[Freeipa-devel] [PATCH 0032] Secure permission and cleanup Custodia server.keys

Martin Basti mbasti at redhat.com
Wed Aug 3 17:18:44 UTC 2016



On 02.08.2016 20:02, Christian Heimes wrote:
> On 2016-07-19 17:03, Martin Basti wrote:
>>
>> On 12.07.2016 16:45, Christian Heimes wrote:
>>> Custodia's server.keys file contains the private RSA keys for encrypting
>>> and signing Custodia messages. The file was created with permission 644
>>> and is only secured by permission 700 of the directory
>>> /etc/ipa/custodia. The installer and upgrader ensure that the file
>>> has 600.
>>>
>>> The server.keys file and all keys are now removed during
>>> uninstallation of a server, too.
>>>
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1353936
>>> https://fedorahosted.org/freeipa/ticket/6015
>>> https://fedorahosted.org/freeipa/ticket/6056
>>>
>>>
>> NACK
>>
>> ipa-server-install --uninstall doesn't work
> I fixed it by splitting up uninstallation into two parts:
>
> 1) the server_del plugin takes care of the LDAP entries
> 2) CustodiaInstance.uninstall() removes the local key file
>

Hello,

1)
Is it expected that after removing the replica (ipa server-del 
vm-012.abc.idm.lab.eng.brq.redhat.com), I have these entries in LDAP on the 
master (vm-058-107)?

# sig/vm-012.abc.idm.lab.eng.brq.redhat.com, custodia, ipa, etc, abc.idm.lab.eng.brq.redhat.com
dn: cn=sig/vm-012.abc.idm.lab.eng.brq.redhat.com,cn=custodia,cn=ipa,cn=etc,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
objectClass: nsContainer
objectClass: ipaKeyPolicy
objectClass: ipaPublicKeyObject
objectClass: groupOfPrincipals
objectClass: top
cn: sig/vm-012.abc.idm.lab.eng.brq.redhat.com
ipaKeyUsage: digitalSignature
memberPrincipal: host/vm-012.abc.idm.lab.eng.brq.redhat.com@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
ipaPublicKey:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqV4NGWu8224ar3IdwlD
 cOpNBjcQKY0gznMuAjlikHKxnpfzmGCf/GYxfealet64ek3RE3oLmYhITqX3NkLKw51KhuwGcEw31
 hBa6YB/6uzx3tr/ruO++vk+U7Myz4eFzp7+Zryjk7ohVb3w/XhBcVbC+d9qyKGzM0OUaQgGOjy7eq
 3tiI+VugfyawvAvItCwyo56R8fO1jS1uKA+NDz5ltIymE9sySpVWfTMhCDUEjy9iEMiPixtiyVbHd
 g8A80H7W4fe7mTcqkKPD6sfYr2QwKh4pF7wU+RHfXsoXIu5gYNPgxdsHd/1p914EQ9U6RYTFsSEzk
 DR8V2H1rJ0AiVPQIDAQAB

# enc/vm-012.abc.idm.lab.eng.brq.redhat.com, custodia, ipa, etc, abc.idm.lab.eng.brq.redhat.com
dn: cn=enc/vm-012.abc.idm.lab.eng.brq.redhat.com,cn=custodia,cn=ipa,cn=etc,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
objectClass: nsContainer
objectClass: ipaKeyPolicy
objectClass: ipaPublicKeyObject
objectClass: groupOfPrincipals
objectClass: top
cn: enc/vm-012.abc.idm.lab.eng.brq.redhat.com
ipaKeyUsage: dataEncipherment
memberPrincipal: host/vm-012.abc.idm.lab.eng.brq.redhat.com@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
ipaPublicKey:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5vdu9LLl7Pa+cN+ivNO
 eOon1BOI3bbBzYAu8+l1ch8iepKJrom4O5yYT7qhz5aYgq4Pd2kuxuvcuf3OlGTizuKlqRELbVnG0
 ogWN/YAqPExS6L2hEHcyIZTiOQk19jT/ynEqayjH/OM499aE1H3vc7FD30Cy9wBQNUzYuY8pWpaWd
 Jj8nbvEKLX7JYPSx5/3Bqx+tqK5ApAGutJ6lF3+9acuG6ADVwUY3hAqXcqu4Oy463LKIhdatqMv2r
 j0FEFHJYPG2GTOIhFF8jee2Q7iidgPNdfbvKCYbnAkXtT73hxJWTckoupGHpUo+5b/wl8pI1Lxhyz
 TIp7oPmFWMG/q1QIDAQAB

I also see them on the replica (which was removed from the topology).
I did not find any errors in the http log.

2)
I tried hard, but I cannot see the relation between 
https://fedorahosted.org/freeipa/ticket/6015 and 
https://fedorahosted.org/freeipa/ticket/6056
IMO it should be separated into two patches, to make backports and 
patching easier and to make life easier in the future with git blame.

There should not be a BZ, only upstream tickets, in the commit message.

3)
IMO it should be 'Removing', not 'Remove'. I'm not a native speaker, but it 
looks more consistent with the rest of the log entries:

INFO Remove Custodia keys

4)
The same for
root_logger.info("Secure server.keys mode"); IMHO it should be 'Securing'.

5)
What is the purpose of remove_server_keys() in KEM.py? I see usage 
only in manual testing. Can it be reused in server.py? Because it looks 
like duplicated code to me, but correct me if I'm wrong.

Martin^2
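As an added illustration of the permission problem Christian describes (a 644 server.keys file protected only by the 0700 mode of /etc/ipa/custodia) and of the local-file half of the uninstall split, here is a small audit/fix helper; it is not part of this thread or of FreeIPA's code, and the scratch directory, file name and placeholder content are constructed for the demo.

```python
import os
import stat
import tempfile

KEY_FILE_MODE = 0o600  # what the installer/upgrader is expected to enforce (per the thread)

def audit_key_file(path):
    """Report whether the key file is protected by its own mode or only by its directory."""
    file_bits = stat.S_IMODE(os.stat(path).st_mode)
    dir_bits = stat.S_IMODE(os.stat(os.path.dirname(path) or ".").st_mode)
    file_ok = (file_bits & 0o077) == 0  # no group/other bits on the file
    dir_ok = (dir_bits & 0o077) == 0    # no group/other bits on the directory
    return {
        "file_mode": file_bits,
        "file_ok": file_ok,
        "dir_ok": dir_ok,
        # The case in the thread: a 644 file relying solely on a 0700 directory.
        "dir_only": dir_ok and not file_ok,
    }

def secure_key_file(path):
    """Tighten the key file to 0600 as the installer/upgrader does; True if changed."""
    if stat.S_IMODE(os.stat(path).st_mode) != KEY_FILE_MODE:
        os.chmod(path, KEY_FILE_MODE)
        return True
    return False

def remove_key_file(path):
    """Uninstall step: remove the local key file; True if it existed."""
    try:
        os.unlink(path)
        return True
    except FileNotFoundError:
        return False

def demo():
    """Recreate the 644-in-0700-directory case on a scratch copy, then fix and remove it."""
    with tempfile.TemporaryDirectory() as tmp:
        key_dir = os.path.join(tmp, "custodia")  # stand-in for /etc/ipa/custodia
        os.mkdir(key_dir, 0o700)
        keys = os.path.join(key_dir, "server.keys")
        with open(keys, "w") as f:
            f.write("{}")  # constructed placeholder content, not real keys
        os.chmod(keys, 0o644)  # the pre-patch permission
        before = audit_key_file(keys)
        changed = secure_key_file(keys)
        after = audit_key_file(keys)
        return before, changed, after, remove_key_file(keys)
```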


