Red Hat Bugzilla – Bug 674515
-p option always uses empty string to obfuscate password.
Last modified: 2015-01-04 18:46:09 EST
Created attachment 476536 [details]
sssd_default.log

Description of problem:
-p option when used to obfuscate a password uses an empty string as obfuscated password and causes bind to fail.

Version-Release number of selected component (if applicable):
sssd-1.5.1-3.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Configure sssd for native ldap domain. (see additional info for relevant config)
2. sss_obfuscate --password=Secret123
3. CTRL-D to exit
4. restart sssd after clearing cache.

Actual results:
User enumeration fails.

(Wed Feb 2 15:02:03 2011) [sssd[be[default]]] [simple_bind_send] (4): Executing simple bind as: uid=puser1,ou=People,dc=example,dc=com
(Wed Feb 2 15:02:03 2011) [sssd[be[default]]] [simple_bind_send] (8): ldap simple bind sent, msgid = 2
(Wed Feb 2 15:02:03 2011) [sssd[be[default]]] [sdap_process_result] (8): Trace: sh[0x85fe20], connected[1], ops[0x931f80], ldap[0x868890]
(Wed Feb 2 15:02:03 2011) [sssd[be[default]]] [sdap_process_result] (8): Trace: ldap_result found nothing!
(Wed Feb 2 15:02:03 2011) [sssd[be[default]]] [sdap_process_result] (8): Trace: sh[0x85fe20], connected[1], ops[0x931f80], ldap[0x868890]
(Wed Feb 2 15:02:03 2011) [sssd[be[default]]] [simple_bind_done] (5): Server returned no controls.
(Wed Feb 2 15:02:03 2011) [sssd[be[default]]] [simple_bind_done] (3): Bind result: Server is unwilling to perform(53), Unauthenticated binds are not allowed
(Wed Feb 2 15:02:03 2011) [sssd[be[default]]] [fo_set_port_status] (4): Marking port 636 of server 'sssdldap.idm.lab.bos.redhat.com' as 'not working'
(Wed Feb 2 15:02:03 2011) [sssd[be[default]]] [sdap_handle_release] (8): Trace: sh[0x85fe20], connected[1], ops[(nil)], ldap[0x868890], destructor_lock[0], release_memory[0]
(Wed Feb 2 15:02:03 2011) [sssd[be[default]]] [remove_connection_callback] (9): Successfully removed connection callback.
(Wed Feb 2 15:02:03 2011) [sssd[be[default]]] [sdap_id_op_connect_done] (9): attempting failover retry on op #1
(Wed Feb 2 15:02:03 2011) [sssd[be[default]]] [sdap_id_op_connect_step] (9): beginning to connect
(Wed Feb 2 15:02:03 2011) [sssd[be[default]]] [fo_resolve_service_send] (4): Trying to resolve service 'LDAP'
(Wed Feb 2 15:02:03 2011) [sssd[be[default]]] [get_server_status] (7): Status of server 'sssdldap.idm.lab.bos.redhat.com' is 'name resolved'
(Wed Feb 2 15:02:03 2011) [sssd[be[default]]] [get_port_status] (7): Port status of port 636 for server 'sssdldap.idm.lab.bos.redhat.com' is 'not working'
(Wed Feb 2 15:02:03 2011) [sssd[be[default]]] [fo_resolve_service_send] (1): No available servers for service 'LDAP'
(Wed Feb 2 15:02:03 2011) [sssd[be[default]]] [sdap_id_release_conn_data] (9): releasing unused connection
(Wed Feb 2 15:02:03 2011) [sssd[be[default]]] [sdap_id_op_connect_done] (1): Failed to connect, going offline (5 [Input/output error])
(Wed Feb 2 15:02:03 2011) [sssd[be[default]]] [be_mark_offline] (8): Going offline!

Expected results:
User enumerated successfully.

Additional info:
Relevant section of sssd.conf

[domain/default]
ldap_tls_reqcert = demand
auth_provider = ldap
ldap_schema = rfc2307
ldap_default_authtok_type = obfuscated_password
ldap_search_base = dc=example,dc=com
id_provider = ldap
ldap_id_use_start_tls = False
ldap_default_bind_dn = uid=puser1,ou=People,dc=example,dc=com
ldap_tls_cacert = /etc/openldap/cacerts/cacert.asc
debug_level = 9
ldap_uri = ldaps://sssdldap.idm.lab.bos.redhat.com:636
enumerate = True
cache_credentials = True
ldap_default_authtok = AAAQAL28uMMnSp3jTD1Tj4l0c9KFJ+cx/eSCfDXc+2OR+sZOrzMeapsM10Axz45PCQH6x5zzYdct+khRDQGO39adCRwAAQIDAAA=
ldap_tls_cacertdir = /etc/openldap/cacerts
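Added example, not part of the bug report or of SSSD: a small triage script that pairs each "Executing simple bind as" line in an sssd domain debug log with the "Bind result" line that follows it and names the likely cause. The point it makes is the one the log above shows: an LDAP "unauthenticated bind" is a Bind request carrying a name but an empty password, so a server answering result 53 "Unauthenticated binds are not allowed" when SSSD logged a bind DN means the password SSSD sent was empty, which is what an authtok obfuscated from an empty string yields, not what a wrong password yields (that gives result 49). The sample log embeds the bind lines quoted in the report plus two constructed lines showing the result-49 case for contrast; the function and verdict names are this example's own.

```python
"""Triage SSSD simple-bind failures from a domain debug log (added example, not SSSD code)."""
import re
from typing import Dict, List, Optional

# LDAP result codes (RFC 4511).
LDAP_INVALID_CREDENTIALS = 49
LDAP_UNWILLING_TO_PERFORM = 53

# First five lines: the bind exchange quoted in the report above.
# Last two lines: constructed for contrast, the same DN rejected with result 49,
# which is what a non-empty but wrong password produces.
SAMPLE_LOG = """\
(Wed Feb 2 15:02:03 2011) [sssd[be[default]]] [simple_bind_send] (4): Executing simple bind as: uid=puser1,ou=People,dc=example,dc=com
(Wed Feb 2 15:02:03 2011) [sssd[be[default]]] [simple_bind_send] (8): ldap simple bind sent, msgid = 2
(Wed Feb 2 15:02:03 2011) [sssd[be[default]]] [simple_bind_done] (5): Server returned no controls.
(Wed Feb 2 15:02:03 2011) [sssd[be[default]]] [simple_bind_done] (3): Bind result: Server is unwilling to perform(53), Unauthenticated binds are not allowed
(Wed Feb 2 15:02:03 2011) [sssd[be[default]]] [fo_set_port_status] (4): Marking port 636 of server 'sssdldap.idm.lab.bos.redhat.com' as 'not working'
(Wed Feb 2 15:05:10 2011) [sssd[be[default]]] [simple_bind_send] (4): Executing simple bind as: uid=puser1,ou=People,dc=example,dc=com
(Wed Feb 2 15:05:10 2011) [sssd[be[default]]] [simple_bind_done] (3): Bind result: Invalid credentials(49), no errmsg set
"""

# "Executing simple bind as: <dn>" (an empty <dn> would be an anonymous bind).
BIND_SEND = re.compile(r"\[simple_bind_send\] \(\d+\): Executing simple bind as: (?P<dn>.*)$")
# "Bind result: <text>(<code>), <server message>"
BIND_DONE = re.compile(
    r"\[simple_bind_done\] \(\d+\): Bind result: (?P<text>[^(]+)\((?P<code>\d+)\), (?P<msg>.*)$"
)


def classify(dn: Optional[str], code: int, msg: str) -> str:
    """Name the likely cause of a failed simple bind (verdict strings are this example's own)."""
    if code == LDAP_UNWILLING_TO_PERFORM and "unauthenticated" in msg.lower() and dn:
        # The server saw a name with an empty password (RFC 4513 section 5.1.2).
        # SSSD logged a bind DN, so the password it sent was empty: with
        # ldap_default_authtok_type = obfuscated_password that means the stored
        # token decrypts to "", the failure mode in this bug.
        return "empty-authtok"
    if code == LDAP_INVALID_CREDENTIALS:
        return "wrong-password"
    return "other"


def diagnose_binds(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per failed bind: the DN attempted, result code, message, verdict."""
    findings: List[Dict[str, object]] = []
    pending_dn: Optional[str] = None
    for line in log_text.splitlines():
        m = BIND_SEND.search(line)
        if m:
            pending_dn = m.group("dn").strip()
            continue
        m = BIND_DONE.search(line)
        if not m:
            continue
        code = int(m.group("code"))
        msg = m.group("msg").strip()
        dn, pending_dn = pending_dn, None  # consume the DN of the bind this result answers
        if code == 0:
            continue  # successful bind, nothing to report
        findings.append({"dn": dn, "code": code, "message": msg,
                         "verdict": classify(dn, code, msg)})
    return findings


if __name__ == "__main__":
    for f in diagnose_binds(SAMPLE_LOG):
        print(f"{f['verdict']:<15} code={f['code']} dn={f['dn']!r}: {f['message']}")
```

Run it over /var/log/sssd/sssd_<domain>.log (debug_level = 9, as in the reporter's config) after the restart in step 4. An empty-authtok verdict means the token in ldap_default_authtok must be regenerated; with the -p option gone, feed the password to sss_obfuscate on stdin (-s/--stdin) or interactively rather than on the command line, where it would be visible in process listings and shell history.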
We are going to drop the -p option as it's not advisable to pass the password on the command-line anyway.
Verified that "-p" option has been dropped.

[root@pogolinux-2 ~]# sss_obfuscate -d LDAP -p
Usage: sss_obfuscate [options]

sss_obfuscate: error: no such option: -p

[root@pogolinux-2 ~]# sss_obfuscate -h
Usage: sss_obfuscate [options]

sss_obfuscate converts a given password into human-unreadable format and places it into appropriate domain section of the SSSD config file. The password can be passed in by stdin, specified on the command-line or entered interactively

Options:
  -h, --help            show this help message and exit
  -s, --stdin           Read the password from stdin.
  -d DOMNAME, --domain=DOMNAME
                        The domain to use the password in (mandatory)
  -f FILE, --file=FILE  Set input file to FILE (default: Use system default, usually /etc/sssd/sssd.conf)

# rpm -qi sssd | head
Name        : sssd                         Relocations: (not relocatable)
Version     : 1.5.1                             Vendor: Red Hat, Inc.
Release     : 14.el6                        Build Date: Wed 09 Mar 2011 02:30:12 PM EST
Install Date: Mon 21 Mar 2011 01:14:19 AM EDT      Build Host: x86-009.build.bos.redhat.com
Group       : Applications/System           Source RPM: sssd-1.5.1-14.el6.src.rpm
Size        : 3418526                          License: GPLv3+
Signature   : RSA/8, Thu 10 Mar 2011 11:27:42 AM EST, Key ID 938a80caf21541eb
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0560.html