[Freeipa-devel] [PATCH 0032] Secure permission and cleanup Custodia server.keys

Martin Basti mbasti at redhat.com
Wed Aug 3 18:21:58 UTC 2016



On 03.08.2016 19:18, Martin Basti wrote:
>
>
>
> On 02.08.2016 20:02, Christian Heimes wrote:
>> On 2016-07-19 17:03, Martin Basti wrote:
>>> On 12.07.2016 16:45, Christian Heimes wrote:
>>>> Custodia's server.keys file contains the private RSA keys for encrypting
>>>> and signing Custodia messages. The file was created with permission 644
>>>> and is only secured by permission 700 of the directory
>>>> /etc/ipa/custodia. The installer and upgrader ensure that the file
>>>> has 600.
>>>>
>>>> The server.keys file and all keys are now removed during
>>>> uninstallation of a server, too.
>>>>
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1353936
>>>> https://fedorahosted.org/freeipa/ticket/6015
>>>> https://fedorahosted.org/freeipa/ticket/6056
>>>>
>>>>
>>> NACK
>>>
>>> ipa-server-install --uninstall doesn't work
>> I fixed it by splitting up uninstallation into two parts:
>>
>> 1) the server_del plugin takes care of the LDAP entries
>> 2) CustodiaInstance.uninstall() removes the local key file
>>
>
> Hello,
>
> 1)
> Is it expected that after removing the replica, ipa server-del 
> vm-012.abc.idm.lab.eng.brq.redhat.com, I have these entries in LDAP on 
> master (vm-058-107)?
>
> # sig/vm-012.abc.idm.lab.eng.brq.redhat.com, custodia, ipa, etc, abc.idm.lab.eng.brq.redhat.com
> dn: cn=sig/vm-012.abc.idm.lab.eng.brq.redhat.com,cn=custodia,cn=ipa,cn=etc,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
> objectClass: nsContainer
> objectClass: ipaKeyPolicy
> objectClass: ipaPublicKeyObject
> objectClass: groupOfPrincipals
> objectClass: top
> cn: sig/vm-012.abc.idm.lab.eng.brq.redhat.com
> ipaKeyUsage: digitalSignature
> memberPrincipal: host/vm-012.abc.idm.lab.eng.brq.redhat.com@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
> ipaPublicKey:: 
>
> # enc/vm-012.abc.idm.lab.eng.brq.redhat.com, custodia, ipa, etc, abc.idm.lab.eng.brq.redhat.com
> dn: cn=enc/vm-012.abc.idm.lab.eng.brq.redhat.com,cn=custodia,cn=ipa,cn=etc,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
> objectClass: nsContainer
> objectClass: ipaKeyPolicy
> objectClass: ipaPublicKeyObject
> objectClass: groupOfPrincipals
> objectClass: top
> cn: enc/vm-012.abc.idm.lab.eng.brq.redhat.com
> ipaKeyUsage: dataEncipherment
> memberPrincipal: host/vm-012.abc.idm.lab.eng.brq.redhat.com@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
> ipaPublicKey:: 
>
> I also see them on the replica (which was removed from the topology).
> I did not find any errors in the http log.
>
> 2)
> I tried hard, but I cannot see the relation between 
> https://fedorahosted.org/freeipa/ticket/6015 and 
> https://fedorahosted.org/freeipa/ticket/6056
> IMO it should be separated into two patches, to make backports and 
> patching easier, and to make life easier in the future with git blame.
>
> There should not be a BZ, only upstream tickets in the commit.
>
> 3)
> IMO it should be 'Removing' not 'Remove'. I'm not a native speaker, but 
> it looks more consistent with the rest of the log entries.
>
> INFO Remove Custodia keys
>
> 4)
> the same for
> root_logger.info("Secure server.keys mode"), IMHO it should be 'Securing'
>
> 5)
> What is the purpose of remove_server_keys() in KEM.py? I see usage 
> only in manual testing. Can it be reused in server.py? Because it 
> looks like duplicated code to me, but correct me if I'm wrong.
>
> Martin^2
>
>
>
>
>

I received this when I tried to uninstall an already uninstalled replica 
(calling ipa-replica-install -U --uninstall twice):

2016-08-03T17:45:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2016-08-03T17:45:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2016-08-03T17:45:13Z INFO Remove Custodia keys
2016-08-03T17:45:13Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 91, in _handle_exception
    super(Continuous, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 446, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 71, in _uninstall
    for nothing in self._uninstaller(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 1375, in main
    uninstall(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 266, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 1076, in uninstall
    custodiainstance.CustodiaInstance().uninstall()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 88, in uninstall
    self.__remove_keys()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 72, in __remove_keys
    keystore = IPAKEMKeys({'server_keys': self.server_keys})
  File "/usr/lib/python2.7/site-packages/ipapython/secrets/kem.py", line 193, in __init__
    self.host = conf.get('global', 'host')
  File "/usr/lib64/python2.7/ConfigParser.py", line 607, in get
    raise NoSectionError(section)
NoSectionError: No section: 'global'
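
The file-level handling this thread discusses, as an added example that is not FreeIPA's code and not part of the original message: create a key file with mode 600 from the start, tighten an existing 644 file the way the upgrader is described as doing, and remove the file so that a second run is harmless. The function names, the temporary path and the placeholder content are assumptions made for the illustration.

```python
import os
import stat
import tempfile

KEY_MODE = 0o600  # owner read/write only, the mode the thread says installer and upgrader enforce

def write_private_file(path, data):
    """Create the file already restricted, so it never exists as 644."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, KEY_MODE)
    with os.fdopen(fd, "wb") as f:
        os.fchmod(f.fileno(), KEY_MODE)  # also tightens a file that already existed
        f.write(data)

def secure_mode(path):
    """Upgrade-style check: return the old mode if it had to be changed, else None."""
    try:
        current = stat.S_IMODE(os.stat(path).st_mode)
    except FileNotFoundError:
        return None  # nothing to secure
    if current == KEY_MODE:
        return None
    os.chmod(path, KEY_MODE)
    return current

def remove_key_file(path):
    """Idempotent removal: True if a file was removed, False if it was already gone."""
    try:
        os.unlink(path)
        return True
    except FileNotFoundError:
        return False

def demo():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "server.keys")  # constructed path, not /etc/ipa/custodia
        with open(path, "wb") as f:
            f.write(b"constructed placeholder, not a real key")
        os.chmod(path, 0o644)  # reproduce the weak mode described in the thread
        changed_from = secure_mode(path)   # tightens 644 to 600
        second_pass = secure_mode(path)    # already 600, nothing to do
        write_private_file(path, b"constructed placeholder, not a real key")
        mode_after_write = stat.S_IMODE(os.stat(path).st_mode)
        return (changed_from, second_pass, mode_after_write,
                remove_key_file(path), remove_key_file(path))

if __name__ == "__main__":
    print(demo())
```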
