On 12.07.2016 16:45, Christian Heimes wrote:
Custodia's server.keys file contains the private RSA keys for encrypting
and signing Custodia messages. The file was created with permission 644
and is only secured by permission 700 of the directory
/etc/ipa/custodia. The installer and upgrader ensure that the file
has 600.

The server.keys file and all keys are now removed during
uninstallation of a server, too.

https://bugzilla.redhat.com/show_bug.cgi?id=1353936
https://fedorahosted.org/freeipa/ticket/6015
https://fedorahosted.org/freeipa/ticket/6056


NACK

ipa-server-install --uninstall doesn't work

2016-07-19T15:00:34Z INFO Remove Custodia keys
2016-07-19T15:00:34Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 91, in _handle_exception
    super(Continuous, self)._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 446, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
    step()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
    step = lambda: next(self.__gen)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 71, in _uninstall
    for nothing in self._uninstaller(self.parent):
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 1367, in main
    uninstall(self)
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 265, in decorated
    func(installer)
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 1075, in uninstall
    custodiainstance.CustodiaInstance().uninstall()
File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 88, in uninstall
    self.__remove_keys()
File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 74, in __remove_keys
    keystore.remove_server_keys()
File "/usr/lib/python2.7/site-packages/ipapython/secrets/kem.py", line 224, in remove_server_keys
    self.remove_keys('host')
File "/usr/lib/python2.7/site-packages/ipapython/secrets/kem.py", line 231, in remove_keys
    ldapconn.remove_key(KEY_USAGE_SIG, principal)
File "/usr/lib/python2.7/site-packages/ipapython/secrets/kem.py", line 145, in remove_key
    conn = self.connect()
File "/usr/lib/python2.7/site-packages/ipapython/secrets/common.py", line 38, in connect
    conn.sasl_interactive_bind_s('', auth_tokens)
File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 244, in sasl_interactive_bind_s
    return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)
File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
SERVER_DOWN: {'desc': "Can't contact LDAP server"}

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
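
The permission problem described in the patch summary (a key file created 644 and tightened to 600 only afterwards), as an added example that is not FreeIPA or Custodia code. The function names `write_private` and `ensure_private` are hypothetical, and the demo uses a constructed stand-in file in a temporary directory rather than /etc/ipa/custodia.

```python
import os
import stat
import tempfile

def write_private(path, data, mode=0o600):
    """Create the file with restrictive bits from the first syscall, so it
    is never readable by others, then atomically move it into place."""
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    try:
        with os.fdopen(fd, "wb") as f:
            os.fchmod(f.fileno(), mode)   # exact bits, independent of umask
            f.write(data)
            f.flush()
            os.fsync(f.fileno())
    except BaseException:
        os.unlink(tmp)
        raise
    os.replace(tmp, path)                 # atomic on POSIX

def ensure_private(path, mode=0o600):
    """Upgrade-style repair: tighten an existing file. Returns True if the
    mode was changed, False if it was already correct or the file is absent."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False
    if not stat.S_ISREG(st.st_mode):      # refuse symlinks and directories
        raise ValueError("%s is not a regular file" % path)
    if stat.S_IMODE(st.st_mode) == mode:
        return False
    os.chmod(path, mode)
    return True

def demo():
    d = tempfile.mkdtemp()
    keys = os.path.join(d, "server.keys")  # constructed stand-in path
    with open(keys, "wb") as f:            # legacy behaviour: loose creation
        f.write(b"constructed placeholder, not a real key\n")
    os.chmod(keys, 0o644)
    before = stat.S_IMODE(os.stat(keys).st_mode)
    changed = ensure_private(keys)         # what an upgrader would do
    after = stat.S_IMODE(os.stat(keys).st_mode)
    write_private(keys, b"constructed placeholder, rewritten\n")
    fresh = stat.S_IMODE(os.stat(keys).st_mode)
    return before, changed, after, fresh

if __name__ == "__main__":
    print(demo())
```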
