On 03.08.2016 19:18, Martin Basti wrote:
On 02.08.2016 20:02, Christian Heimes wrote:
On 2016-07-19 17:03, Martin Basti wrote:
On 12.07.2016 16:45, Christian Heimes wrote:
Custodia's server.keys file contains the private RSA keys for encrypting
and signing Custodia messages. The file was created with permission 644
and is only secured by permission 700 of the directory
/etc/ipa/custodia. The installer and upgrader ensure that the file
has 600.

The server.keys file and all keys are now also removed during
uninstallation of a server.

https://bugzilla.redhat.com/show_bug.cgi?id=1353936
https://fedorahosted.org/freeipa/ticket/6015
https://fedorahosted.org/freeipa/ticket/6056


NACK

ipa-server-install --uninstall doesn't work
I fixed it by splitting up uninstallation into two parts:

1) the server_del plugin takes care of the LDAP entries
2) CustodiaInstance.uninstall() removes the local key file


Hello,

1)
Is it expected that after removing the replica with ipa server-del vm-012.abc.idm.lab.eng.brq.redhat.com, I have these entries in LDAP on the master (vm-058-107)?

# sig/vm-012.abc.idm.lab.eng.brq.redhat.com, custodia, ipa, etc, abc.idm.lab.en
 g.brq.redhat.com
dn: cn=sig/vm-012.abc.idm.lab.eng.brq.redhat.com,cn=custodia,cn=ipa,cn=etc,dc=
 abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
objectClass: nsContainer
objectClass: ipaKeyPolicy
objectClass: ipaPublicKeyObject
objectClass: groupOfPrincipals
objectClass: top
cn: sig/vm-012.abc.idm.lab.eng.brq.redhat.com
ipaKeyUsage: digitalSignature
memberPrincipal: host/vm-012.abc.idm.lab.eng.brq.redhat....@abc.idm.lab.eng.br
 Q.REDHAT.COM
ipaPublicKey:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqV4NGWu8224ar3IdwlD
 cOpNBjcQKY0gznMuAjlikHKxnpfzmGCf/GYxfealet64ek3RE3oLmYhITqX3NkLKw51KhuwGcEw31
 hBa6YB/6uzx3tr/ruO++vk+U7Myz4eFzp7+Zryjk7ohVb3w/XhBcVbC+d9qyKGzM0OUaQgGOjy7eq
 3tiI+VugfyawvAvItCwyo56R8fO1jS1uKA+NDz5ltIymE9sySpVWfTMhCDUEjy9iEMiPixtiyVbHd
 g8A80H7W4fe7mTcqkKPD6sfYr2QwKh4pF7wU+RHfXsoXIu5gYNPgxdsHd/1p914EQ9U6RYTFsSEzk
 DR8V2H1rJ0AiVPQIDAQAB

# enc/vm-012.abc.idm.lab.eng.brq.redhat.com, custodia, ipa, etc, abc.idm.lab.en
 g.brq.redhat.com
dn: cn=enc/vm-012.abc.idm.lab.eng.brq.redhat.com,cn=custodia,cn=ipa,cn=etc,dc=
 abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
objectClass: nsContainer
objectClass: ipaKeyPolicy
objectClass: ipaPublicKeyObject
objectClass: groupOfPrincipals
objectClass: top
cn: enc/vm-012.abc.idm.lab.eng.brq.redhat.com
ipaKeyUsage: dataEncipherment
memberPrincipal: host/vm-012.abc.idm.lab.eng.brq.redhat....@abc.idm.lab.eng.br
 Q.REDHAT.COM
ipaPublicKey:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5vdu9LLl7Pa+cN+ivNO
 eOon1BOI3bbBzYAu8+l1ch8iepKJrom4O5yYT7qhz5aYgq4Pd2kuxuvcuf3OlGTizuKlqRELbVnG0
 ogWN/YAqPExS6L2hEHcyIZTiOQk19jT/ynEqayjH/OM499aE1H3vc7FD30Cy9wBQNUzYuY8pWpaWd
 Jj8nbvEKLX7JYPSx5/3Bqx+tqK5ApAGutJ6lF3+9acuG6ADVwUY3hAqXcqu4Oy463LKIhdatqMv2r
 j0FEFHJYPG2GTOIhFF8jee2Q7iidgPNdfbvKCYbnAkXtT73hxJWTckoupGHpUo+5b/wl8pI1Lxhyz
 TIp7oPmFWMG/q1QIDAQAB

I also see them on the replica (which was removed from the topology).
I did not find any errors in the http log.

2)
I tried hard, but I cannot see the relation between https://fedorahosted.org/freeipa/ticket/6015 and https://fedorahosted.org/freeipa/ticket/6056. IMO it should be separated into two patches, to make backports and patching easier and to make life easier in the future with git blame.

There should not be a BZ in the commit, only upstream tickets.

3)
IMO it should be 'Removing', not 'Remove'. I'm not a native speaker, but it looks more consistent with the rest of the log entries:

INFO Remove Custodia keys

4)
The same for
root_logger.info("Secure server.keys mode"); IMHO it should be 'Securing'.

5)
What is the purpose of remove_server_keys() in KEM.py? I see usage only in manual testing. Can it be reused in server.py? It looks like duplicated code to me, but correct me if I'm wrong.

Martin^2
I received this when I tried to uninstall an already uninstalled replica (calling ipa-replica-install -U --uninstall twice):

2016-08-03T17:45:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2016-08-03T17:45:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2016-08-03T17:45:13Z INFO Remove Custodia keys
2016-08-03T17:45:13Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 91, in _handle_exception
    super(Continuous, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 446, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 71, in _uninstall
    for nothing in self._uninstaller(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 1375, in main
    uninstall(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 266, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 1076, in uninstall
    custodiainstance.CustodiaInstance().uninstall()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 88, in uninstall
    self.__remove_keys()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 72, in __remove_keys
    keystore = IPAKEMKeys({'server_keys': self.server_keys})
  File "/usr/lib/python2.7/site-packages/ipapython/secrets/kem.py", line 193, in __init__
    self.host = conf.get('global', 'host')
  File "/usr/lib64/python2.7/ConfigParser.py", line 607, in get
    raise NoSectionError(section)
NoSectionError: No section: 'global'
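The two problems discussed in this thread, a private key file that was created world-readable and later tightened to 0600, and an uninstall step that crashes with NoSectionError when run a second time because the Custodia config (and its [global] section) is already gone, can both be shown in one small Python script. The code below is an added illustration written for this page and is not FreeIPA's or Custodia's own code: the function names, the temporary paths, the constructed custodia.conf contents and the placeholder key data are all assumptions. It creates the key file with 0600 from the start, repairs a file found with 0644, and makes the key-removal step idempotent by checking for the section before reading it and treating an absent key file as already removed.

```python
import configparser
import os
import stat
import tempfile

# Constructed example; paths, names and file contents are hypothetical
# stand-ins for Custodia's server.keys handling, not FreeIPA's real API.


def secure_key_file(path):
    """Make the key file owner-read/write only (0600) and return its mode.

    A private key file must not rely on the parent directory being 0700:
    a later chmod, copy or backup of the directory exposes a 0644 file.
    """
    current = stat.S_IMODE(os.stat(path).st_mode)
    if current != 0o600:
        os.chmod(path, 0o600)
    return stat.S_IMODE(os.stat(path).st_mode)


def create_key_file(path, data):
    """Create the key file with 0600 at creation time instead of fixing it later.

    os.open with an explicit mode applies the permissions when the inode is
    created, so there is no window in which the file is world-readable.
    The mode is still subject to umask, so secure_key_file() normalises it.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return secure_key_file(path)


def remove_server_keys(conf_path, keys_path):
    """Idempotent uninstall step; returns (status, host).

    The traceback in the thread comes from conf.get('global', 'host') on a
    config that no longer exists. ConfigParser.read() silently yields an
    empty config for a missing file, so check for the section first, and
    treat an already-deleted key file as success rather than an error.
    """
    conf = configparser.ConfigParser()
    conf.read(conf_path)
    host = conf.get("global", "host") if conf.has_section("global") else None
    if os.path.exists(keys_path):
        os.remove(keys_path)
        return ("removed", host)
    return ("already removed", host)


def demo():
    """Walk through create, repair, uninstall and a repeated uninstall.

    Returns (mode at creation, mode after repair, first removal result,
    second removal result) so the outcome can be checked programmatically.
    """
    with tempfile.TemporaryDirectory() as d:
        conf_path = os.path.join(d, "custodia.conf")   # hypothetical path
        keys_path = os.path.join(d, "server.keys")     # hypothetical path
        with open(conf_path, "w") as f:
            f.write("[global]\nhost = replica.example.test\n")  # constructed
        created_mode = create_key_file(keys_path, b'{"keys": []}')  # placeholder
        os.chmod(keys_path, 0o644)              # reproduce the 644 bug
        fixed_mode = secure_key_file(keys_path)
        first = remove_server_keys(conf_path, keys_path)
        os.remove(conf_path)                    # config gone after uninstall
        second = remove_server_keys(conf_path, keys_path)
    return created_mode, fixed_mode, first, second


if __name__ == "__main__":
    print(demo())
```

Running the script prints (384, 384, ('removed', 'replica.example.test'), ('already removed', None)), where 384 is 0o600; the second call succeeds instead of raising NoSectionError.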

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code