[Freeipa-devel] [freeipa PR#387][opened] Update warning message for ipa server uninstall
URL: https://github.com/freeipa/freeipa/pull/387 Author: Akasurde Title: #387: Update warning message for ipa server uninstall Action: opened PR body: """ Fix adds an additional recommendation message for taking backup of existing data and configuration before proceeding to ipa server uninstallation procedures. Fixes https://fedorahosted.org/freeipa/ticket/6548 Signed-off-by: Abhijeet Kasurde""" To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/387/head:pr387 git checkout pr387 From e8b41123eeece180b9a072736e33694e74c46394 Mon Sep 17 00:00:00 2001 From: Abhijeet Kasurde Date: Wed, 11 Jan 2017 11:15:48 +0530 Subject: [PATCH] Update warning message for ipa server uninstall Fix adds an additional recommendation message for taking backup of existing data and configuration before proceeding to ipa server uninstallation procedures. Fixes https://fedorahosted.org/freeipa/ticket/6548 Signed-off-by: Abhijeet Kasurde --- ipaserver/install/server/install.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index fc319d9..b71a32f 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py @@ -975,7 +975,9 @@ def uninstall_check(installer): if installer.interactive: print("\nThis is a NON REVERSIBLE operation and will delete all data " - "and configuration!\n") + "and configuration!\nIt is highly recommended to take a backup of " + "existing data and configuration using ipa-backup utility " + "before proceeding.\n") if not user_input("Are you sure you want to continue with the " "uninstall procedure?", False): raise ScriptError("Aborting uninstall operation.") -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
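Review bot: the new backup advice lives inside the `if installer.interactive:` block, so an unattended or scripted uninstall, the case where an operator is least likely to have thought about `ipa-backup`, never sees it; log the same recommendation before the interactive branch so it also lands in the install log. Two wording nits in the added string: "using ipa-backup utility" should read "using the ipa-backup utility", and since the next step deletes the very data ipa-backup reads, "before proceeding" is better stated as "before confirming the uninstall" so nobody assumes the backup can be taken afterwards.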
Re: [Freeipa-devel] [DESIGN] Dogtag GSS-API Authentication
On Tue, Jan 10, 2017 at 10:48:08AM +0100, Martin Babinsky wrote:
> Hi Fraser,
>
> I have some rather inane comments. I guess Jan Cholasta will do a more thorough review of your design. See below:
>
> On 01/06/2017 09:08 AM, Fraser Tweedale wrote:
> > Hi comrades,
> >
> > I have written up the high-level details of the FreeIPA->Dogtag GSS-API authentication design. The goal is to improve security by removing an egregious privilege separation violation: the RA Agent cert.
> >
> > There is a fair bit of work still to do on the Dogtag side but things are shaping up there and it's time to work out the IPA aspects. The design is at:
> >
> > http://www.freeipa.org/page/V4/Dogtag_GSS-API_Authentication
>
> First of all, you link an internal document from a publicly available design page. You should prepare a publicly visible version of the Dogtag-side design and link that.

Will do; thanks.

> It would also be nice to have a high-level graphical representation of the proposed CSR processing workflow. I think you can re-use the one that is in the Dogtag part, omit the Dogtag internals and add IPA-specific parts.

I will definitely do this a bit later, once more details of the IPA design are established.

> > Right now, I need feedback about the Domain Level aspects: whether it is the right approach, whether there are mechanisms to perform update steps (specifically: LDAP updates and/or api calls) alongside a DL bump, or if there aren't, how to deal with that (implement such a mechanism, make admins do extra steps, ???).
>
> Is the DL bump really necessary? Are you sure we really can not just update the profile configuration and let older Dogtag installations handle it gracefully? IIRC we have done some profile inclusion work in 4.2 development and on and never really bothered about older Dogtag understanding them.

The problem is that the new profiles will refer to plugins (i.e. classes) that do not exist in older versions of Dogtag. Profile config is replicated, so if we upgrade profile config with old versions of Dogtag in the topology, it breaks them.

I considered a mechanism where multiple versions of a profile exist in LDAP (i.e. multiple attribute values), and Dogtag picks the one that's "right" for it. (An example of how to do this might be attribute tagging, where the tag indicates the minimum version of Dogtag containing the components used in that profile version, and Dogtag picks the highest that it supports.) The advantage of such a mechanism is that we could use it for any future scenario where we introduce new profile components that we want to use in IPA. The downside is that it significantly complicates profile management (including for administrators), and can result in the same profile having different behaviour on different Dogtag instances, which could be confusing and make it harder to diagnose issues. Given the tradeoffs, I think a DL bump is preferable.

> Anyway I guess we can call `certprofile-import' to load the ExternalProcessConstraint-enabled profile upon setting domain level to 2, we just have to know where on the FS it is located.
>
> > Of course, any other general or specific feedback is welcome.
> >
> > Thanks,
> > Fraser
>
> So if I understand correctly there will be no change in the CA ACL management interface and only the code which evaluates them will be factored out into the 'ipa-pki-validate-cert-request' command? Also, wouldn't it be simpler if the CA ACL evaluation was delegated to a separate API command instead? ExternalProcessConstraint would then only ask the IPA JSON API and process the response.

There are no changes to the CA ACL management interface as part of this design, but there are proposals to extend/rework it in future, e.g. #6424, #6425, #6426. Having a separate command for CA ACL evaluation is a good idea, and a clean refactoring target. ExternalProcessConstraint is generic with no knowledge of the IPA API, but 'ipa-pki-validate-cert-request' can invoke the new API command.

Thanks for your feedback, Martin!

Cheers,
Fraser
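An added sketch (not code from the thread, from FreeIPA or from Dogtag) of the version-tagged multi-value profile mechanism Fraser describes and then rejects in favour of the DL bump: every value of the replicated profile attribute carries the minimum Dogtag version its plugins need, and each instance resolves the highest tag it can support. The `ver=` tag syntax, the version numbers and the `externalProcessConstraintImpl` class id are assumptions made for this example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample for this example: several values of one LDAP profile
# attribute, each tagged with the lowest Dogtag version whose plugins that
# config refers to. The "ver=<version>;" tag syntax, the version numbers and
# the externalProcessConstraintImpl class id are assumptions, not Dogtag's.
PROFILE_VALUES = [
    "ver=10.3;policyset.serverCertSet.list=1,2,3",
    "ver=10.4;policyset.serverCertSet.list=1,2,3,4;"
    "policyset.serverCertSet.4.constraint.class_id=externalProcessConstraintImpl",
    "ver=10.2;policyset.serverCertSet.list=1,2",
]

_TAGGED = re.compile(r"^ver=(\d+(?:\.\d+)*);(.*)$", re.S)

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'10.3.5' -> (10, 3, 5); tuples compare component-wise, so (10, 4) > (10, 3, 9)."""
    return tuple(int(part) for part in text.split("."))


def parse_tagged_value(value: str) -> Tuple[Version, str]:
    """Split one attribute value into (minimum Dogtag version, profile config)."""
    match = _TAGGED.match(value)
    if match is None:
        raise ValueError("profile value without a version tag: %r" % value)
    return parse_version(match.group(1)), match.group(2)


def select_profile(values: List[str], dogtag_version: str) -> Optional[str]:
    """Return the config tagged with the highest version this instance supports,
    or None when every stored version needs a newer Dogtag than this one."""
    mine = parse_version(dogtag_version)
    usable = [(tag, cfg) for tag, cfg in map(parse_tagged_value, values) if tag <= mine]
    if not usable:
        return None
    return max(usable, key=lambda item: item[0])[1]


def effective_configs(values: List[str], versions: List[str]) -> Dict[str, Optional[str]]:
    """The downside Fraser names: the same replicated profile resolves to a
    different config on instances of different versions."""
    return {ver: select_profile(values, ver) for ver in versions}
```

Running `effective_configs` across a mixed-version topology shows the behaviour he objects to: three instances, three different resolved configs for one profile name, which is why a single profile version gated behind a domain level is easier to reason about and to debug.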
Re: [Freeipa-devel] CSR autogeneration next steps
On 01/10/2017 01:58 AM, Jan Cholasta wrote: On 19.12.2016 21:59, Ben Lipton wrote: On 12/15/2016 11:11 PM, Ben Lipton wrote: On 12/12/2016 03:52 AM, Jan Cholasta wrote: On 5.12.2016 16:48, Ben Lipton wrote: Hi Jan, thanks for the comments. On 12/05/2016 04:25 AM, Jan Cholasta wrote: Hi Ben, On 3.11.2016 00:12, Ben Lipton wrote: Hi everybody, Soon I'm going to have to reduce the amount of time I spend on new development work for the CSR autogeneration project, and I want to leave the project in as organized a state as possible. So, I'm taking inventory of the work I've done in order to make sure that what's ready for review can get reviewed and the ideas that have been discussed get prototyped or at least recorded so they won't be forgotten. Thanks, I have some questions and comments, see below. Code that's ready for review (I will continue to put in as much time as needed to help get these ready for submission): - Current PR: https://github.com/freeipa/freeipa/pull/10 How hard would it be to update the PR to use the "new" interface from the design thread? By this I mean that currently there is a command (cert_get_requestdata), which creates a CSR from profile id + principal + helper, but in the design we discussed a command which creates a CertificationRequestInfo from profile id + principal + public key. Internally it could use the OpenSSL helper, no need to implement the full "new" design. With your build_requestinfo.c code below it looks like it should be pretty straightforward. This is probably doable with the cffi, but I'm concerned about usability. A user can run the current command to get a (reusable) script, and run the script to get a CSR. It works with keys in both PEM files and NSS databases already. If we change to outputting a CertificationRequestInfo, in order to make this usable on the command line, we'll need: - An additional tool to sign a CSR given a CertificationRequestInfo (for both types of key storage). 
- A way to extract a SubjectPublicKeyInfo structure from a key within the ipa command (like [1] but we need it for both types of key storage) Since as far as I know there's no standard encoding for files containing only a CertificationRequestInfo or a SubjectPublicKeyInfo, we'll be writing and distributing these ourselves. I think that's where most of the extra work will come in. For PEM files, this is easily doable using python-cryptography (to extract SubjectPublicKeyInfo and sign CertificationRequestInfo) and PyASN1 (to create a CSR from the CertificationRequestInfo and the signature). I didn't realize that python-cryptography knew about SubjectPublicKeyInfo structures, but indeed this seems to be pretty straightforward: key = load_pem_private_key(key_bytes, None, default_backend()) pubkey_info = key.public_key().public_bytes(Encoding.DER, PublicFormat.SubjectPublicKeyInfo) Thanks for letting me know this functionality already existed. I'm currently working on the step of signing the CertificationRequestInfo and creating a CSR from it. I think I have it working with pyasn1, but of course the "signature algorithm" for the CSR needs to be specified and implemented within the code since I'm not using a library that understands CSRs natively. The code I have currently always produces CSRs with the sha256WithRSAEncryption algorithm (DER-encode request info, SHA256, PKCS #1v1.5 padding, RSA encryption), and the OID for that algorithm is hardcoded in the output CSR. Is this ok or will we need more flexibility than that? For NSS databases, this will be trickier and will require calling C functions, as neither certutil nor python-nss provide a way to a) address existing keys in the database by key ID b) get SubjectPublicKeyInfo for a given key. This can be worked around by: 1. Generating a key + temporary certificate: n=$(head -c 40 /dev/urandom | base32) certutil -S -n $n -s CN=$n -x -t ,, 2. 
Extracting the public key from the certificate: certutil -L -n $n -a >temp.crt (extract the public key using python-cryptography) 3. Deleting the temporary certificate: certutil -D -n $n 4. Importing the newly issued certificate: certutil -A -n $n -t ,, -a Oof, thanks, I'm not sure I would have been able to come up with that. Can you generate a key without a temporary certificate if you use the NSS API, or does their model require every key to belong to a cert? As for encoding, the obvious choice is DER. It does not really matter there is no standard file format, as we won't be transferring these as files anyway. Agreed. I just meant there aren't tools already because this isn't a type of file one often needs to process. Would it be ok to stick with the current design in this PR? I'd feel much better if we could get the basic functionality into the repo and then iterate on it rather than changing the plan at this point. I can create a separate PR to change cert_get_requestdata to this new interface and at
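An added example (not Ben's PR code and not FreeIPA's) of the PEM-key path discussed above: extract the SubjectPublicKeyInfo with python-cryptography, sign a DER CertificationRequestInfo with sha256WithRSAEncryption (SHA-256, PKCS #1 v1.5) and wrap CRI, AlgorithmIdentifier and signature into a PKCS #10 CertificationRequest. It assumes `cryptography` is installed; the DER wrapper is hand-rolled instead of using pyasn1, and the server-side request-info command is stood in for by a throwaway CSR builder whose tbs bytes play the role of the returned CertificationRequestInfo.

```python
"""Sign a DER CertificationRequestInfo and wrap it into a PKCS#10 CSR by hand."""
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

# sha256WithRSAEncryption, OID 1.2.840.113549.1.1.11, pre-encoded as a DER OBJECT IDENTIFIER
SHA256_WITH_RSA_OID = bytes.fromhex("06092a864886f70d01010b")
DER_NULL = b"\x05\x00"
SEQUENCE, BIT_STRING = 0x30, 0x03


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form (0x8N + N length bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content


def subject_public_key_info(private_key) -> bytes:
    """The SPKI a client would hand to the server-side request-info command."""
    return private_key.public_key().public_bytes(
        serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)


def build_request_info(private_key, common_name: str) -> bytes:
    """Stand-in for the server: return a DER CertificationRequestInfo for this key.

    Assumption for this example: cryptography builds a throwaway CSR and we keep
    only its tbs bytes; the real command would assemble the CRI from profile data.
    """
    csr = (x509.CertificateSigningRequestBuilder()
           .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
           .sign(private_key, hashes.SHA256()))
    return csr.tbs_certrequest_bytes


def sign_request_info(request_info: bytes, private_key) -> bytes:
    """CertificationRequest ::= SEQUENCE { CRI, AlgorithmIdentifier, BIT STRING signature }."""
    signature = private_key.sign(request_info, padding.PKCS1v15(), hashes.SHA256())
    algorithm = der_tlv(SEQUENCE, SHA256_WITH_RSA_OID + DER_NULL)
    # A BIT STRING starts with the unused-bit count; zero for a byte-aligned signature.
    return der_tlv(SEQUENCE, request_info + algorithm + der_tlv(BIT_STRING, b"\x00" + signature))


def csr_checks(csr_der: bytes, request_info: bytes, spki: bytes) -> dict:
    """Parse the hand-built CSR with a real PKCS#10 parser and check it round-trips."""
    csr = x509.load_der_x509_csr(csr_der)
    return {
        "signature_valid": csr.is_signature_valid,
        "cri_intact": csr.tbs_certrequest_bytes == request_info,
        "spki_embedded": spki in request_info,
        "cn": csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value,
    }


def run_example(common_name: str = "host.example.test") -> dict:
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    spki = subject_public_key_info(key)
    cri = build_request_info(key, common_name)
    return csr_checks(sign_request_info(cri, key), cri, spki)
```

The AlgorithmIdentifier is fixed to sha256WithRSAEncryption, exactly the limitation Ben asks about: an EC key would need a different OID, ECDSA signing, and no NULL parameters, so a production version has to pick the identifier from the key type rather than hardcode it.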
[Freeipa-devel] [freeipa PR#386][opened] Tests: Add tree root domain role in legacy client tests
URL: https://github.com/freeipa/freeipa/pull/386 Author: gkaihorodova Title: #386: Tests: Add tree root domain role in legacy client tests Action: opened PR body: """ Legacy client tests inherit test cases from trust tests, which have a role for the tree root domain. That role was missing in legacy client tests. https://fedorahosted.org/freeipa/ticket/6600 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/386/head:pr386 git checkout pr386 From 3653a5a7e2b625b23b50f6412e6b01bada5ba0f5 Mon Sep 17 00:00:00 2001 From: Ganna Kaihorodova Date: Tue, 10 Jan 2017 15:17:40 +0100 Subject: [PATCH] Tests: Add tree root domain role in legacy client tests Legacy client tests inherit test cases from trust tests, which have a role for the tree root domain. That role was missing in legacy client tests. https://fedorahosted.org/freeipa/ticket/6600 --- ipatests/test_integration/test_legacy_clients.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ipatests/test_integration/test_legacy_clients.py b/ipatests/test_integration/test_legacy_clients.py index 33958a2..8bd680a 100644 --- a/ipatests/test_integration/test_legacy_clients.py +++ b/ipatests/test_integration/test_legacy_clients.py @@ -385,14 +385,14 @@ class BaseTestLegacySSSDBefore19RedHat(object): advice_id = 'config-redhat-sssd-before-1-9' required_extra_roles = ['legacy_client_sssd_redhat'] -optional_extra_roles = ['ad_subdomain'] +optional_extra_roles = ['ad_subdomain', 'ad_treedomain'] class BaseTestLegacyNssPamLdapdRedHat(object): advice_id = 'config-redhat-nss-pam-ldapd' required_extra_roles = ['legacy_client_nss_pam_ldapd_redhat'] -optional_extra_roles = ['ad_subdomain'] +optional_extra_roles = ['ad_subdomain', 'ad_treedomain'] def clear_sssd_caches(self): tasks.clear_sssd_cache(self.master) 
@@ -402,7 +402,7 @@ class BaseTestLegacyNssLdapRedHat(object): advice_id = 'config-redhat-nss-ldap' required_extra_roles = ['legacy_client_nss_ldap_redhat'] -optional_extra_roles = ['ad_subdomain'] +optional_extra_roles = ['ad_subdomain', 'ad_treedomain'] def clear_sssd_caches(self): tasks.clear_sssd_cache(self.master) --
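Review bot: the identical `optional_extra_roles = ['ad_subdomain', 'ad_treedomain']` list is now copied verbatim into three classes (BaseTestLegacySSSDBefore19RedHat, BaseTestLegacyNssPamLdapdRedHat and BaseTestLegacyNssLdapRedHat), and ticket 6600 exists precisely because one such copy drifted from the trust tests these classes inherit from; hoisting the list into a shared mixin, or reading it from the trust test class the cases come from, would stop the same drift recurring the next time a role is added.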
[Freeipa-devel] [freeipa PR#382][synchronized] [WIP] Py3 ipa-server-install fixes
URL: https://github.com/freeipa/freeipa/pull/382 Author: mbasti-rh Title: #382: [WIP] Py3 ipa-server-install fixes Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/382/head:pr382 git checkout pr382 From 0ba8877d4f0a6e96d4e338a88f8638d00ad980b1 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Mon, 9 Jan 2017 11:53:59 +0100 Subject: [PATCH 01/10] py3: create_cert_db: write to file in a compatible way Py3 expects bytes to be written using os.write. Using the io module instead is more pythonic. https://fedorahosted.org/freeipa/ticket/4985 --- ipaserver/install/httpinstance.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index bacd5fc..ded0553 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -19,6 +19,7 @@ from __future__ import print_function +import io import os import os.path import pwd @@ -314,9 +315,8 @@ def create_cert_db(self): # Create the password file for this db password = ipautil.ipa_generate_password() -f = os.open(pwd_file, os.O_CREAT | os.O_RDWR) -os.write(f, password) -os.close(f) +with io.open(pwd_file, 'w') as f: +f.write(password) ipautil.run([paths.CERTUTIL, "-d", database, "-f", pwd_file, "-N"]) From f97b56d35539dbc091d20282e01b7a804c6f8732 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Tue, 10 Jan 2017 13:45:11 +0100 Subject: [PATCH 02/10] py3: service.py: replace mkstemp by NamedTemporaryFile NamedTemporaryFile can be used in a more pythonic way and the file can be opened in text mode, which is required with PY3 https://fedorahosted.org/freeipa/ticket/4985 --- ipapython/ipautil.py | 2 +- ipaserver/install/service.py | 9 + 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py index e3e4611..34d10ef 100644 --- a/ipapython/ipautil.py +++ b/ipapython/ipautil.py 
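Review bot: in the create_cert_db hunk the NSS database password file is still created without an explicit mode: the old `os.open(pwd_file, os.O_CREAT | os.O_RDWR)` passed no mode (so 0o777 masked by umask) and the new `io.open(pwd_file, 'w')` creates with 0o666 masked by umask, so under a permissive umask `pwd_file` is world-readable and unlocks the httpd cert DB. Since this patch already touches the open call, create it with 0o600, e.g. `fd = os.open(pwd_file, os.O_CREAT | os.O_WRONLY | os.O_TRUNC, 0o600)` followed by `with os.fdopen(fd, 'w') as f:`, or chmod it before the write. One related improvement worth a line in the commit message: the old `O_RDWR` open did not truncate, so an existing longer file would have kept stale trailing bytes after the new password, whereas `'w'` truncates.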
@@ -852,7 +852,7 @@ def ipa_generate_password(entropy_bits=256, uppercase=1, lowercase=1, digits=1, rnd = random.SystemRandom() todo_entropy = entropy_bits -password = '' +password = u'' # Generate required character classes: # The order of generated characters is fixed to comply with check in # NSS function sftk_newPinCheck() in nss/lib/softoken/fipstokn.c. diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py index 6451f92..c96cd8b 100644 --- a/ipaserver/install/service.py +++ b/ipaserver/install/service.py @@ -208,10 +208,11 @@ def _ldap_mod(self, ldif, sub_dict=None, raise_on_err=True, args += ["-H", ldap_uri] if dm_password: -[pw_fd, pw_name] = tempfile.mkstemp() -os.write(pw_fd, dm_password) -os.close(pw_fd) -auth_parms = ["-x", "-D", "cn=Directory Manager", "-y", pw_name] +with tempfile.NamedTemporaryFile( +mode='w', delete=False) as pw_file: +pw_name = pw_file.name +pw_file.write(dm_password) +auth_parms = ["-x", "-D", "cn=Directory Manager", "-y", pw_name] # Use GSSAPI auth when not using DM password or not being root elif os.getegid() != 0: auth_parms = ["-Y", "GSSAPI"] From 381a6570f75a581d01e8ed57d701654ae36d388e Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Mon, 9 Jan 2017 12:42:23 +0100 Subject: [PATCH 03/10] py3: open temporary ldif file in text mode ldif parser uses file in text mode, so we have to open it in text mode in py3 Also values passed to parser should be bytes https://fedorahosted.org/freeipa/ticket/4985 --- ipaserver/install/dsinstance.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 89315b6..2721d88 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py 
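Review bot: in the service.py hunk, `NamedTemporaryFile(mode='w', delete=False)` writes the Directory Manager password to a file that outlives the `with` block, and nothing in the hunk removes `pw_name`; confirm that the existing cleanup after the ldapmodify call still runs and move it into a `finally:` so an exception does not leave the DM password lying in the temp dir, or keep the file open with `delete=True` for the duration of the `ipautil.run` call instead. The 0600 mode NamedTemporaryFile uses matches what mkstemp gave, so permissions are unchanged. Since the file is now text, pass an explicit `encoding='utf-8'` rather than depending on the locale under py3; the `u''` change in ipa_generate_password keeps the py2 side consistent with that.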
@@ -582,14 +582,15 @@ def __update_dse_ldif(self): 'dse.ldif' ) -with tempfile.NamedTemporaryFile(delete=False) as new_dse_ldif: +with tempfile.NamedTemporaryFile( +mode='w', delete=False) as new_dse_ldif: temp_filename = new_dse_ldif.name with open(dse_filename, "r") as input_file: parser = installutils.ModifyLDIF(input_file, new_dse_ldif) parser.replace_value( 'cn=config,cn=ldbm database,cn=plugins,cn=config', 'nsslapd-db-locks', -['5'] +[b'5'] ) if self.config_ldif: # parse modifications from ldif file supplied by the admin From
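Review bot: the new dse.ldif is opened with `NamedTemporaryFile(mode='w', ...)` and the original with `open(dse_filename, "r")`, neither with an encoding, so under py3 both follow the locale, which is ASCII for a service started with a C/POSIX locale; pass `encoding='utf-8'` on both (LDIF is 7-bit with base64 for non-ASCII values, but explicit beats locale-dependent in installer code). The `[b'5']` change is right for a parser that wants bytes, but it sits oddly next to a text-mode output file; a one-line comment that `ModifyLDIF` decodes values when it writes them would save the next reader the same double-take.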
[Freeipa-devel] [freeipa PR#385][synchronized] Generate sha256 ssh pubkey fingerprints for hosts
URL: https://github.com/freeipa/freeipa/pull/385 Author: stlaz Title: #385: Generate sha256 ssh pubkey fingerprints for hosts Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/385/head:pr385 git checkout pr385 From 6744fc2410eefe48b5b685bde9bf70a5b3cc94be Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Mon, 12 Dec 2016 16:59:48 +0100 Subject: [PATCH] Generate sha256 ssh pubkey fingerprints for hosts Replace md5 with sha256 for host ssh pubkey fingerprints https://fedorahosted.org/freeipa/ticket/5695 --- ipalib/util.py | 2 +- ipapython/ssh.py | 13 +++-- ipatests/test_xmlrpc/test_host_plugin.py | 2 +- ipatests/test_xmlrpc/test_idviews_plugin.py | 2 +- ipatests/test_xmlrpc/test_stageuser_plugin.py| 2 +- ipatests/test_xmlrpc/test_user_plugin.py | 2 +- ipatests/test_xmlrpc/tracker/stageuser_plugin.py | 2 +- 7 files changed, 13 insertions(+), 12 deletions(-) diff --git a/ipalib/util.py b/ipalib/util.py index 1c00cd7..81c0e9e 100644 --- a/ipalib/util.py +++ b/ipalib/util.py @@ -301,7 +301,7 @@ def convert_sshpubkey_post(entry_attrs): except (ValueError, UnicodeDecodeError): continue -fp = pubkey.fingerprint_hex_md5() +fp = pubkey.fingerprint_hex_sha256() comment = pubkey.comment() if comment: fp = u'%s %s' % (fp, comment) diff --git a/ipapython/ssh.py b/ipapython/ssh.py index c76cf51..57752ae 100644 --- a/ipapython/ssh.py +++ b/ipapython/ssh.py @@ -25,8 +25,8 @@ import base64 import re import struct -from hashlib import md5, sha1 -from hashlib import sha256 #pylint: disable=E0611 +from hashlib import sha1 +from hashlib import sha256 # pylint: disable=E0611 import six 
@@ -190,10 +190,11 @@ def openssh(self): return out -def fingerprint_hex_md5(self): -fp = md5(self._key).hexdigest().upper() -fp = u':'.join([fp[j:j+2] for j in range(0, len(fp), 2)]) -return fp +def fingerprint_hex_sha256(self): +# OpenSSH trims the trailing '=' of base64 sha256 FP representation +# Using unicode argument converts the result to unicode object +fp = base64.b64encode(sha256(self._key).digest()).rstrip(u'=') +return 'SHA256:{fp}'.format(fp=fp) def _fingerprint_dns(self, fpfunc, fptype): if self._keytype == 'ssh-rsa': diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py index b36c6b8..d4384e1 100644 --- a/ipatests/test_xmlrpc/test_host_plugin.py +++ b/ipatests/test_xmlrpc/test_host_plugin.py @@ -84,7 +84,7 @@ ipv6_fromip_ptr_dn = DN(('idnsname', ipv6_fromip_ptr), revipv6zone_dn) sshpubkey = u'ssh-rsa B3NzaC1yc2EDAQABAAABAQDGAX3xAeLeaJggwTqMjxNwa6XHBUAikXPGMzEpVrlLDCZtv00djsFTBi38PkgxBJVkgRWMrcBsr/35lq7P6w8KGIwA8GI48Z0qBS2NBMJ2u9WQ2hjLN6GdMlo77O0uJY3251p12pCVIS/bHRSq8kHO2No8g7KA9fGGcagPfQH+ee3t7HUkpbQkFTmbPPN++r3V8oVUk5LxbryB3UIIVzNmcSIn3JrXynlvui4MixvrtX6zx+O/bBo68o8/eZD26QrahVbA09fivrn/4h3TM019Eu/c2jOdckfU3cHUV/3Tno5d6JicibyaoDDK7S/yjdn5jhaz8MSEayQvFkZkiF0L public key test' -sshpubkeyfp = u'13:67:6B:BF:4E:A2:05:8E:AE:25:8B:A1:31:DE:6F:1B public key test (ssh-rsa)' +sshpubkeyfp = u'SHA256:cStA9o5TRSARbeketEOooMUMSWRSsArIAXloBZ4vNsE public key test (ssh-rsa)' user1 = u'tuser1' user2 = u'tuser2' diff --git a/ipatests/test_xmlrpc/test_idviews_plugin.py b/ipatests/test_xmlrpc/test_idviews_plugin.py index b1bb5ab..35d31b3 100644 --- a/ipatests/test_xmlrpc/test_idviews_plugin.py +++ b/ipatests/test_xmlrpc/test_idviews_plugin.py 
@@ -66,7 +66,7 @@ 'cSIn3JrXynlvui4MixvrtX6zx+O/bBo68o8/eZD26QrahVbA09fivrn/4h3TM01' '9Eu/c2jOdckfU3cHUV/3Tno5d6JicibyaoDDK7S/yjdn5jhaz8MSEayQvFkZkiF' '0L public key test') -sshpubkeyfp = (u'13:67:6B:BF:4E:A2:05:8E:AE:25:8B:A1:31:DE:6F:1B ' +sshpubkeyfp = (u'SHA256:cStA9o5TRSARbeketEOooMUMSWRSsArIAXloBZ4vNsE ' 'public key test (ssh-rsa)') diff --git a/ipatests/test_xmlrpc/test_stageuser_plugin.py b/ipatests/test_xmlrpc/test_stageuser_plugin.py index 4a859e8..e61bf7a 100644 --- a/ipatests/test_xmlrpc/test_stageuser_plugin.py +++ b/ipatests/test_xmlrpc/test_stageuser_plugin.py @@ -40,7 +40,7 @@ 'cSIn3JrXynlvui4MixvrtX6zx+O/bBo68o8/eZD26QrahVbA09fivrn/4h3TM01' '9Eu/c2jOdckfU3cHUV/3Tno5d6JicibyaoDDK7S/yjdn5jhaz8MSEayQvFkZkiF' '0L public key test') -sshpubkeyfp = (u'13:67:6B:BF:4E:A2:05:8E:AE:25:8B:A1:31:DE:6F:1B ' +sshpubkeyfp = (u'SHA256:cStA9o5TRSARbeketEOooMUMSWRSsArIAXloBZ4vNsE ' 'public key test (ssh-rsa)') options_def = OrderedDict([ diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py index 7508578..c09d793 100644 --- a/ipatests/test_xmlrpc/test_user_plugin.py +++
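Review bot: in the ssh.py hunk, `base64.b64encode(...)` returns bytes on Python 3 and `bytes.rstrip(u'=')` raises TypeError there, so `fingerprint_hex_sha256` only works on py2; decode first: `fp = base64.b64encode(sha256(self._key).digest()).decode('ascii').rstrip('=')`. The comment "Using unicode argument converts the result to unicode object" is also misleading even on py2, because the byte-string template in `'SHA256:{fp}'.format(fp=fp)` turns the result back into a str; use `u'SHA256:{fp}'` so the method returns unicode as the callers and the `u'SHA256:...'` test expectations assume. Last, the name still says `_hex_` while the value is now base64; `fingerprint_sha256` would describe what it returns.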
[Freeipa-devel] [freeipa PR#383][comment] Remove duplicated step from DS install
URL: https://github.com/freeipa/freeipa/pull/383 Title: #383: Remove duplicated step from DS install stlaz commented: """ The tests passed, ACK. """ See the full comment at https://github.com/freeipa/freeipa/pull/383#issuecomment-271622092
[Freeipa-devel] [freeipa PR#383][+ack] Remove duplicated step from DS install
URL: https://github.com/freeipa/freeipa/pull/383 Title: #383: Remove duplicated step from DS install Label: +ack
[Freeipa-devel] [freeipa PR#385][opened] Generate sha256 ssh pubkey fingerprints for hosts
URL: https://github.com/freeipa/freeipa/pull/385 Author: stlaz Title: #385: Generate sha256 ssh pubkey fingerprints for hosts Action: opened PR body: """ Replace md5 with sha256 for host ssh pubkey fingerprints. MD5 is disabled in FIPS mode, newer versions of OpenSSH print SHA256 public key fingerprint anyway. https://fedorahosted.org/freeipa/ticket/5695 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/385/head:pr385 git checkout pr385 From 9863d201ca2bb116adfe57e4a83527d663389a57 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Mon, 12 Dec 2016 16:59:48 +0100 Subject: [PATCH] Generate sha256 ssh pubkey fingerprints for hosts Replace md5 with sha256 for host ssh pubkey fingerprints https://fedorahosted.org/freeipa/ticket/5695 --- ipalib/util.py | 2 +- ipapython/ssh.py | 9 + ipatests/test_xmlrpc/test_host_plugin.py | 2 +- ipatests/test_xmlrpc/test_idviews_plugin.py | 2 +- ipatests/test_xmlrpc/test_stageuser_plugin.py| 2 +- ipatests/test_xmlrpc/test_user_plugin.py | 2 +- ipatests/test_xmlrpc/tracker/stageuser_plugin.py | 2 +- 7 files changed, 11 insertions(+), 10 deletions(-) diff --git a/ipalib/util.py b/ipalib/util.py index 1c00cd7..81c0e9e 100644 --- a/ipalib/util.py +++ b/ipalib/util.py @@ -301,7 +301,7 @@ def convert_sshpubkey_post(entry_attrs): except (ValueError, UnicodeDecodeError): continue -fp = pubkey.fingerprint_hex_md5() +fp = pubkey.fingerprint_hex_sha256() comment = pubkey.comment() if comment: fp = u'%s %s' % (fp, comment) diff --git a/ipapython/ssh.py b/ipapython/ssh.py index c76cf51..1e72dd5 100644 --- a/ipapython/ssh.py +++ b/ipapython/ssh.py 
@@ -190,10 +190,11 @@ def openssh(self): return out -def fingerprint_hex_md5(self): -fp = md5(self._key).hexdigest().upper() -fp = u':'.join([fp[j:j+2] for j in range(0, len(fp), 2)]) -return fp +def fingerprint_hex_sha256(self): +# OpenSSH trims the trailing '=' of base64 sha256 FP representation +# Using unicode argument converts the result to unicode object +fp = base64.b64encode(sha256(self._key).digest()).rstrip(u'=') +return 'SHA256:{fp}'.format(fp=fp) def _fingerprint_dns(self, fpfunc, fptype): if self._keytype == 'ssh-rsa': diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py index b36c6b8..35a8401 100644 --- a/ipatests/test_xmlrpc/test_host_plugin.py +++ b/ipatests/test_xmlrpc/test_host_plugin.py @@ -84,7 +84,7 @@ ipv6_fromip_ptr_dn = DN(('idnsname', ipv6_fromip_ptr), revipv6zone_dn) sshpubkey = u'ssh-rsa B3NzaC1yc2EDAQABAAABAQDGAX3xAeLeaJggwTqMjxNwa6XHBUAikXPGMzEpVrlLDCZtv00djsFTBi38PkgxBJVkgRWMrcBsr/35lq7P6w8KGIwA8GI48Z0qBS2NBMJ2u9WQ2hjLN6GdMlo77O0uJY3251p12pCVIS/bHRSq8kHO2No8g7KA9fGGcagPfQH+ee3t7HUkpbQkFTmbPPN++r3V8oVUk5LxbryB3UIIVzNmcSIn3JrXynlvui4MixvrtX6zx+O/bBo68o8/eZD26QrahVbA09fivrn/4h3TM019Eu/c2jOdckfU3cHUV/3Tno5d6JicibyaoDDK7S/yjdn5jhaz8MSEayQvFkZkiF0L public key test' -sshpubkeyfp = u'13:67:6B:BF:4E:A2:05:8E:AE:25:8B:A1:31:DE:6F:1B public key test (ssh-rsa)' +sshpubkeyfp = u'cStA9o5TRSARbeketEOooMUMSWRSsArIAXloBZ4vNsE public key test (ssh-rsa)' user1 = u'tuser1' user2 = u'tuser2' diff --git a/ipatests/test_xmlrpc/test_idviews_plugin.py b/ipatests/test_xmlrpc/test_idviews_plugin.py index b1bb5ab..13e8862 100644 --- a/ipatests/test_xmlrpc/test_idviews_plugin.py +++ b/ipatests/test_xmlrpc/test_idviews_plugin.py 
@@ -66,7 +66,7 @@ 'cSIn3JrXynlvui4MixvrtX6zx+O/bBo68o8/eZD26QrahVbA09fivrn/4h3TM01' '9Eu/c2jOdckfU3cHUV/3Tno5d6JicibyaoDDK7S/yjdn5jhaz8MSEayQvFkZkiF' '0L public key test') -sshpubkeyfp = (u'13:67:6B:BF:4E:A2:05:8E:AE:25:8B:A1:31:DE:6F:1B ' +sshpubkeyfp = (u'cStA9o5TRSARbeketEOooMUMSWRSsArIAXloBZ4vNsE ' 'public key test (ssh-rsa)') diff --git a/ipatests/test_xmlrpc/test_stageuser_plugin.py b/ipatests/test_xmlrpc/test_stageuser_plugin.py index 4a859e8..89ffc1a 100644 --- a/ipatests/test_xmlrpc/test_stageuser_plugin.py +++ b/ipatests/test_xmlrpc/test_stageuser_plugin.py @@ -40,7 +40,7 @@ 'cSIn3JrXynlvui4MixvrtX6zx+O/bBo68o8/eZD26QrahVbA09fivrn/4h3TM01' '9Eu/c2jOdckfU3cHUV/3Tno5d6JicibyaoDDK7S/yjdn5jhaz8MSEayQvFkZkiF' '0L public key test') -sshpubkeyfp = (u'13:67:6B:BF:4E:A2:05:8E:AE:25:8B:A1:31:DE:6F:1B ' +sshpubkeyfp = (u'cStA9o5TRSARbeketEOooMUMSWRSsArIAXloBZ4vNsE ' 'public key test (ssh-rsa)') options_def = OrderedDict([ diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py index 7508578..8f1ff38 100644 --- a/ipatests/test_xmlrpc/test_user_plugin.py +++ b/ipatests/test_xmlrpc/test_user_plugin.py @@ -55,7 +55,7 @@
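Review bot: the expectations in the test_host_plugin.py, test_idviews_plugin.py and test_stageuser_plugin.py hunks are set to `u'cStA9o5TRSARbeketEOooMUMSWRSsArIAXloBZ4vNsE public key test (ssh-rsa)'` with no `SHA256:` prefix, but the ssh.py hunk returns `'SHA256:{fp}'`, so these tests cannot pass as written; either drop the prefix in the code or add it to every expectation (the latter matches what OpenSSH prints, which the PR body cites as the motivation).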
[Freeipa-devel] [freeipa PR#373][synchronized] ipaplatform: Add Debian platform module.
URL: https://github.com/freeipa/freeipa/pull/373 Author: tjaalton Title: #373: ipaplatform: Add Debian platform module. Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/373/head:pr373 git checkout pr373 From 3bce58353c8247ad5b920225b01ce96de79f4b10 Mon Sep 17 00:00:00 2001 From: Timo Aaltonen Date: Thu, 5 Jan 2017 12:41:08 +0200 Subject: [PATCH] ipaplatform: Add Debian platform module. v2: - use redhat_services.redhat_system_units.copy - don't use wildcard imports - add some empty lines to make pep8 happy v3: - make parse_ipa_version static v4: - make more methods static --- ipaplatform/base/tasks.py | 3 +- ipaplatform/debian/__init__.py | 7 ++ ipaplatform/debian/constants.py | 25 + ipaplatform/debian/paths.py | 98 ipaplatform/debian/services.py | 196 ipaplatform/debian/tasks.py | 51 +++ ipaplatform/setup.py| 1 + 7 files changed, 380 insertions(+), 1 deletion(-) create mode 100644 ipaplatform/debian/__init__.py create mode 100644 ipaplatform/debian/constants.py create mode 100644 ipaplatform/debian/paths.py create mode 100644 ipaplatform/debian/services.py create mode 100644 ipaplatform/debian/tasks.py diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py index 702da6b..8cf6fde 100644 --- a/ipaplatform/base/tasks.py +++ b/ipaplatform/base/tasks.py @@ -227,7 +227,8 @@ def create_system_user(self, name, group, homedir, shell, uid=None, gid=None, co else: log.debug('user %s exists', name) -def parse_ipa_version(self, version): +@staticmethod +def parse_ipa_version(version): """ :param version: textual version :return: object implementing proper __cmp__ method for version compare diff --git a/ipaplatform/debian/__init__.py b/ipaplatform/debian/__init__.py new file mode 100644 index 000..6305270 --- /dev/null +++ b/ipaplatform/debian/__init__.py 
@@ -0,0 +1,7 @@ +# +# Copyright (C) 2017 FreeIPA Contributors see COPYING for license +# + +""" +This module contains Debian specific platform files. +""" diff --git a/ipaplatform/debian/constants.py b/ipaplatform/debian/constants.py new file mode 100644 index 000..1edcb5a --- /dev/null +++ b/ipaplatform/debian/constants.py @@ -0,0 +1,25 @@ +# +# Copyright (C) 2017 FreeIPA Contributors see COPYING for license +# + +''' +This Debian family platform module exports platform dependant constants. +''' + +# Fallback to default path definitions +from ipaplatform.base.constants import BaseConstantsNamespace + + +class DebianConstantsNamespace(BaseConstantsNamespace): +HTTPD_USER = "www-data" +NAMED_USER = "bind" +NAMED_GROUP = "bind" +# ntpd init variable used for daemon options +NTPD_OPTS_VAR = "NTPD_OPTS" +# quote used for daemon options +NTPD_OPTS_QUOTE = "\'" +ODS_USER = "opendnssec" +ODS_GROUP = "opendnssec" +SECURE_NFS_VAR = "NEED_GSSD" + +constants = DebianConstantsNamespace() diff --git a/ipaplatform/debian/paths.py b/ipaplatform/debian/paths.py new file mode 100644 index 000..8bc6684 --- /dev/null +++ b/ipaplatform/debian/paths.py 
@@ -0,0 +1,98 @@ +# +# Copyright (C) 2017 FreeIPA Contributors see COPYING for license +# + +""" +This Debian base platform module exports default filesystem paths as common +in Debian-based systems. +""" + +# Fallback to default path definitions +from ipaplatform.base.paths import BasePathNamespace +import sysconfig + +MULTIARCH = sysconfig.get_config_var('MULTIARCH') + +class DebianPathNamespace(BasePathNamespace): +BIN_HOSTNAMECTL = "/usr/bin/hostnamectl" +AUTOFS_LDAP_AUTH_CONF = "/etc/autofs_ldap_auth.conf" +ETC_HTTPD_DIR = "/etc/apache2" +HTTPD_ALIAS_DIR = "/etc/apache2/nssdb" +ALIAS_CACERT_ASC = "/etc/apache2/nssdb/cacert.asc" +ALIAS_PWDFILE_TXT = "/etc/apache2/nssdb/pwdfile.txt" +HTTPD_CONF_D_DIR = "/etc/apache2/conf-enabled/" +HTTPD_IPA_KDCPROXY_CONF_SYMLINK = "/etc/apache2/conf-enabled/ipa-kdc-proxy.conf" +HTTPD_IPA_PKI_PROXY_CONF = "/etc/apache2/conf-enabled/ipa-pki-proxy.conf" +HTTPD_IPA_REWRITE_CONF = "/etc/apache2/conf-available/ipa-rewrite.conf" +HTTPD_IPA_CONF = "/etc/apache2/conf-enabled/ipa.conf" +HTTPD_NSS_CONF = "/etc/apache2/mods-available/nss.conf" +IPA_KEYTAB = "/etc/apache2/ipa.keytab" +HTTPD_PASSWORD_CONF = "/etc/apache2/password.conf" +NAMED_CONF = "/etc/bind/named.conf" +NAMED_VAR_DIR = "/var/cache/bind" +NAMED_KEYTAB = "/etc/bind/named.keytab" +NAMED_RFC1912_ZONES = "/etc/bind/named.conf.default-zones" +NAMED_ROOT_KEY = "/etc/bind/bind.keys" +NAMED_BINDKEYS_FILE = "/etc/bind/bind.keys" +NAMED_MANAGED_KEYS_DIR = "/var/cache/bind/dynamic" +OPENLDAP_LDAP_CONF = "/etc/ldap/ldap.conf" +ETC_DEBIAN_VERSION = "/etc/debian_version" +IPA_P11_KIT =
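Review bot: in ipaplatform/debian/paths.py, `MULTIARCH = sysconfig.get_config_var('MULTIARCH')` is evaluated at import time and comes back as None or an empty string on Python builds that do not define that variable, so any path the module later assembles by concatenating it either raises TypeError on import or silently yields a wrong path; give it a fallback (or derive the triplet from the platform) and fail loudly if it is still unset. Two pep8 nits, relevant because v2 claims pep8 cleanliness: `import sysconfig` is placed after the `from ipaplatform.base.paths import BasePathNamespace` line, and only one blank line separates the `MULTIARCH = ...` assignment from `class DebianPathNamespace`. On the security side, `HTTPD_ALIAS_DIR` and `ALIAS_PWDFILE_TXT` put the httpd NSS database and its password file under /etc/apache2/nssdb; make sure the Debian packaging creates that directory with the same restrictive ownership and mode the Fedora layout gives its alias directory, rather than inheriting the world-readable default of /etc/apache2.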
[Freeipa-devel] [freeipa PR#373][synchronized] ipaplatform: Add Debian platform module.
URL: https://github.com/freeipa/freeipa/pull/373 Author: tjaalton Title: #373: ipaplatform: Add Debian platform module. Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/373/head:pr373 git checkout pr373 From 394f36acdd897dae25a5554c71cbdfc3d76cb4d0 Mon Sep 17 00:00:00 2001 From: Timo AaltonenDate: Thu, 5 Jan 2017 12:41:08 +0200 Subject: [PATCH] ipaplatform: Add Debian platform module. v2: - use redhat_services.redhat_system_units.copy - don't use wildcard imports - add some empty lines to make pep8 happy v3: - make parse_ipa_version static --- ipaplatform/base/tasks.py | 3 +- ipaplatform/debian/__init__.py | 7 ++ ipaplatform/debian/constants.py | 25 ++ ipaplatform/debian/paths.py | 98 + ipaplatform/debian/services.py | 185 ipaplatform/debian/tasks.py | 46 ++ ipaplatform/setup.py| 1 + 7 files changed, 364 insertions(+), 1 deletion(-) create mode 100644 ipaplatform/debian/__init__.py create mode 100644 ipaplatform/debian/constants.py create mode 100644 ipaplatform/debian/paths.py create mode 100644 ipaplatform/debian/services.py create mode 100644 ipaplatform/debian/tasks.py diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py index 702da6b..8cf6fde 100644 --- a/ipaplatform/base/tasks.py +++ b/ipaplatform/base/tasks.py @@ -227,7 +227,8 @@ def create_system_user(self, name, group, homedir, shell, uid=None, gid=None, co else: log.debug('user %s exists', name) -def parse_ipa_version(self, version): +@staticmethod +def parse_ipa_version(version): """ :param version: textual version :return: object implementing proper __cmp__ method for version compare diff --git a/ipaplatform/debian/__init__.py b/ipaplatform/debian/__init__.py new file mode 100644 index 000..6305270 --- /dev/null +++ b/ipaplatform/debian/__init__.py @@ -0,0 +1,7 @@ +# +# Copyright (C) 2017 FreeIPA Contributors see COPYING for license +# + +""" +This module contains Debian specific platform files. +""" 
diff --git a/ipaplatform/debian/constants.py b/ipaplatform/debian/constants.py new file mode 100644 index 000..1edcb5a --- /dev/null +++ b/ipaplatform/debian/constants.py @@ -0,0 +1,25 @@ +# +# Copyright (C) 2017 FreeIPA Contributors see COPYING for license +# + +''' +This Debian family platform module exports platform dependant constants. +''' + +# Fallback to default path definitions +from ipaplatform.base.constants import BaseConstantsNamespace + + +class DebianConstantsNamespace(BaseConstantsNamespace): +HTTPD_USER = "www-data" +NAMED_USER = "bind" +NAMED_GROUP = "bind" +# ntpd init variable used for daemon options +NTPD_OPTS_VAR = "NTPD_OPTS" +# quote used for daemon options +NTPD_OPTS_QUOTE = "\'" +ODS_USER = "opendnssec" +ODS_GROUP = "opendnssec" +SECURE_NFS_VAR = "NEED_GSSD" + +constants = DebianConstantsNamespace() diff --git a/ipaplatform/debian/paths.py b/ipaplatform/debian/paths.py new file mode 100644 index 000..a3fa02f --- /dev/null +++ b/ipaplatform/debian/paths.py 
@@ -0,0 +1,98 @@ +# +# Copyright (C) 2017 FreeIPA Contributors see COPYING for license +# + +""" +This Debian base platform module exports default filesystem paths as common +in Debian-based systems. +""" + +# Fallback to default path definitions +from ipaplatform.base.paths import BasePathNamespace +import sysconfig + +MULTIARCH = sysconfig.get_config_var('MULTIARCH') + +class DebianPathNamespace(BasePathNamespace): +BIN_HOSTNAMECTL = "/usr/bin/hostnamectl" +AUTOFS_LDAP_AUTH_CONF = "/etc/autofs_ldap_auth.conf" +ETC_HTTPD_DIR = "/etc/apache2" +HTTPD_ALIAS_DIR = "/etc/apache2/nssdb" +ALIAS_CACERT_ASC = "/etc/apache2/nssdb/cacert.asc" +ALIAS_PWDFILE_TXT = "/etc/apache2/nssdb/pwdfile.txt" +HTTPD_CONF_D_DIR = "/etc/apache2/conf-enabled/" +HTTPD_IPA_KDCPROXY_CONF_SYMLINK = "/etc/apache2/conf-enabled/ipa-kdc-proxy.conf" +HTTPD_IPA_PKI_PROXY_CONF = "/etc/apache2/conf-enabled/ipa-pki-proxy.conf" +HTTPD_IPA_REWRITE_CONF = "/etc/apache2/conf-available/ipa-rewrite.conf" +HTTPD_IPA_CONF = "/etc/apache2/conf-enabled/ipa.conf" +HTTPD_NSS_CONF = "/etc/apache2/mods-available/nss.conf" +IPA_KEYTAB = "/etc/apache2/ipa.keytab" +HTTPD_PASSWORD_CONF = "/etc/apache2/password.conf" +NAMED_CONF = "/etc/bind/named.conf" +NAMED_VAR_DIR = "/var/cache/bind" +NAMED_KEYTAB = "/etc/bind/named.keytab" +NAMED_RFC1912_ZONES = "/etc/bind/named.conf.default-zones" +NAMED_ROOT_KEY = "/etc/bind/bind.keys" +NAMED_BINDKEYS_FILE = "/etc/bind/bind.keys" +NAMED_MANAGED_KEYS_DIR = "/var/cache/bind/dynamic" +OPENLDAP_LDAP_CONF = "/etc/ldap/ldap.conf" +ETC_DEBIAN_VERSION = "/etc/debian_version" +IPA_P11_KIT = "/usr/local/share/ca-certificates/ipa-ca.crt" +
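Review bot: turning parse_ipa_version into a @staticmethod changes its signature in ipaplatform/base/tasks.py only; the file list shows no other tasks module touched, so any platform subclass that still overrides it as parse_ipa_version(self, version) now has a mismatched signature, and every `self.parse_ipa_version(...)` caller should be checked against the new form. Suggest updating the overrides in the same commit and mentioning the change in the docstring.

Review bot: `MULTIARCH = sysconfig.get_config_var('MULTIARCH')` in the paths.py hunk evaluates to None on interpreters built without that variable, and a path formatted from it would silently contain the string "None"; guard it (raise or fall back) before any path uses it. Smaller points in the same hunk: `import sysconfig` belongs above the ipaplatform import, the class definition is preceded by one blank line where PEP 8 (which the v2 note says was the goal) wants two, NAMED_ROOT_KEY and NAMED_BINDKEYS_FILE both point at /etc/bind/bind.keys (confirm that is intended), and HTTPD_CONF_D_DIR carries a trailing slash unlike the other directory constants. `IPA_P11_KIT = "/usr/local/share/ca-certificates/ipa-ca.crt"` lands in the directory that update-ca-certificates scans rather than in a p11-kit trust store, so the code that writes the CA there also has to trigger the trust store rebuild for the anchor to take effect.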
[Freeipa-devel] [freeipa PR#367][synchronized] Remove nsslib from IPA
URL: https://github.com/freeipa/freeipa/pull/367 Author: stlaz Title: #367: Remove nsslib from IPA Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/367/head:pr367 git checkout pr367 From 72343881600556e394923489643029781474bd93 Mon Sep 17 00:00:00 2001 From: Stanislav LaznickaDate: Tue, 20 Dec 2016 10:05:36 +0100 Subject: [PATCH 1/7] Remove NSSConnection from the Python RPC module NSSConnection was causing a lot of trouble in the past and there is a lot of logic around it just to make it not fail. What's more, when using NSS to create an SSL connection in FIPS mode, NSS always requires database password which makes the `ipa` command totally unusable. NSSConnection is therefore replaced with Python's httplib.HTTPSConnection which is OpenSSL based. https://fedorahosted.org/freeipa/ticket/5695 --- ipalib/config.py| 3 ++ ipalib/constants.py | 1 + ipalib/rpc.py | 69 -- ipalib/util.py | 95 + 4 files changed, 113 insertions(+), 55 deletions(-) diff --git a/ipalib/config.py b/ipalib/config.py index 20591db..8ecada6 100644 --- a/ipalib/config.py +++ b/ipalib/config.py @@ -493,6 +493,9 @@ def _bootstrap(self, **overrides): if 'nss_dir' not in self: self.nss_dir = self._join('confdir', 'nssdb') +if 'ca_certfile' not in self: +self.ca_certfile = self._join('confdir', 'ca.crt') + # Set plugins_on_demand: if 'plugins_on_demand' not in self: self.plugins_on_demand = (self.context == 'cli') diff --git a/ipalib/constants.py b/ipalib/constants.py index 81643da..4f40545 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -226,6 +226,7 @@ ('conf_default', object), # File containing context independent config ('plugins_on_demand', object), # Whether to finalize plugins on-demand (bool) ('nss_dir', object), # Path to nssdb, default {confdir}/nssdb +('ca_certfile', object), # Path to CA cert file # Set in Env._finalize_core(): ('in_server', object), # Whether or not running in-server (bool) 
diff --git a/ipalib/rpc.py b/ipalib/rpc.py index 921f5cb..66cd1c3 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -44,7 +44,7 @@ import gssapi from dns import resolver, rdatatype from dns.exception import DNSException -from nss.error import NSPRError +from ssl import SSLError import six from six.moves import urllib @@ -60,8 +60,7 @@ from ipapython.cookie import Cookie from ipapython.dnsutil import DNSName from ipalib.text import _ -import ipapython.nsslib -from ipapython.nsslib import NSSConnection +from ipalib.util import IPAHTTPSConnection from ipalib.krb_utils import KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, KRB5KRB_AP_ERR_TKT_EXPIRED, \ KRB5_FCC_PERM, KRB5_FCC_NOFILE, KRB5_CC_FORMAT, \ KRB5_REALM_CANT_RESOLVE, KRB5_CC_NOTFOUND, get_principal 
@@ -470,48 +469,21 @@ def get_host_info(self, host): return (host, extra_headers, x509) + class SSLTransport(LanguageAwareTransport): """Handles an HTTPS transaction to an XML-RPC server.""" - -def get_connection_dbdir(self): -""" -If there is a connections open it may have already initialized -NSS database. Return the database location used by the connection. -""" -for value in context.__dict__.values(): -if not isinstance(value, Connection): -continue -if not isinstance( -getattr(value.conn, '_ServerProxy__transport', None), -SSLTransport): -continue -if hasattr(value.conn._ServerProxy__transport, 'dbdir'): -return value.conn._ServerProxy__transport.dbdir -return None - def make_connection(self, host): host, self._extra_headers, _x509 = self.get_host_info(host) if self._connection and host == self._connection[0]: return self._connection[1] -dbdir = context.nss_dir -connection_dbdir = self.get_connection_dbdir() +ca_certfile = context.ca_certfile -if connection_dbdir: -# If an existing connection is already using the same NSS -# database there is no need to re-initialize. -no_init = dbdir == connection_dbdir - -else: -# If the NSS database is already being used there is no -# need to re-initialize. -no_init = dbdir == ipapython.nsslib.current_dbdir - -conn = NSSConnection(host, 443, dbdir=dbdir, no_init=no_init, - tls_version_min=api.env.tls_version_min, - tls_version_max=api.env.tls_version_max) -self.dbdir=dbdir +conn = IPAHTTPSConnection( +host, 443,
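Review bot: the config.py hunk only defaults ca_certfile to {confdir}/ca.crt; nothing here checks that the file exists or is readable, and with the NSS database gone this file is the only trust anchor the client has. The connection code should refuse to proceed (rather than fall back to an unverified or system-trust connection) when it is missing, so add that check either in _finalize_core or where the TLS context is built.

Review bot: the new `('ca_certfile', object)` entry in constants.py would read better with the default spelled out the way the nss_dir line above it does, e.g. `# Path to CA cert file, default {confdir}/ca.crt`.

Review bot: the import hunk in rpc.py swaps `from nss.error import NSPRError` for `from ssl import SSLError` and drops `import ipapython.nsslib`, but does not show the except clauses or the `ipapython.nsslib.current_dbdir` reference (removed further down) being updated; grep rpc.py for remaining NSPRError handlers and nsslib attribute accesses, since any leftover would now fail with NameError or AttributeError on the error path.

Review bot: the make_connection hunk drops the tls_version_min/tls_version_max values that NSSConnection received from api.env, and the `IPAHTTPSConnection(` call is cut off in this mail before its arguments; confirm the new connection still enforces that protocol window and verifies the peer against ca_certfile with hostname checking. The hunk also removes the `self.dbdir=dbdir` assignment together with get_connection_dbdir, so any remaining reader of a transport's dbdir attribute needs to go as well.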
[Freeipa-devel] [freeipa PR#367][comment] Remove nsslib from IPA
URL: https://github.com/freeipa/freeipa/pull/367
Title: #367: Remove nsslib from IPA

stlaz commented:
"""
In the last update I added SSLv2 support in IPAHTTPSConnection for backward compatibility (https://goo.gl/images/gqh2D9). I also removed the Fedora crypto policies ciphers as we are not supporting that right now and if we did, we should do that on server as well. There would perhaps be a ticket required.

Also added a ticket to "Move RA agent certificate file export to a different location" as it fixes an issue with missing /etc/httpd/alias/kra-agent.pem as well.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-271560505
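An added example, not code from PR#367 or the FreeIPA tree, of the client-side TLS policy the replacement connection class has to carry once NSSConnection is gone: trust anchors come only from the configured ca_certfile (failing closed when it is missing), the tls_version_min/tls_version_max window is enforced on the OpenSSL context, and peers are always verified with hostname checking. The function names, the version-string spellings and the sample path are assumptions made for this example:

```python
import os
import ssl
from http.client import HTTPSConnection

# Version-string spellings are an assumption for this example. SSLv2 and
# SSLv3 are deliberately absent: a configured window can never widen past
# TLS 1.0 whatever the setting says.
TLS_VERSIONS = {
    "tls1.0": ssl.TLSVersion.TLSv1,
    "tls1.1": ssl.TLSVersion.TLSv1_1,
    "tls1.2": ssl.TLSVersion.TLSv1_2,
    "tls1.3": ssl.TLSVersion.TLSv1_3,
}


def parse_tls_version(name):
    """Map a configured version string to ssl.TLSVersion, rejecting anything
    that is not in the allow-list above."""
    try:
        return TLS_VERSIONS[name]
    except KeyError:
        raise ValueError("unsupported TLS version setting: %r" % (name,))


def harden_context(tls_version_min, tls_version_max, ctx=None):
    """Pin the protocol window and require verified, hostname-checked peers.

    With ctx=None a fresh client context with no trust anchors is used, so
    verification can only succeed after load_verify_locations() is called;
    that is still fail-closed, never fail-open."""
    lo = parse_tls_version(tls_version_min)
    hi = parse_tls_version(tls_version_max)
    if lo > hi:
        raise ValueError("tls_version_min %s exceeds tls_version_max %s"
                         % (tls_version_min, tls_version_max))
    if ctx is None:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = lo
    ctx.maximum_version = hi
    # verify_mode first: check_hostname cannot be enabled under CERT_NONE.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def make_client_context(ca_certfile, tls_version_min="tls1.2",
                        tls_version_max="tls1.3"):
    """Trust only the CA chain in ca_certfile (the PR's new env setting);
    refuse to build a context at all if the file is absent."""
    if not os.path.isfile(ca_certfile):
        raise FileNotFoundError(
            "CA certificate file %s is missing; refusing to connect "
            "without a trust anchor" % ca_certfile)
    ctx = ssl.create_default_context(cafile=ca_certfile)
    return harden_context(tls_version_min, tls_version_max, ctx)


def context_summary(ctx):
    """Report the effective settings as plain values for logging or tests."""
    names = {v: k for k, v in TLS_VERSIONS.items()}
    return {
        "min": names[ctx.minimum_version],
        "max": names[ctx.maximum_version],
        "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": ctx.check_hostname,
    }


def connect(host, ca_certfile, port=443, **tls_window):
    """Return the (not yet opened) verifying HTTPS connection an XML-RPC
    transport's make_connection would hand back instead of NSSConnection."""
    ctx = make_client_context(ca_certfile, **tls_window)
    return HTTPSConnection(host, port, context=ctx)
```

connect() never falls back to the system trust store or to an unverified socket: a missing ca_certfile raises before any socket is created, and a window that would admit a version outside the allow-list is rejected by parse_tls_version().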
[Freeipa-devel] [freeipa PR#367][synchronized] Remove nsslib from IPA
URL: https://github.com/freeipa/freeipa/pull/367 Author: stlaz Title: #367: Remove nsslib from IPA Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/367/head:pr367 git checkout pr367 From 6038830d9489cdfde4e7ac700a93c0fb2e99c7aa Mon Sep 17 00:00:00 2001 From: Stanislav LaznickaDate: Tue, 20 Dec 2016 10:05:36 +0100 Subject: [PATCH 1/7] Remove NSSConnection from the Python RPC module NSSConnection was causing a lot of trouble in the past and there is a lot of logic around it just to make it not fail. What's more, when using NSS to create an SSL connection in FIPS mode, NSS always requires database password which makes the `ipa` command totally unusable. NSSConnection is therefore replaced with Python's httplib.HTTPSConnection which is OpenSSL based. https://fedorahosted.org/freeipa/ticket/5695 --- ipalib/config.py| 3 ++ ipalib/constants.py | 1 + ipalib/rpc.py | 69 -- ipalib/util.py | 95 + 4 files changed, 113 insertions(+), 55 deletions(-) diff --git a/ipalib/config.py b/ipalib/config.py index 20591db..8ecada6 100644 --- a/ipalib/config.py +++ b/ipalib/config.py @@ -493,6 +493,9 @@ def _bootstrap(self, **overrides): if 'nss_dir' not in self: self.nss_dir = self._join('confdir', 'nssdb') +if 'ca_certfile' not in self: +self.ca_certfile = self._join('confdir', 'ca.crt') + # Set plugins_on_demand: if 'plugins_on_demand' not in self: self.plugins_on_demand = (self.context == 'cli') diff --git a/ipalib/constants.py b/ipalib/constants.py index 81643da..4f40545 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -226,6 +226,7 @@ ('conf_default', object), # File containing context independent config ('plugins_on_demand', object), # Whether to finalize plugins on-demand (bool) ('nss_dir', object), # Path to nssdb, default {confdir}/nssdb +('ca_certfile', object), # Path to CA cert file # Set in Env._finalize_core(): ('in_server', object), # Whether or not running in-server (bool) 
diff --git a/ipalib/rpc.py b/ipalib/rpc.py index 921f5cb..66cd1c3 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -44,7 +44,7 @@ import gssapi from dns import resolver, rdatatype from dns.exception import DNSException -from nss.error import NSPRError +from ssl import SSLError import six from six.moves import urllib @@ -60,8 +60,7 @@ from ipapython.cookie import Cookie from ipapython.dnsutil import DNSName from ipalib.text import _ -import ipapython.nsslib -from ipapython.nsslib import NSSConnection +from ipalib.util import IPAHTTPSConnection from ipalib.krb_utils import KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, KRB5KRB_AP_ERR_TKT_EXPIRED, \ KRB5_FCC_PERM, KRB5_FCC_NOFILE, KRB5_CC_FORMAT, \ KRB5_REALM_CANT_RESOLVE, KRB5_CC_NOTFOUND, get_principal 
@@ -470,48 +469,21 @@ def get_host_info(self, host): return (host, extra_headers, x509) + class SSLTransport(LanguageAwareTransport): """Handles an HTTPS transaction to an XML-RPC server.""" - -def get_connection_dbdir(self): -""" -If there is a connections open it may have already initialized -NSS database. Return the database location used by the connection. -""" -for value in context.__dict__.values(): -if not isinstance(value, Connection): -continue -if not isinstance( -getattr(value.conn, '_ServerProxy__transport', None), -SSLTransport): -continue -if hasattr(value.conn._ServerProxy__transport, 'dbdir'): -return value.conn._ServerProxy__transport.dbdir -return None - def make_connection(self, host): host, self._extra_headers, _x509 = self.get_host_info(host) if self._connection and host == self._connection[0]: return self._connection[1] -dbdir = context.nss_dir -connection_dbdir = self.get_connection_dbdir() +ca_certfile = context.ca_certfile -if connection_dbdir: -# If an existing connection is already using the same NSS -# database there is no need to re-initialize. -no_init = dbdir == connection_dbdir - -else: -# If the NSS database is already being used there is no -# need to re-initialize. -no_init = dbdir == ipapython.nsslib.current_dbdir - -conn = NSSConnection(host, 443, dbdir=dbdir, no_init=no_init, - tls_version_min=api.env.tls_version_min, - tls_version_max=api.env.tls_version_max) -self.dbdir=dbdir +conn = IPAHTTPSConnection( +host, 443,
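Review bot: since, per the commit message, IPAHTTPSConnection is built on httplib.HTTPSConnection, the make_connection hunk should hand it an explicit SSLContext with verify_mode=CERT_REQUIRED, check_hostname enabled and ca_certfile loaded as the only trust anchor; an HTTPSConnection left to its defaults follows the interpreter's policy (and on Python 2 before 2.7.9 performs no certificate verification at all), which would be a regression from the NSS-backed connection this hunk removes.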
[Freeipa-devel] [freeipa PR#245][comment] Allow full customisability of IPA CA subject DN
URL: https://github.com/freeipa/freeipa/pull/245
Title: #245: Allow full customisability of IPA CA subject DN

HonzaCholasta commented:
"""
* `--subject-base` and `--ca-subject` are not validated in `ipa-ca-install`.
* Please squash "{ds,ca}instance: rename 'subject' to 'ca_subject'" into "Allow full customisability of IPA CA subject DN".
* Please use the correct ticket URL in "Add sanity checks for use of --ca-subject and --subject-base".
"""

See the full comment at https://github.com/freeipa/freeipa/pull/245#issuecomment-271536923
[Freeipa-devel] [freeipa PR#381][comment] disable hostname canonicalization by Kerberos library
URL: https://github.com/freeipa/freeipa/pull/381
Title: #381: disable hostname canonicalization by Kerberos library

tiran commented:
"""
One Travis job was failing, I restarted it.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/381#issuecomment-271534967
Re: [Freeipa-devel] [DESIGN] Dogtag GSS-API Authentication
Hi Fraser,

I have some rather inane comments. I guess Jan Cholasta will do a more thorough review of your design. See below:

On 01/06/2017 09:08 AM, Fraser Tweedale wrote:
> Hi comrades,
>
> I have written up the high-level details of the FreeIPA->Dogtag GSS-API authentication design. The goal is to improve security by removing an egregious privilege separation violation: the RA Agent cert. There is a fair bit of work still to do on the Dogtag side but things are shaping up there and it's time to work out the IPA aspects.
>
> The design is at: http://www.freeipa.org/page/V4/Dogtag_GSS-API_Authentication

First of all, you link an internal document from a publicly available design page. You should prepare a publicly visible version of the Dogtag-side design and link that.

It would also be nice to have a high-level graphical representation of the proposed CSR processing workflow. I think you can re-use the one that is in the Dogtag part, omit the Dogtag internals and add the IPA-specific parts.

> Right now, I need feedback about the Domain Level aspects: whether it is the right approach, whether there are mechanisms to perform update steps (specifically: LDAP updates and/or API calls) alongside a DL bump, or if there aren't, how to deal with that (implement such a mechanism, make admins do extra steps, ???).

Is the DL bump really necessary? Are you sure we really can not just update the profile configuration and let older Dogtag installations handle it gracefully? IIRC we have done some profile inclusion work in 4.2 development and on and never really bothered about older Dogtag understanding them.

Anyway, I guess we can call `certprofile-import' to load the ExternalProcessConstraint-enabled profile upon setting domain level to 2, we just have to know where on the FS it is located.

> Of course, any other general or specific feedback is welcome.
>
> Thanks,
> Fraser

So if I understand correctly there will be no change in the CA ACL management interface and only the code which evaluates them will be factored out into the 'ipa-pki-validate-cert-request' command?

Also, wouldn't it be simpler if the CA ACL evaluation was delegated to a separate API command instead? ExternalProcessConstraint would then only ask the IPA JSON API and process the response.

--
Martin^3 Babinsky