Re: [Freeipa-devel] [PATCHES] 149-151 Ask for PKCS#12 password interactively
On 11.7.2013 20:51, Rob Crittenden wrote: Jan Cholasta wrote: Hi, the attached patches fix https://fedorahosted.org/freeipa/ticket/3717. Also added a small patch to fix a formatting issue with installutils.read_password. Honza Functionally ok but I found it very jarring the way the passwords were prompted for. I think they should be moved after the realm question and the text should be more than just the path to the filename. rob Moved the prompt and changed the text to Enter file unlock password. Updated patches attached. Honza -- Jan Cholasta From 992080e556036afe35c39092a5326c3267d8edf1 Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Tue, 9 Jul 2013 10:23:47 + Subject: [PATCH 1/3] Ask for PKCS#12 password interactively in ipa-server-install. https://fedorahosted.org/freeipa/ticket/3717 --- install/tools/ipa-server-install | 73 ++-- 1 file changed, 48 insertions(+), 25 deletions(-) diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index cc88a0b..fed2004 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -276,14 +276,20 @@ def parse_options(): if not options.forwarders and not options.no_forwarders: parser.error(You must specify at least one --forwarder option or --no-forwarders option) -# If any of the PKCS#12 options are selected, all are required. Create a -# list of the options and count it to enforce that all are required without -# having a huge set of it blocks. -pkcs12 = [options.dirsrv_pkcs12, options.http_pkcs12, options.dirsrv_pin, options.http_pin] -cnt = pkcs12.count(None) -if cnt 0 and cnt 4: +# If any of the PKCS#12 options are selected, all are required. +pkcs12_req = (options.dirsrv_pkcs12, options.http_pkcs12) +pkcs12_opt = (options.pkinit_pkcs12,) +if any(pkcs12_req + pkcs12_opt) and not all(pkcs12_req): parser.error(All PKCS#12 options are required if any are used.) +if options.unattended: +if options.dirsrv_pkcs12 and not options.dirsrv_pin: +parser.error(You must specify --dirsrv_pin with --dirsrv_pkcs12) +if options.http_pkcs12 and not options.http_pin: +parser.error(You must specify --http_pin with --http_pkcs12) +if options.pkinit_pkcs12 and not options.pkinit_pin: +parser.error(You must specify --pkinit_pin with --pkinit_pkcs12) + if options.dirsrv_pkcs12 and not options.root_ca_file: parser.error( --root-ca-file must be given with the PKCS#12 options.) @@ -704,18 +710,6 @@ def main(): sys.exit(1) cert = certdict[certissuer] -if options.http_pkcs12: -http_pin_file = ipautil.write_tmp_file(options.http_pin) -http_pkcs12_info = (options.http_pkcs12, http_pin_file.name) - -if options.dirsrv_pkcs12: -dirsrv_pin_file = ipautil.write_tmp_file(options.dirsrv_pin) -dirsrv_pkcs12_info = (options.dirsrv_pkcs12, dirsrv_pin_file.name) - -if options.pkinit_pkcs12: -pkinit_pin_file = ipautil.write_tmp_file(options.pkinit_pin) -pkinit_pkcs12_info = (options.pkinit_pkcs12, pkinit_pin_file.name) - # We only set up the CA if the PKCS#12 options are not given. if options.dirsrv_pkcs12: setup_ca = False @@ -834,13 +828,6 @@ def main(): else: domain_name = options.domain_name -if options.http_pkcs12: -# Check the given PKCS#12 files -ca_file = options.root_ca_file -check_pkcs12 = installutils.check_pkcs12 -http_cert_name = check_pkcs12(http_pkcs12_info, ca_file, host_name) -dirsrv_cert_name = check_pkcs12(dirsrv_pkcs12_info, ca_file, host_name) - domain_name = domain_name.lower() ip = get_server_ip_address(host_name, fstore, options.unattended, options) @@ -858,6 +845,42 @@ def main(): if not options.subject: options.subject = DN(('O', realm_name)) +ca_file = options.root_ca_file + +if options.http_pkcs12: +if not options.http_pin: +options.http_pin = installutils.read_password( +Enter %s unlock % options.http_pkcs12, +confirm=False, validate=False) +if options.http_pin is None: +sys.exit(%s unlock password required % options.http_pkcs12) +http_pin_file = ipautil.write_tmp_file(options.http_pin) +http_pkcs12_info = (options.http_pkcs12, http_pin_file.name) +http_cert_name = installutils.check_pkcs12( +http_pkcs12_info, ca_file, host_name) + +if options.dirsrv_pkcs12: +if not options.dirsrv_pin: +options.dirsrv_pin = installutils.read_password( +Enter %s unlock % options.dirsrv_pkcs12, +confirm=False, validate=False) +if options.dirsrv_pin is None: +sys.exit(%s unlock password
Re: [Freeipa-devel] [PATCH 0173] Improve logging for cases where SOA serial autoincrementation failed
On 07/11/2013 12:24 PM, Petr Spacek wrote: Hello, Improve logging for cases where SOA serial autoincrementation failed. ACK Regards, Tomas Hozza ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 149-151 Ask for PKCS#12 password interactively
Functionally ok but I found it very jarring the way the passwords were prompted for. I think they should be moved after the realm question and the text should be more than just the path to the filename. rob Moved the prompt and changed the text to Enter file unlock password. Updated patches attached. Honza Just a nitpick: +# If any of the PKCS#12 options are selected, all are required. +pkcs12_req = (options.dirsrv_pkcs12, options.http_pkcs12) +pkcs12_opt = (options.pkinit_pkcs12,) +if any(pkcs12_req + pkcs12_opt) and not all(pkcs12_req): parser.error(All PKCS#12 options are required if any are used.) This error message is somewhat misleading, since --pkinit-pkcs12 options is not required. Tomas___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 1103 Add Camellia ciphers
Add the Camellia ciphers to the supported list in the KDC. Also exclude some attributes from being displayed in LDAP updater logs. rob From 713dbff6566947ddec5bd41a04375012accfc8f6 Mon Sep 17 00:00:00 2001 From: Rob Crittenden rcrit...@redhat.com Date: Fri, 12 Jul 2013 10:41:23 -0400 Subject: [PATCH] Add Camellia ciphers to allowed list, don't log some attributes in updater. The LDAP updater prints the initial and final states of an entry, as well as details on the changes made to attributes. This has the potential to expose sensitive values so exclude those from logging. https://fedorahosted.org/freeipa/ticket/3749 --- install/share/kerberos.ldif | 4 +++ install/updates/50-krbenctypes.update | 5 +++ install/updates/Makefile.am | 1 + ipaserver/install/ldapupdate.py | 66 +-- 4 files changed, 57 insertions(+), 19 deletions(-) create mode 100644 install/updates/50-krbenctypes.update diff --git a/install/share/kerberos.ldif b/install/share/kerberos.ldif index 4778a6b4df1eb5c52c4ef73f27b4409bb1c394fd..41e77952adafaf28bfaa96b4c1f1a81ef96348be 100644 --- a/install/share/kerberos.ldif +++ b/install/share/kerberos.ldif @@ -22,6 +22,10 @@ krbSupportedEncSaltTypes: des3-hmac-sha1:normal krbSupportedEncSaltTypes: des3-hmac-sha1:special krbSupportedEncSaltTypes: arcfour-hmac:normal krbSupportedEncSaltTypes: arcfour-hmac:special +krbSupportedEncSaltTypes: camellia128-cts-cmac:normal +krbSupportedEncSaltTypes: camellia128-cts-cmac:special +krbSupportedEncSaltTypes: camellia256-cts-cmac:normal +krbSupportedEncSaltTypes: camellia256-cts-cmac:special krbMaxTicketLife: 86400 krbMaxRenewableAge: 604800 krbDefaultEncSaltTypes: aes256-cts:special diff --git a/install/updates/50-krbenctypes.update b/install/updates/50-krbenctypes.update new file mode 100644 index ..ef419bc44051b289c774bce57db73b6d8c9f641c --- /dev/null +++ b/install/updates/50-krbenctypes.update @@ -0,0 +1,5 @@ +dn: cn=$REALM,cn=kerberos,$SUFFIX +add: krbSupportedEncSaltTypes: camellia128-cts-cmac:normal +add: krbSupportedEncSaltTypes: camellia128-cts-cmac:special +add: krbSupportedEncSaltTypes: camellia256-cts-cmac:normal +add: krbSupportedEncSaltTypes: camellia256-cts-cmac:special diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am index 5336f62ed97aba125ca8f1ae7c3e3505bb7ff3ea..40c3b3c8916faa267254a29d0f458ca53201950c 100644 --- a/install/updates/Makefile.am +++ b/install/updates/Makefile.am @@ -39,6 +39,7 @@ app_DATA =\ 50-lockout-policy.update \ 50-groupuuid.update \ 50-hbacservice.update \ + 50-krbenctypes.update \ 50-nis.update \ 50-ipaconfig.update \ 55-pbacmemberof.update \ diff --git a/ipaserver/install/ldapupdate.py b/ipaserver/install/ldapupdate.py index 8f3e89249084aadfef27f63b65d6e74ffa0fc0ad..35191e7aeebde2c9a4f608a0e7d17f3da31e6cf8 100644 --- a/ipaserver/install/ldapupdate.py +++ b/ipaserver/install/ldapupdate.py @@ -58,6 +58,29 @@ class BadSyntax(installutils.ScriptError): def __str__(self): return repr(self.value) +def safe_output(attr, values): + +Sanitizes values we do not want logged, like passwords. + +This should be called in all debug statements that output values. + +This list does not necessarily need to be exhaustive given the limited +scope of types of values that the updater manages. + +This only supports lists, tuples and strings. If you pass a dict you may +get a string back. + +sensitive_attributes = ['krbmkey', 'userpassword', 'passwordhistory', 'krbprincipalkey', 'sambalmpassword', 'sambantpassword', 'ipanthash'] + +if attr.lower() in sensitive_attributes: +if type(values) in (tuple, list): +# try to still look a little like what is in LDAP +return ['XXX'] * len(values) +else: +return '' +else: +return values + class LDAPUpdate: action_keywords = [default, add, remove, only, onlyifexist, deleteentry, replace, addifnew, addifexist] @@ -572,51 +595,51 @@ class LDAPUpdate: for update_value in update_values: if action == 'remove': -self.debug(remove: '%s' from %s, current value %s, update_value, attr, entry_values) +self.debug(remove: '%s' from %s, current value %s, safe_output(attr, update_value), attr, safe_output(attr,entry_values)) try: entry_values.remove(update_value) except ValueError: self.warning(remove: '%s' not in %s, update_value, attr) pass entry[attr] = entry_values -self.debug('remove: updated value %s', entry_values) +self.debug('remove: updated value %s', safe_output(attr, entry_values)) elif action == 'add': -self.debug(add: '%s' to %s,
[Freeipa-devel] [PATCH] 0043 Fix internal error in idrange-add
Hello, This patch fixes https://fedorahosted.org/freeipa/ticket/3781 -- Regards, Ana Krivokapic Associate Software Engineer FreeIPA team Red Hat Inc. From 9c4d1df6592deb4c8b57907213486bee54c1ae1c Mon Sep 17 00:00:00 2001 From: Ana Krivokapic akriv...@redhat.com Date: Fri, 12 Jul 2013 17:12:07 +0200 Subject: [PATCH] Fix internal error in idrange-add Fix internal error in idrange-add, caused by a missing 'name' argument of ValidationError. https://fedorahosted.org/freeipa/ticket/3781 --- ipalib/plugins/idrange.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py index 7f8c1ab7b265230c3dd5b0263f763ddf398c..06fcc4fc7232ea7080edb358c65948bfdd47289b 100644 --- a/ipalib/plugins/idrange.py +++ b/ipalib/plugins/idrange.py @@ -493,7 +493,7 @@ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): # TODO: can also be ipa-ad-winsync here? if entry_attrs['iparangetype'] in (u'ipa-ad-trust', u'ipa-ad-trust-posix'): -raise errors.ValidationError('ID Range setup', +raise errors.ValidationError(name='ID Range setup', error=_('IPA Range type must not be one of ipa-ad-trust ' 'or ipa-ad-trust-posix when SID of the trusted ' 'domain is not specified.')) -- 1.8.1.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 1103 Add Camellia ciphers
On Fri, 12 Jul 2013, Rob Crittenden wrote: Add the Camellia ciphers to the supported list in the KDC. Also exclude some attributes from being displayed in LDAP updater logs. ACK if you split the patches into separate for logging and adding Camelia cyphers, for maintenance purposes (easier to cherry-pick). Thanks! -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0043 Fix internal error in idrange-add
On Fri, 12 Jul 2013, Ana Krivokapic wrote: Hello, This patch fixes https://fedorahosted.org/freeipa/ticket/3781 ACK. -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 1103 Add Camellia ciphers
Rob Crittenden wrote: Add the Camellia ciphers to the supported list in the KDC. Also exclude some attributes from being displayed in LDAP updater logs. rob I've split the Camellia patch out from the updater patch to clarify things. rob From 5a26ad3f0e76f507b6d31bca99efba85b356064e Mon Sep 17 00:00:00 2001 From: Rob Crittenden rcrit...@redhat.com Date: Fri, 12 Jul 2013 11:28:20 -0400 Subject: [PATCH] Add Camellia ciphers to allowed list. https://fedorahosted.org/freeipa/ticket/3749 --- install/share/kerberos.ldif | 4 install/updates/50-krbenctypes.update | 5 + install/updates/Makefile.am | 1 + 3 files changed, 10 insertions(+) create mode 100644 install/updates/50-krbenctypes.update diff --git a/install/share/kerberos.ldif b/install/share/kerberos.ldif index 4778a6b4df1eb5c52c4ef73f27b4409bb1c394fd..41e77952adafaf28bfaa96b4c1f1a81ef96348be 100644 --- a/install/share/kerberos.ldif +++ b/install/share/kerberos.ldif @@ -22,6 +22,10 @@ krbSupportedEncSaltTypes: des3-hmac-sha1:normal krbSupportedEncSaltTypes: des3-hmac-sha1:special krbSupportedEncSaltTypes: arcfour-hmac:normal krbSupportedEncSaltTypes: arcfour-hmac:special +krbSupportedEncSaltTypes: camellia128-cts-cmac:normal +krbSupportedEncSaltTypes: camellia128-cts-cmac:special +krbSupportedEncSaltTypes: camellia256-cts-cmac:normal +krbSupportedEncSaltTypes: camellia256-cts-cmac:special krbMaxTicketLife: 86400 krbMaxRenewableAge: 604800 krbDefaultEncSaltTypes: aes256-cts:special diff --git a/install/updates/50-krbenctypes.update b/install/updates/50-krbenctypes.update new file mode 100644 index ..ef419bc44051b289c774bce57db73b6d8c9f641c --- /dev/null +++ b/install/updates/50-krbenctypes.update @@ -0,0 +1,5 @@ +dn: cn=$REALM,cn=kerberos,$SUFFIX +add: krbSupportedEncSaltTypes: camellia128-cts-cmac:normal +add: krbSupportedEncSaltTypes: camellia128-cts-cmac:special +add: krbSupportedEncSaltTypes: camellia256-cts-cmac:normal +add: krbSupportedEncSaltTypes: camellia256-cts-cmac:special diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am index 5336f62ed97aba125ca8f1ae7c3e3505bb7ff3ea..40c3b3c8916faa267254a29d0f458ca53201950c 100644 --- a/install/updates/Makefile.am +++ b/install/updates/Makefile.am @@ -39,6 +39,7 @@ app_DATA =\ 50-lockout-policy.update \ 50-groupuuid.update \ 50-hbacservice.update \ + 50-krbenctypes.update \ 50-nis.update \ 50-ipaconfig.update \ 55-pbacmemberof.update \ -- 1.8.3.1 From ba73e80e67984a4c8e5456a80cd085308043511d Mon Sep 17 00:00:00 2001 From: Rob Crittenden rcrit...@redhat.com Date: Fri, 12 Jul 2013 11:28:43 -0400 Subject: [PATCH] Hide sensitive attributes in LDAP updater logging and output The LDAP updater prints the initial and final states of an entry, as well as details on the changes made to attributes. This has the potential to expose sensitive values so exclude those from logging. https://fedorahosted.org/freeipa/ticket/3782 --- ipaserver/install/ldapupdate.py | 66 + 1 file changed, 47 insertions(+), 19 deletions(-) diff --git a/ipaserver/install/ldapupdate.py b/ipaserver/install/ldapupdate.py index 8f3e89249084aadfef27f63b65d6e74ffa0fc0ad..35191e7aeebde2c9a4f608a0e7d17f3da31e6cf8 100644 --- a/ipaserver/install/ldapupdate.py +++ b/ipaserver/install/ldapupdate.py @@ -58,6 +58,29 @@ class BadSyntax(installutils.ScriptError): def __str__(self): return repr(self.value) +def safe_output(attr, values): + +Sanitizes values we do not want logged, like passwords. + +This should be called in all debug statements that output values. + +This list does not necessarily need to be exhaustive given the limited +scope of types of values that the updater manages. + +This only supports lists, tuples and strings. If you pass a dict you may +get a string back. + +sensitive_attributes = ['krbmkey', 'userpassword', 'passwordhistory', 'krbprincipalkey', 'sambalmpassword', 'sambantpassword', 'ipanthash'] + +if attr.lower() in sensitive_attributes: +if type(values) in (tuple, list): +# try to still look a little like what is in LDAP +return ['XXX'] * len(values) +else: +return '' +else: +return values + class LDAPUpdate: action_keywords = [default, add, remove, only, onlyifexist, deleteentry, replace, addifnew, addifexist] @@ -572,51 +595,51 @@ class LDAPUpdate: for update_value in update_values: if action == 'remove': -self.debug(remove: '%s' from %s, current value %s, update_value, attr, entry_values) +self.debug(remove: '%s' from %s, current value %s, safe_output(attr, update_value), attr, safe_output(attr,entry_values)) try: entry_values.remove(update_value) except ValueError: