[Freeipa-devel] [PATCH 0032] Secure permission and cleanup Custodia server.keys
Martin Basti
mbasti at redhat.com
Wed Aug 3 17:18:44 UTC 2016
On 02.08.2016 20:02, Christian Heimes wrote:
> On 2016-07-19 17:03, Martin Basti wrote:
>>
>> On 12.07.2016 16:45, Christian Heimes wrote:
>>> Custodia's server.keys file contains the private RSA keys for encrypting
>>> and signing Custodia messages. The file was created with permission 644
>>> and is only secured by permission 700 of the directory
>>> /etc/ipa/custodia. The installer and upgrader ensure that the file
>>> has 600.
>>>
>>> The server.keys file and all keys are now removed during
>>> uninstallation of a server, too.
>>>
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1353936
>>> https://fedorahosted.org/freeipa/ticket/6015
>>> https://fedorahosted.org/freeipa/ticket/6056
>>>
>>>
>> NACK
>>
>> ipa-server-install --uninstall doesn't work
> I fixed it by splitting up uninstallation into two parts:
>
> 1) the server_del plugin takes care of the LDAP entries
> 2) CustodiaInstance.uninstall() removes the local key file
>
Hello,
1)
Is it expected that, after removing a replica with ipa server-del
vm-012.abc.idm.lab.eng.brq.redhat.com, I have these entries in LDAP on the
master (vm-058-107)?
# sig/vm-012.abc.idm.lab.eng.brq.redhat.com, custodia, ipa, etc, abc.idm.lab.eng.brq.redhat.com
dn: cn=sig/vm-012.abc.idm.lab.eng.brq.redhat.com,cn=custodia,cn=ipa,cn=etc,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
objectClass: nsContainer
objectClass: ipaKeyPolicy
objectClass: ipaPublicKeyObject
objectClass: groupOfPrincipals
objectClass: top
cn: sig/vm-012.abc.idm.lab.eng.brq.redhat.com
ipaKeyUsage: digitalSignature
memberPrincipal: host/vm-012.abc.idm.lab.eng.brq.redhat.com@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
ipaPublicKey:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqV4NGWu8224ar3IdwlDcOpNBjcQKY0gznMuAjlikHKxnpfzmGCf/GYxfealet64ek3RE3oLmYhITqX3NkLKw51KhuwGcEw31hBa6YB/6uzx3tr/ruO++vk+U7Myz4eFzp7+Zryjk7ohVb3w/XhBcVbC+d9qyKGzM0OUaQgGOjy7eq3tiI+VugfyawvAvItCwyo56R8fO1jS1uKA+NDz5ltIymE9sySpVWfTMhCDUEjy9iEMiPixtiyVbHdg8A80H7W4fe7mTcqkKPD6sfYr2QwKh4pF7wU+RHfXsoXIu5gYNPgxdsHd/1p914EQ9U6RYTFsSEzkDR8V2H1rJ0AiVPQIDAQAB

# enc/vm-012.abc.idm.lab.eng.brq.redhat.com, custodia, ipa, etc, abc.idm.lab.eng.brq.redhat.com
dn: cn=enc/vm-012.abc.idm.lab.eng.brq.redhat.com,cn=custodia,cn=ipa,cn=etc,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
objectClass: nsContainer
objectClass: ipaKeyPolicy
objectClass: ipaPublicKeyObject
objectClass: groupOfPrincipals
objectClass: top
cn: enc/vm-012.abc.idm.lab.eng.brq.redhat.com
ipaKeyUsage: dataEncipherment
memberPrincipal: host/vm-012.abc.idm.lab.eng.brq.redhat.com@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
ipaPublicKey:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5vdu9LLl7Pa+cN+ivNOeOon1BOI3bbBzYAu8+l1ch8iepKJrom4O5yYT7qhz5aYgq4Pd2kuxuvcuf3OlGTizuKlqRELbVnG0ogWN/YAqPExS6L2hEHcyIZTiOQk19jT/ynEqayjH/OM499aE1H3vc7FD30Cy9wBQNUzYuY8pWpaWdJj8nbvEKLX7JYPSx5/3Bqx+tqK5ApAGutJ6lF3+9acuG6ADVwUY3hAqXcqu4Oy463LKIhdatqMv2rj0FEFHJYPG2GTOIhFF8jee2Q7iidgPNdfbvKCYbnAkXtT73hxJWTckoupGHpUo+5b/wl8pI1LxhyzTIp7oPmFWMG/q1QIDAQAB
I also see them on the replica (which was removed from the topology).
I did not find any errors in the http log.
2)
I tried hard, but I cannot see the relation between
https://fedorahosted.org/freeipa/ticket/6015 and
https://fedorahosted.org/freeipa/ticket/6056
IMO it should be separated into two patches, to make backports and
patching easier and to make life easier with git blame in the future.
There should not be a BZ in the commit, only upstream tickets.
3)
IMO it should be 'Removing', not 'Remove'. I'm not a native speaker, but it
looks more consistent with the rest of the log entries:
INFO Remove Custodia keys
4)
The same for
root_logger.info("Secure server.keys mode"); IMHO it should be 'Securing'.
5)
What is the purpose of remove_server_keys() in KEM.py? I see it used
only in manual testing. Can it be reused in server.py? It looks
like duplicated code to me, but correct me if I'm wrong.
Martin^2
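The two checks this thread turns on, as an added example that is not FreeIPA's or Custodia's own code: tightening a server.keys file from the 644 the bug report describes to owner-only 600 (refusing to chmod through a symlink, since chmod follows links), removing it on uninstall in a way that can be re-run, and scanning an ldapsearch LDIF dump for the cn=sig/<fqdn> and cn=enc/<fqdn> Custodia key entries that should be gone after ipa server-del. The LDIF sample, the hostnames replica1.example.test and master.example.test, the placeholder key bytes and the temporary file path are constructed for this example and are not from the thread.

```python
import base64
import os
import stat
import tempfile


def secure_key_file(path, mode=0o600):
    """Ensure a private key file is readable by its owner only.

    A 0644 server.keys is protected only by the 0700 directory around it, so
    the file itself is brought to 0600.  lstat is used and symlinks are
    refused: os.chmod follows links, so a planted link would redirect the
    mode change to another file.  Returns the permission bits afterwards.
    """
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        raise RuntimeError(f"{path} is a symlink, refusing to chmod through it")
    if not stat.S_ISREG(st.st_mode):
        raise RuntimeError(f"{path} is not a regular file")
    if stat.S_IMODE(st.st_mode) != mode:
        os.chmod(path, mode)
    return stat.S_IMODE(os.lstat(path).st_mode)


def remove_key_file(path):
    """Delete the key file on uninstall.  Returns True if a file was removed,
    False if there was nothing to remove, so a repeated uninstall is harmless."""
    try:
        os.unlink(path)
    except FileNotFoundError:
        return False
    return True


def key_file_lifecycle_demo():
    """Create a world-readable stand-in for server.keys in a temporary directory
    (not /etc/ipa/custodia), secure it, then remove it twice.
    Returns (mode_before, mode_after, first_removal, second_removal)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "server.keys")
        with open(path, "w") as fh:
            fh.write('{"constructed": "placeholder, not a real JWK set"}\n')
        os.chmod(path, 0o644)  # the permission the bug report describes
        before = stat.S_IMODE(os.lstat(path).st_mode)
        after = secure_key_file(path)
        first = remove_key_file(path)
        second = remove_key_file(path)
    return before, after, first, second


def parse_ldif(text):
    """Minimal parser for ldapsearch-style LDIF: unfolds continuation lines
    (leading space), skips '#' comments, decodes 'attr:: base64' values to
    bytes and keeps 'attr: value' as str.  Attribute names are lower-cased;
    each entry is a dict of attribute -> list of values ('dn' included)."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip())
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def stale_custodia_keys(entries, fqdn):
    """DNs of Custodia key entries (cn=sig/<fqdn>, cn=enc/<fqdn>) that still
    exist for a server.  After 'ipa server-del <fqdn>' this should be empty."""
    wanted = {f"sig/{fqdn}", f"enc/{fqdn}"}
    return [e["dn"][0] for e in entries
            if any(cn in wanted for cn in e.get("cn", []))]


# Constructed placeholder, not a real RSA public key.
_FAKE_KEY = base64.b64encode(b"constructed placeholder, not a real RSA key").decode()

# Constructed dump shaped like the entries quoted in the mail: a removed
# replica that still has both key entries, and a surviving master.
SAMPLE_LDIF = f"""\
# sig/replica1.example.test, custodia, ipa, etc, example.test
dn: cn=sig/replica1.example.test,cn=custodia,cn=ipa,cn=etc,dc=example,dc=test
objectClass: ipaPublicKeyObject
cn: sig/replica1.example.test
ipaKeyUsage: digitalSignature
memberPrincipal: host/replica1.example.test@EXAMPLE.TEST
ipaPublicKey:: {_FAKE_KEY[:24]}
 {_FAKE_KEY[24:]}

dn: cn=enc/replica1.example.test,cn=custodia,cn=ipa,cn=etc,dc=example,dc=test
objectClass: ipaPublicKeyObject
cn: enc/replica1.example.test
ipaKeyUsage: dataEncipherment
memberPrincipal: host/replica1.example.test@EXAMPLE.TEST
ipaPublicKey:: {_FAKE_KEY}

dn: cn=sig/master.example.test,cn=custodia,cn=ipa,cn=etc,dc=example,dc=test
objectClass: ipaPublicKeyObject
cn: sig/master.example.test
ipaKeyUsage: digitalSignature
ipaPublicKey:: {_FAKE_KEY}
"""


if __name__ == "__main__":
    print("key file lifecycle (before, after, removed, removed again):",
          key_file_lifecycle_demo())
    print("stale Custodia key entries for replica1.example.test:",
          stale_custodia_keys(parse_ldif(SAMPLE_LDIF), "replica1.example.test"))
```

Against a real deployment the LDIF would come from ldapsearch -LLL under cn=custodia,cn=ipa,cn=etc,<basedn>; a non-empty result from stale_custodia_keys for a host that has been server-del'ed is exactly the leftover that the question above is about.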