IPA contains a flaw where installations of freeipa/RHEIPA exposed the Master Kerberos Password through anonymous queries. The Master Kerberos Password is used to encrypt keys; however, this flaw does not lead to individual keys being exposed. By itself this flaw has limited scope, but it could be combined with a different flaw which could reveal user credentials.
Simo, Any update on this?
We have almost all pieces ready. Still testing the latest scripts on various configurations.
Created attachment 314591: Make our plugin reload the master key every time. This patch allows a smooth transition, greatly reducing the risk that a password change being performed during the data re-encryption is stored with the wrong key.
Created attachment 314592: Script that allows people to change the master key. This tool is part of the fix for the security issue. It generates a new random master key and re-encrypts all the data in the directory with the new master key.
Created attachment 314593: Fixes install scripts for new installations. This is the code fix for new installations.
Created attachment 314594: Script to help admins handle the security problem. This script is optional but should make the life of admins dealing with the problem much easier. It is a throw-away script targeted at closing this specific vulnerability.
Why is this bug logged against product "Security Response"? Do you mind if I move it to product "Red Hat Enterprise IPA"? Or would you prefer that I create a separate bug?
As long as the bug does not become public and bressers is ok with that I am fine either way, as long as we don't start commenting in 2 separate places.
I will create an IPA bug. The only purpose for that bug should be for checking things into CVS though. All comments and relevant information belong in this bug.
Created attachment 314983: Makes the dirsrv plugin fetch the master key at each password change
Created attachment 314984: The dump utility may set the expiration date to 0 which is a special value to be ignored or the account will stop working
Created attachment 314985: The dump utility may set some flags that produced invalid keys, comment out offending paths
Created attachment 314986: Utility functions needed by the scripts used to close the issue
Created attachment 314987: Utility to change the master key
Created attachment 314988: Source fixes for new installations
Created attachment 314989: Auxiliary utility to help administrators to close the issue
Attached the new patches committed to RHEIPA 1.0 after backporting from the master tree and testing on RHEL5
Lifting embargo
ipa-1.1.0-4.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
ipa-1.1.0-7.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in:
Red Hat Enterprise IPA: http://rhn.redhat.com/errata/RHSA-2008-0860.html
Fedora: https://admin.fedoraproject.org/updates/F8/FEDORA-2008-7987
Fedora: https://admin.fedoraproject.org/updates/F9/FEDORA-2008-8003