RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 744422 - Leaks KDC password and master password via command line arguments
Summary: Leaks KDC password and master password via command line arguments
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.1
Hardware: All
OS: Unspecified
unspecified
medium
Target Milestone: rc
: ---
Assignee: Rob Crittenden
QA Contact: IDM QE LIST
URL:
Whiteboard:
: 745580 (view as bug list)
Depends On: 744373 745580
Blocks: 748554
TreeView+ depends on / blocked
 
Reported: 2011-10-08 15:23 UTC by Dmitri Pal
Modified: 2011-12-06 18:42 UTC (History)
3 users (show)

Fixed In Version: ipa-2.1.3-1.el6
Doc Type: Bug Fix
Doc Text:
Cause: When the IPA server is being installed ipa-server-install call kdb5_ldap_util to populate the directory with realm info. It passes a Kerberos master database password and Kerberos directory password as its parameters. Consequence: Any user listing all running processes during IPA server installation may be able to catch these passwords Fix: kdb5_ldap_util interactive mode is used to pass the passwords rather that CLI parameters Result: Passwords are not visible in process listing during IPA server installation so that no user can catch them
Clone Of: 744373
Environment:
Last Closed: 2011-12-06 18:42:38 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:1533 0 normal SHIPPED_LIVE Moderate: ipa security and bug fix update 2011-12-06 01:23:31 UTC

Description Dmitri Pal 2011-10-08 15:23:12 UTC 
+++ This bug was initially created as a clone of Bug #744373 +++

ipa-server leaks KDC password and master password via command line arguments, 
in krbinstance.py --> (in both IPAv1 and IPAv2) 
the following code can be found 

class KrbInstance(service.Service):
...
..

    def __create_instance(self, replica=False):
        self.__template_file("/var/kerberos/krb5kdc/kdc.conf")
        self.__template_file("/etc/krb5.conf")
        self.__template_file("/usr/share/ipa/html/krb5.ini")
        self.__template_file("/usr/share/ipa/html/krb.con")
        self.__template_file("/usr/share/ipa/html/krbrealm.con")

        if not replica:
            #populate the directory with the realm structure
            args = ["kdb5_ldap_util", "-D", "uid=kdc,cn=sysaccounts,cn=etc,"+self.suffix, "-w", self.kdc_password, "create", "-s", "-P", self.master_password, "-r", self.realm, "-subtrees", self.suffix, "-sscope", "sub"]
            try:
                ipautil.run(args, nolog=(self.kdc_password, self.master_password))
            except ipautil.CalledProcessError, e:
                print "Failed to populate the realm structure in kerberos", e


so if the code under 
        if not replica:
gets executed the kdc_password and master_password will be leaked on the system (one should be able to use ps -ef to view the leaked  password information).

kdb5_ldap_util recommends against the use of -P and -w.
I haven't verified this bug as I do not have a working copy of Fedora or RHEL to test on.

--- Additional comment from dpal on 2011-10-08 11:22:20 EDT ---

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/1948
Comment 1 Martin Kosek 2011-10-13 08:20:29 UTC 
*** Bug 745580 has been marked as a duplicate of this bug. ***
Comment 2 Martin Kosek 2011-10-13 08:21:43 UTC 
Fixed upstream:

master: 0d823ddc4e5fa7f8bdecb590b4ebd129106b063f
ipa-2-1: 7a5d906d03af6ee551036a841f71082fc66fa41b
Comment 3 Jenny Severance 2011-10-13 16:51:38 UTC 
Needs steps to reproduce/verify this bug.
Comment 4 Rob Crittenden 2011-10-13 17:21:41 UTC 
Can by partly verified by code inspection: are we using the -P and -w options any more?

Installing the server successfully confirms that the patch does not cause a regression. If Kerberos works at all with the resulting server then the patch is ok.
Comment 6 Jenny Severance 2011-10-26 16:48:46 UTC 
verified:

<snip>
  def __create_instance(self, replica=False):
        self.__template_file("/var/kerberos/krb5kdc/kdc.conf", chmod=None)
        self.__template_file("/etc/krb5.conf")
        self.__template_file("/usr/share/ipa/html/krb5.ini")
        self.__template_file("/usr/share/ipa/html/krb.con")
        self.__template_file("/usr/share/ipa/html/krbrealm.con")

        if not replica:
            #populate the directory with the realm structure
            args = ["kdb5_ldap_util", "-D", "uid=kdc,cn=sysaccounts,cn=etc,"+self.suffix, "create", "-s", "-r", self.realm, "-subtrees", self.suffix, "-sscope", "sub"]
            dialogue = (
                # Password for "uid=kdc,cn=sysaccounts,cn=etc,...":
                self.kdc_password + '\n',
                # Enter KDC database master key:
                self.master_password + '\n',
                # Re-enter KDC database master key to verify:
                self.master_password + '\n',
            )
            try:
                ipautil.run(args, nolog=(self.kdc_password, self.master_password), stdin=''.join(dialogue))
            except ipautil.CalledProcessError, e:
                print "Failed to populate the realm structure in kerberos", e

</snip>

version:
ipa-server-2.1.3-3.el6.x86_64
Comment 7 Martin Kosek 2011-10-31 19:33:42 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: When the IPA server is being installed ipa-server-install call kdb5_ldap_util to populate the directory with realm info. It passes a Kerberos master database password and Kerberos directory password as its parameters. 
Consequence: Any user listing all running processes during IPA server installation may be able to catch these passwords
Fix: kdb5_ldap_util interactive mode is used to pass the passwords rather that CLI parameters
Result: Passwords are not visible in process listing during IPA server installation so that no user can catch them
Comment 8 errata-xmlrpc 2011-12-06 18:42:38 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html
Note You need to log in before you can comment on or make changes to this bug.