Bug 1656418 - ipa-server-install fails in FIPS mode
Summary: ipa-server-install fails in FIPS mode
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: 389-ds-base
Version: 8.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: 8.0
Assignee: thierry bordaz
QA Contact: RHDS QE
URL:
Whiteboard:
Depends On: 1663443
Blocks:
Reported: 2018-12-05 13:36 UTC by Thorsten Scherf
Modified: 2024-12-20 18:47 UTC
CC: 23 users

Fixed In Version: 389-ds-base-1.4.0.20-3.module+el8+2605+dc3ef34f
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-13 22:56:31 UTC
Type: Bug
Target Upstream Version:
Embargoed:



Links:
- GitHub 389ds/389-ds-base issue 3158 (status: closed, priority: none, not private): "In FIPS mode, the server can select an unsupported password storage scheme" (last updated 2021-02-03 19:32:57 UTC)

Internal Links: 1841925

Description Thorsten Scherf 2018-12-05 13:36:29 UTC
Description of problem:
ipa-server-install fails in [32/44]: creating default Sudo bind user.

This is the ldif for the sudo user:

$ cat ./install/share/sudobind.ldif
#SUDO bind user
dn: uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: sudo
userPassword: $RANDOM_PASSWORD
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0

$RANDOM_PASSWORD is generated by ipa_generate_password(). It seems like the generated password is not allowed in FIPS mode.

Version-Release number of selected component (if applicable):
ipa-server-4.7.1-5.module+el8+2149+d62dbe01.x86_64

Comment 2 Christian Heimes 2018-12-05 13:47:34 UTC
ipa_generate_password generates a really long password with at least one element from the upper, lower, special, and digit character class. This should be good enough for FIPS, too.

>>> from ipapython.ipautil import ipa_generate_password
>>> help(ipa_generate_password)
Help on function ipa_generate_password in module ipapython.ipautil:

ipa_generate_password(entropy_bits=256, uppercase=1, lowercase=1, digits=1, special=1, min_len=0)
    Generate token containing at least `entropy_bits` bits and with the given
    character restraints.
    
    :param entropy_bits:
        The minimal number of entropy bits attacker has to guess:
           128 bits entropy: secure
           256 bits of entropy: secure enough if you care about quantum
                                computers
    
    Integer values specify minimal number of characters from given
    character class and length.
    Value None prevents given character from appearing in the token.
    
    Example:
    TokenGenerator(uppercase=3, lowercase=3, digits=0, special=None)
    
    At least 3 upper and 3 lower case ASCII chars, may contain digits,
    no special chars.

>>> ipa_generate_password()
'0Fc*Cqs0k0deO)9WCT!{bPHg;f$Vrf|l/zx-N]BgE'
>>> ipa_generate_password()
'4Nq<*Ojx@8J/;oySW.}aphhM:x{VE.>liR<yw+-h.'
>>> ipa_generate_password()
'7Jo,gb26Lbm8J){Q:IGz);)[Nqj&<qvI>R&3O^xsO'
>>> ipa_generate_password()
'1Hc+T7p^U;<:o{zU&%5M}!6k7H|p&T@%Y)<*RcNKa'
>>> ipa_generate_password()
'7Fb>xFF!^!BK+NAT$yxOYi2jV}kpZX:j|.2z<H}]+'

Comment 3 Alexander Bokovoy 2018-12-05 13:55:42 UTC
Mark,

since https://pagure.io/389-ds-base/issue/49235, 389-ds defaults to PBKDF2_SHA256 for a password scheme. Was this tested to be FIPS compatible?

Comment 5 Thorsten Scherf 2018-12-05 13:59:54 UTC
There is also this:

Clarify support of pbkdf2 for fips
https://bugzilla.redhat.com/show_bug.cgi?id=1513765

Comment 7 Christian Heimes 2018-12-05 14:14:54 UTC
NIST SP 800-132 specifies PBKDF2 as approved when combined with HMAC as PRF with any FIPS approved hash function. NSS' FIPS Validation page https://wiki.mozilla.org/FIPS_Validation does list PBKDF2 explicitly.

Comment 9 Tomas Mraz 2018-12-05 14:20:37 UTC
What component is this failure coming from? Is that NSS? I would say then it is a bug in the component as there is nothing wrong with using PBKDF2-SHA256. Or you're calling the PBKDF2 implementation in NSS somehow incorrectly.

Comment 10 mreynolds 2018-12-05 14:21:49 UTC
(In reply to Alexander Bokovoy from comment #3)
> Mark,
> 
> since https://pagure.io/389-ds-base/issue/49235, 389-ds defaults to
> PBKDF2_SHA256 for a password scheme. Was this tested to be FIPS compatible?

Hi Alexander,

At the time I recall it NOT working in FIPS mode, but "looks" like it is now supposed to work according to the comments in this bug.

Mark

Comment 12 Alexander Bokovoy 2018-12-05 14:40:12 UTC
(In reply to Tomas Mraz from comment #9)
> What component is this failure coming from? Is that NSS? I would say then it
> is a bug in the component as there is nothing wrong with using
> PBKDF2-SHA256. Or you're calling the PBKDF2 implementation in NSS somehow
> incorrectly.

For FreeIPA it is coming from 389-ds over LDAP protocol, so it is what happens in 389-ds. There, it is using password storage plugins to create hashes and store them. As reported by Thorsten, the failure is with PBKDF2_SHA256 storage scheme which fails. For PBKDF2_SHA256 hashing 389-ds uses NSS functions so it is most likely where it fails.

Comment 13 thierry bordaz 2018-12-05 17:22:49 UTC
If password policy defines 'passwordstoragescheme: default', then 389-ds should detect that it is running in FIPS mode (calling PK11_IsFIPS) and adopt the storage scheme SSHA512 (not PBKDF2_SHA256).

Is there a specific password policy with a specific passwordstoragescheme?

Comment 16 Tomas Mraz 2018-12-06 07:54:39 UTC
There is no reason why the PBKDF2_SHA256 password hash should not work in FIPS mode for password hashing. I probably understand why the function fails on NSS: it regards it as a key derivation function and you need to export the key, which NSS disallows because it used to be FIPS 140-2 level 2 validated. However, this is no longer the case; the check is superfluous for level 1 validation and it unnecessarily prevents its use for password hashing.

Comment 27 thierry bordaz 2018-12-17 14:51:04 UTC
upstream ticket https://pagure.io/389-ds-base/issue/50099

Comment 30 thierry bordaz 2018-12-19 10:05:02 UTC
fix of upstream ticket https://pagure.io/389-ds-base/issue/50099 is pushed => POST

Comment 31 thierry bordaz 2018-12-19 10:05:55 UTC
set back the needinfo flag

Comment 42 Viktor Ashirov 2019-02-01 12:58:09 UTC
Build tested:
389-ds-base-1.4.0.20-5.module+el8+2685+6de0feb1.x86_64

Without FIPS mode passwordStorageScheme defaults to PBKDF2_SHA256:
[root@server ~]# cat /proc/sys/crypto/fips_enabled 
0
[root@server ~]# ldapsearch -LLL -D cn=directory\ manager -w password -b cn=config passwordStorageScheme | grep -i passwordStorageScheme
passwordStorageScheme: PBKDF2_SHA256

On FIPS machine passwordStorageScheme defaults to SSHA512
[root@server ~]# cat /proc/sys/crypto/fips_enabled 
1
[root@server ~]# ldapsearch -LLL -D cn=directory\ manager -w password -b cn=config passwordStorageScheme | grep -i passwordStorageScheme
passwordStorageScheme: SSHA512

Marking as VERIFIED.
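The verification above can be automated. The script below is an added example, not code from the bug report or from 389-ds: it parses the contents of /proc/sys/crypto/fips_enabled and the cn=config passwordStorageScheme LDIF returned by the ldapsearch shown in this comment (both embedded here as constructed samples) and flags the combination this bug describes, FIPS mode with PBKDF2_SHA256 selected.

```python
"""Audit a 389-ds passwordStorageScheme against the host's FIPS state.

Added example (assumption: defaults are PBKDF2_SHA256 off FIPS and SSHA512
on FIPS, as reported in this bug). Inputs are text captured from
/proc/sys/crypto/fips_enabled and from
`ldapsearch -LLL -b cn=config passwordStorageScheme`.
"""
import re

DEFAULT_SCHEME_NON_FIPS = "PBKDF2_SHA256"
DEFAULT_SCHEME_FIPS = "SSHA512"


def expected_default_scheme(fips_enabled: bool) -> str:
    """Scheme 389-ds should choose for 'passwordStorageScheme: default'."""
    return DEFAULT_SCHEME_FIPS if fips_enabled else DEFAULT_SCHEME_NON_FIPS


def parse_fips_enabled(proc_text: str) -> bool:
    """Interpret /proc/sys/crypto/fips_enabled, which holds '0' or '1'."""
    value = proc_text.strip()
    if value not in ("0", "1"):
        raise ValueError(f"unexpected fips_enabled value: {value!r}")
    return value == "1"


def parse_ldif_attr(ldif_text: str, attr: str) -> list:
    """Collect the values of `attr` from LDIF text; attribute names are case-insensitive."""
    pat = re.compile(rf"^{re.escape(attr)}:\s*(.*)$", re.IGNORECASE | re.MULTILINE)
    return [m.group(1).strip() for m in pat.finditer(ldif_text)]


def check_scheme(fips_enabled: bool, config_ldif: str) -> tuple:
    """Return (ok, message). Fails when FIPS is on and the NSS-backed PBKDF2_SHA256 is configured."""
    schemes = parse_ldif_attr(config_ldif, "passwordStorageScheme")
    if not schemes:
        return False, "passwordStorageScheme not found in cn=config output"
    scheme = schemes[0].upper()
    expected = expected_default_scheme(fips_enabled)
    if fips_enabled and scheme == DEFAULT_SCHEME_NON_FIPS:
        return False, f"FIPS enabled but scheme is {scheme}; expected {expected}"
    return True, f"scheme {scheme} is acceptable (fips_enabled={int(fips_enabled)})"


if __name__ == "__main__":
    # Constructed samples modelled on the ldapsearch output in this comment.
    fixed = "dn: cn=config\npasswordStorageScheme: SSHA512\n"
    broken = "dn: cn=config\npasswordStorageScheme: PBKDF2_SHA256\n"
    for proc, ldif in (("1\n", fixed), ("1\n", broken), ("0\n", broken)):
        ok, msg = check_scheme(parse_fips_enabled(proc), ldif)
        print("OK  " if ok else "FAIL", msg)
```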

