT
Created attachment 128922 [details]
cvs commit mod_admserv.c

Reviewed by Nathan and Rich. (Thank you!!)
Comment 15 Noriko Hosoi 2006-05-11 20:36:12 EDT
Created attachment 128926 [details]
cvs commit message (adminserver)

Reviewed by Nathan and Rich.  (Thank you!!!)
Comment 17 Noriko Hosoi 2006-05-15 13:45:58 EDT
How to verify the bug:
1) Install DS7.2.
2) $ grep -i siepid <server_root>/admin-serv/config/adm.conf
   If the command line returns nothing, the bug has been fixed.
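An added audit helper, not part of this bug or the Directory Server code, that parses the adm.conf format shown in comment 2 and reports how siepid is stored, generalising the grep check above: "absent" is the fix that shipped, "tagged" is the cancelled {crypt} interim approach, and "cleartext" is the original report. The sample file, hostnames and siepid value are constructed placeholders.

```python
import re

# Constructed sample modelled on the adm.conf excerpt in comment 2; hostnames,
# DNs and the siepid value are placeholders, not real credentials.
SAMPLE_ADM_CONF = """\
ldapHost:   ds.example.test
ldapPort:   55555
sie:   cn=admin-serv-host, cn=Red Hat Administration Server, cn=Server Group, cn=ds.example.test, ou=example.test, o=NetscapeRoot
siepid:   PLACEHOLDER-CLEARTEXT-PASSWORD
isie:\tcn=Red Hat Administration Server, cn=Server Group, cn=ds.example.test, ou=example.test, o=NetscapeRoot
port:\t55550
ldapStart:   slapd-host/start-slapd
"""

# Matches a {scheme}-prefixed value such as the {crypt}... form in comment 2.
SCHEME_PREFIX = re.compile(r"^\{[A-Za-z0-9_-]+\}")


def parse_adm_conf(text):
    """Parse 'key:<whitespace>value' lines into a dict.

    Keys are lower-cased so lookups are case-insensitive, like the
    'grep -i siepid' check in comment 17; lines without a colon are skipped.
    """
    entries = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        entries[key.strip().lower()] = value.strip()
    return entries


def classify_siepid(entries):
    """Return how the SIE password is stored in the parsed file:
    'absent'    - no siepid at all: the fix that shipped (comments 6-12)
    'tagged'    - {scheme}-prefixed: the cancelled interim encryption; the
                  secret is still on disk and recoverable with the local key
    'cleartext' - the original report: the password is in the file as-is
    """
    value = entries.get("siepid")
    if not value:
        return "absent"
    if SCHEME_PREFIX.match(value):
        return "tagged"
    return "cleartext"


def audit_adm_conf(text):
    """The verification from comment 17 applied to the file contents."""
    return classify_siepid(parse_adm_conf(text))
```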
Comment 18 Chandrasekar Kannan 2007-07-25 15:01:26 EDT
DS7.2 is not a valid milestone anymore.  Anything that's set to DS7.2 should be
set to DS8.0.  Will make further changes per bug council on 07/24/2007, after this.
Comment 20 Yi Zhang 2007-12-03 19:59:39 EST
Verified. PASS

Test machine: neo.dsdev.sjc.redhat.com (RHEL 32bit) & VM machine with Fedora 7 installed

Test steps: please follow Noriko's comments.
Test result: pass