Bug 182507 - clear-password mod from replica is discarded before changelogged
clear-password mod from replica is discarded before changelogged
Status: CLOSED CURRENTRELEASE
Product: 389
Classification: Community
Component: Replication - General (Show other bugs)
1.0
All Linux
high Severity high
: ---
: ---
Assigned To: Noriko Hosoi
Viktor Ashirov
:
Depends On:
Blocks: 639035 389_1.2.8 804828
  Show dependency treegraph
 
Reported: 2006-02-22 17:00 EST by Ulf Weltman
Modified: 2015-12-07 12:13 EST (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 804828 (view as bug list)
Environment:
Last Closed: 2015-12-07 12:13:28 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
git patch file (master) (4.12 KB, patch)
2010-11-08 16:07 EST, Noriko Hosoi
no flags Details | Diff
git patch file (master) (59.33 KB, patch)
2010-12-07 13:52 EST, Noriko Hosoi
no flags Details | Diff
git patch file (master) (77.19 KB, patch)
2010-12-13 18:10 EST, Noriko Hosoi
nhosoi: review?
rmeggins: review+
Details | Diff
Additional diff (1.09 KB, patch)
2010-12-13 19:24 EST, Noriko Hosoi
rmeggins: review+
nkinder: review+
Details | Diff
yet another additional diff (11.87 KB, patch)
2010-12-15 14:18 EST, Noriko Hosoi
nkinder: review+
Details | Diff

  None (edit)
Description Ulf Weltman 2006-02-22 17:00:45 EST
Description of problem:
When a userPassword is changed in a server with changelog, the hashed password
is logged and also a cleartext pseudo-attribute version.  It looks like this:
change::
replace: userPassword
userPassword: {SSHA}vqtiN2LHdrEUOJUKu+IBVqAVFsAlvFw+11kD/Q==
-
replace: unhashed#user#password
unhashed#user#password: secret12

This unhashed version is used in winsync where the cleartext version of the
password must be written to the AD.

Now if the DS is involved in replication with another DS, the change will be
replayed exactly as it is logged to the other DS replicas, including the
cleartext pseudo-attribute password.

When it arrives on the "consumer" M2, op_shared_modify and op_shared_add will
throw it out via the op_shared_is_allowed_attr function.  That is the right
thing to do because the pseudo-attribute should only ever exist in the
changelog, not in the DIT.  However, it's thrown out before it has a chance to
be changelogged, so if the replica is involved in winsync, it will not be able
to send the password update to AD.

Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:
1. Set up DS in MMR mode, M1 and M2.  Configure winsync between an AD and M1.
2. Change an NT user's password on M2.
3. The NT user's password will be updated on M1 and M2, but not AD.  Dump
changelogs on M1 and M2, note the discrepancy in what was changelogged for the
operation.
  
Actual results:


Expected results:


Additional info:
Comment 2 Rich Megginson 2009-01-14 12:56:01 EST
latering to 8.2
Comment 4 Noriko Hosoi 2010-11-08 16:07:27 EST
Created attachment 458887 [details]
git patch file (master)

Phase 1.
Description: If a password is changed by the password change
extended operation, the hashed password is logged and also a
cleartext pseudo-attribute version is in the replication changelog.
In the current code, the pseudo-attribute is discarded in the
server frontend to avoid storing it in the backend DB.  Therefore,
the other masters in an MMR topology have no chance to log it in
their changelogs.
This patch moved the pseudo-attribute elimination to the backend
(id2entry_add_ext in id2entry.c) to drop it before storing in
the database.  Since the internal mod keeps it, the pseudo-
attribute is replicated and stored in the other masters' changelog,
as well.
Comment 5 Noriko Hosoi 2010-11-08 16:10:29 EST
Phase 2.
Rich Megginson wrote:
1) password is stored unencrypted, so someone with access to the machine
   and disk can get it
2) password is sent on the wire unencrypted, so a network sniffer could
   get it

for 1, the only recourse is to store it encrypted, which would require
attrcrypt. The user can configure attribute encryption for this
attribute. Same goes for 2 - use TLS/SSL/SASL for replication. That is,
we let the user be insecure by default, but give them the tools and
information to secure things themselves. This really isn't that
different than other parts of the system - pam_ldap sends clear text
passwords to the directory server, but you can configure it to use TLS.
Comment 6 Noriko Hosoi 2010-12-07 13:52:29 EST
Created attachment 467113 [details]
git patch file (master)

Description:
Replication drops unhashed passwords which is necessary for
the AD password sync.  This patch allows the passwords replicated
and introduces a method to encrypt logs in the changelog.

See also http://directory.fedoraproject.org/wiki/Changelog_Encryption
Comment 8 Rich Megginson 2010-12-07 14:21:46 EST
Comment on attachment 467113 [details]
git patch file (master)

1) the use of the magic number 17 in the _cl5Entry2DBData - should use a macro or a #define for that number

2) _cl5WriteMod - if encryption is configured, but clcrypt_encrypt_value fails, seems that should be a hard failure - the user wants the data encrypted, but encryption is not available - I don't think the user wants unencrypted data showing up in the changelog
3) instead of copying/pasting all of that code from the core server attrcrypt code, could we expose those apis via slapi?  copy/paste lots of code like this makes me nervous, doubly so if it is encryption code
Comment 9 Noriko Hosoi 2010-12-07 16:14:51 EST
All right.  I'm going to open the phase 3 task for merging the attrcrypt and changelog encryption into libslapd.
Comment 10 Noriko Hosoi 2010-12-13 18:10:38 EST
Created attachment 468499 [details]
git patch file (master)

Description:
Replication drops unhashed passwords which is necessary for
the AD password sync.  This patch allows the passwords replicated
and introduces a method to encrypt logs in the changelog.

See also http://directory.fedoraproject.org/wiki/Changelog_Encryption
Comment 12 Noriko Hosoi 2010-12-13 19:24:40 EST
Created attachment 468515 [details]
Additional diff

Thanks to Nathan for his comments.  I'm adding this diff to the patch.
Comment 13 Noriko Hosoi 2010-12-15 14:18:44 EST
Created attachment 468942 [details]
yet another additional diff

The behaviour of the initialization code used by the changelog encryption was different from the attribute encryption's initialization.
The attribute encryption's case: if the symmetric key stored in the DS config failed to unwrap in attrcrypt_cipher_init, it logs an error message and returns an error.
The changelog encryption's case: if the symmetric key stored in the DS config failed to unwrap in _back_crypt_cipher_init, it generated a new key and replaced the old one with the new one.  The old key was lost in the automatic replace.

To leave the method to recover the encrypted contents, changed the behaviour of _back_crypt_cipher_init to adjust to attrcrypt_cipher_init.
Comment 14 Noriko Hosoi 2010-12-15 16:06:03 EST
Thanks to Rich and Nathan for their reviews.

Pushed to master.

$ git merge 182507
Updating ba8c3c9..7aef407
Fast-forward
 Makefile.am                                        |    1 +
 Makefile.in                                        |   15 +
 ldap/servers/plugins/replication/cl5.h             |    1 +
 ldap/servers/plugins/replication/cl5_api.c         |  107 +++-
 ldap/servers/plugins/replication/cl5_api.h         |    2 +
 ldap/servers/plugins/replication/cl5_config.c      |   37 +-
 ldap/servers/plugins/replication/cl_crypt.c        |  203 +++++
 ldap/servers/plugins/replication/cl_crypt.h        |   53 ++
 ldap/servers/plugins/replication/repl_shared.h     |   17 +-
 .../plugins/replication/windows_protocol_util.c    |    2 +-
 ldap/servers/slapd/back-ldbm/dblayer.c             |   42 +-
 ldap/servers/slapd/back-ldbm/id2entry.c            |   20 +-
 ldap/servers/slapd/back-ldbm/init.c                |    2 +
 ldap/servers/slapd/back-ldbm/ldbm_attrcrypt.c      |  818 ++++++++++++++++----
 ldap/servers/slapd/back-ldbm/proto-back-ldbm.h     |    6 +
 ldap/servers/slapd/backend.c                       |   11 +
 ldap/servers/slapd/opshared.c                      |    7 +-
 ldap/servers/slapd/pblock.c                        |    6 +
 ldap/servers/slapd/slap.h                          |    3 +
 ldap/servers/slapd/slapi-plugin.h                  |   42 +-
 ldap/servers/slapd/slapi-private.h                 |    1 +
 21 files changed, 1203 insertions(+), 193 deletions(-)
 create mode 100644 ldap/servers/plugins/replication/cl_crypt.c
 create mode 100644 ldap/servers/plugins/replication/cl_crypt.h

$ git push
Counting objects: 55, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (29/29), done.
Writing objects: 100% (29/29), 12.29 KiB, done.
Total 29 (delta 26), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   ba8c3c9..7aef407  master -> master
Comment 17 Amita Sharma 2011-08-01 06:20:39 EDT
Executed test suit mmrepl/encchangelog.

Results are ==>

checkchangelog: successfully verified /var/lib/dirsrv/slapd-s1/db/changelog
TestCase [tp2] result-> [PASS]

checkchangelog: successfully verified /var/lib/dirsrv/slapd-s2/db/changelog
TestCase [tp2] result-> [PASS]
adding new entry uid=s2test0,ou=People,o=airius.com

checkchangelog: successfully verified /var/lib/dirsrv/slapd-s1/db/changelog
TestCase [tp3] result-> [PASS]
-----------------StopSlapd: Called -----------------

checkchangelog: successfully verified /var/lib/dirsrv/slapd-s2/db/changelog
TestCase [tp3] result-> [PASS]
SASL/DIGEST-MD5 authentication started
SASL username: s1test0


checkchangelog: successfully verified /var/lib/dirsrv/slapd-s1/db/changelog
TestCase [tp4] result-> [PASS]
-----------------StopSlapd: Called -----------------
Calling StopSlapd /usr/lib64/dirsrv/slapd-amsharma/../slapd-s2


checkchangelog: successfully verified /var/lib/dirsrv/slapd-s2/db/changelog
TestCase [tp4] result-> [PASS]
checkchangelog: successfully verified /var/lib/dirsrv/slapd-s2/db/changelog
TestCase [tp5] result-> [PASS]
-----------------StopSlapd: Called -----------------
Calling StopSlapd /usr/lib64/dirsrv/slapd-amsharma/../slapd-s1

checkchangelog: successfully verified /var/lib/dirsrv/slapd-s1/db/changelog
TestCase [tp5] result-> [PASS]

checkchangelog: successfully verified /var/lib/dirsrv/slapd-s2/db/changelog
TestCase [tp6] result-> [PASS]


checkchangelog: successfully verified /var/lib/dirsrv/slapd-s1/db/changelog
TestCase [tp6] result-> [PASS]


Hence Marking VERIFIED.
Thanks Noriko.

Note You need to log in before you can comment on or make changes to this bug.