[Freeipa-devel] [PATCH 0032] Secure permission and cleanup Custodia server.keys
Martin Basti
mbasti at redhat.com
Wed Aug 3 18:21:58 UTC 2016
On 03.08.2016 19:18, Martin Basti wrote:
>
>
>
> On 02.08.2016 20:02, Christian Heimes wrote:
>> On 2016-07-19 17:03, Martin Basti wrote:
>>> On 12.07.2016 16:45, Christian Heimes wrote:
>>>> Custodia's server.keys file contain the private RSA keys for encrypting
>>>> and signing Custodia messages. The file was created with permission 644
>>>> and is only secured by permission 700 of the directory
>>>> /etc/ipa/custodia. The installer and upgrader ensure that the file
>>>> has 600.
>>>>
>>>> The server.keys file and all keys are now removed when during
>>>> uninstallation of a server, too.
>>>>
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1353936
>>>> https://fedorahosted.org/freeipa/ticket/6015
>>>> https://fedorahosted.org/freeipa/ticket/6056
>>>>
>>>>
>>> NACK
>>>
>>> ipa-server-install --uninstall doesn't work
>> I fixed it by splitting up uninstallation into two parts:
>>
>> 1) the server_del plugin takes care of the LDAP entries
>> 2) CustodiaInstance.uninstall() removes the local key file
>>
>
> Hello,
>
> 1)
> Is expected that after removing replica, ipa server-del
> vm-012.abc.idm.lab.eng.brq.redhat.com, I have these entries in LDAP on
> master (vm-058-107)?
>
> # sig/vm-012.abc.idm.lab.eng.brq.redhat.com, custodia, ipa, etc,
> abc.idm.lab.en
> g.brq.redhat.com
> dn:
> cn=sig/vm-012.abc.idm.lab.eng.brq.redhat.com,cn=custodia,cn=ipa,cn=etc,dc=
> abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
> objectClass: nsContainer
> objectClass: ipaKeyPolicy
> objectClass: ipaPublicKeyObject
> objectClass: groupOfPrincipals
> objectClass: top
> cn: sig/vm-012.abc.idm.lab.eng.brq.redhat.com
> ipaKeyUsage: digitalSignature
> memberPrincipal:
> host/vm-012.abc.idm.lab.eng.brq.redhat.com at ABC.IDM.LAB.ENG.BR
> Q.REDHAT.COM
> ipaPublicKey::
> MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqV4NGWu8224ar3IdwlD
> cOpNBjcQKY0gznMuAjlikHKxnpfzmGCf/GYxfealet64ek3RE3oLmYhITqX3NkLKw51KhuwGcEw31
> hBa6YB/6uzx3tr/ruO++vk+U7Myz4eFzp7+Zryjk7ohVb3w/XhBcVbC+d9qyKGzM0OUaQgGOjy7eq
> 3tiI+VugfyawvAvItCwyo56R8fO1jS1uKA+NDz5ltIymE9sySpVWfTMhCDUEjy9iEMiPixtiyVbHd
> g8A80H7W4fe7mTcqkKPD6sfYr2QwKh4pF7wU+RHfXsoXIu5gYNPgxdsHd/1p914EQ9U6RYTFsSEzk
> DR8V2H1rJ0AiVPQIDAQAB
>
> # enc/vm-012.abc.idm.lab.eng.brq.redhat.com, custodia, ipa, etc,
> abc.idm.lab.en
> g.brq.redhat.com
> dn:
> cn=enc/vm-012.abc.idm.lab.eng.brq.redhat.com,cn=custodia,cn=ipa,cn=etc,dc=
> abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
> objectClass: nsContainer
> objectClass: ipaKeyPolicy
> objectClass: ipaPublicKeyObject
> objectClass: groupOfPrincipals
> objectClass: top
> cn: enc/vm-012.abc.idm.lab.eng.brq.redhat.com
> ipaKeyUsage: dataEncipherment
> memberPrincipal:
> host/vm-012.abc.idm.lab.eng.brq.redhat.com at ABC.IDM.LAB.ENG.BR
> Q.REDHAT.COM
> ipaPublicKey::
> MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5vdu9LLl7Pa+cN+ivNO
> eOon1BOI3bbBzYAu8+l1ch8iepKJrom4O5yYT7qhz5aYgq4Pd2kuxuvcuf3OlGTizuKlqRELbVnG0
> ogWN/YAqPExS6L2hEHcyIZTiOQk19jT/ynEqayjH/OM499aE1H3vc7FD30Cy9wBQNUzYuY8pWpaWd
> Jj8nbvEKLX7JYPSx5/3Bqx+tqK5ApAGutJ6lF3+9acuG6ADVwUY3hAqXcqu4Oy463LKIhdatqMv2r
> j0FEFHJYPG2GTOIhFF8jee2Q7iidgPNdfbvKCYbnAkXtT73hxJWTckoupGHpUo+5b/wl8pI1Lxhyz
> TIp7oPmFWMG/q1QIDAQAB
>
> Also see them on replica as well (which was removed from topology)
> I did not find any errors in http log
>
> 2)
> I tried hard, but I cannot see relation between
> https://fedorahosted.org/freeipa/ticket/6015 and
> https://fedorahosted.org/freeipa/ticket/6056
> IMO it should be separated into two patches, to make easier backports,
> patching and make life easier in future with git blame
>
> There should not be a BZ, only upstream tickets in commit
>
> 3)
> IMO ti should be 'Removing' not 'Remove', I'm not native speaker, but
> it looks more consistent with the rest of log entries
>
> INFO Remove Custodia keys
>
> 4)
> the same for
> root_logger.info("Secure server.keys mode"), IMHO it should be 'Securing'
>
> 5)
> What is the purpose of remove_server_keys() in KEM.py . I see usage
> only in manual testing. Can it be reused in server.py ? Because it
> looks like duplicated code for me, but correct me if I'm wrong.
>
> Martin^2
>
>
>
>
>
I received this when I tried to uninstall already uninstalled replica
(calling ipa-replica-install -U --uninstall twice)
2016-08-03T17:45:13Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2016-08-03T17:45:13Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2016-08-03T17:45:13Z INFO Remove Custodia keys
2016-08-03T17:45:13Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipapython/install/common.py",
line 91, in _handle_exception
super(Continuous, self)._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 394, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 446, in _handle_exception
super(ComponentBase, self)._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 394, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 362, in __runner
step()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 359, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python2.7/site-packages/ipapython/install/common.py",
line 71, in _uninstall
for nothing in self._uninstaller(self.parent):
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py",
line 1375, in main
uninstall(self)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py",
line 266, in decorated
func(installer)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py",
line 1076, in uninstall
custodiainstance.CustodiaInstance().uninstall()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py",
line 88, in uninstall
self.__remove_keys()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py",
line 72, in __remove_keys
keystore = IPAKEMKeys({'server_keys': self.server_keys})
File "/usr/lib/python2.7/site-packages/ipapython/secrets/kem.py",
line 193, in __init__
self.host = conf.get('global', 'host')
File "/usr/lib64/python2.7/ConfigParser.py", line 607, in get
raise NoSectionError(section)
NoSectionError: No section: 'global'
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20160803/125f6516/attachment.htm>
More information about the Freeipa-devel
mailing list