[Freeipa-devel] [PATCH 0032] Secure permission and cleanup Custodia server.keys

Martin Basti mbasti at redhat.com
Tue Aug 9 11:07:14 UTC 2016



On 03.08.2016 20:21, Martin Basti wrote:
>
>
>
> On 03.08.2016 19:18, Martin Basti wrote:
>>
>>
>>
>> On 02.08.2016 20:02, Christian Heimes wrote:
>>> On 2016-07-19 17:03, Martin Basti wrote:
>>>> On 12.07.2016 16:45, Christian Heimes wrote:
>>>>> Custodia's server.keys file contains the private RSA keys for encrypting
>>>>> and signing Custodia messages. The file was created with permission 644
>>>>> and is only secured by permission 700 of the directory
>>>>> /etc/ipa/custodia. The installer and upgrader ensure that the file
>>>>> has 600.
>>>>>
>>>>> The server.keys file and all keys are now removed during
>>>>> uninstallation of a server, too.
>>>>>
>>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1353936
>>>>> https://fedorahosted.org/freeipa/ticket/6015
>>>>> https://fedorahosted.org/freeipa/ticket/6056
>>>>>
>>>>>
>>>> NACK
>>>>
>>>> ipa-server-install --uninstall doesn't work
>>> I fixed it by splitting up uninstallation into two parts:
>>>
>>> 1) the server_del plugin takes care of the LDAP entries
>>> 2) CustodiaInstance.uninstall() removes the local key file
>>>
>>
>> Hello,
>>
>> 1)
>> Is it expected that after removing replica, ipa server-del 
>> vm-012.abc.idm.lab.eng.brq.redhat.com, I have these entries in LDAP 
>> on master (vm-058-107)?
>>
>> # sig/vm-012.abc.idm.lab.eng.brq.redhat.com, custodia, ipa, etc, 
>> abc.idm.lab.en
>>  g.brq.redhat.com
>> dn: 
>> cn=sig/vm-012.abc.idm.lab.eng.brq.redhat.com,cn=custodia,cn=ipa,cn=etc,dc=
>>  abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
>> objectClass: nsContainer
>> objectClass: ipaKeyPolicy
>> objectClass: ipaPublicKeyObject
>> objectClass: groupOfPrincipals
>> objectClass: top
>> cn: sig/vm-012.abc.idm.lab.eng.brq.redhat.com
>> ipaKeyUsage: digitalSignature
>> memberPrincipal: 
>> host/vm-012.abc.idm.lab.eng.brq.redhat.com at ABC.IDM.LAB.ENG.BR
>>  Q.REDHAT.COM
>> ipaPublicKey:: 
>>
>> # enc/vm-012.abc.idm.lab.eng.brq.redhat.com, custodia, ipa, etc, 
>> abc.idm.lab.en
>>  g.brq.redhat.com
>> dn: 
>> cn=enc/vm-012.abc.idm.lab.eng.brq.redhat.com,cn=custodia,cn=ipa,cn=etc,dc=
>>  abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
>> objectClass: nsContainer
>> objectClass: ipaKeyPolicy
>> objectClass: ipaPublicKeyObject
>> objectClass: groupOfPrincipals
>> objectClass: top
>> cn: enc/vm-012.abc.idm.lab.eng.brq.redhat.com
>> ipaKeyUsage: dataEncipherment
>> memberPrincipal: 
>> host/vm-012.abc.idm.lab.eng.brq.redhat.com at ABC.IDM.LAB.ENG.BR
>>  Q.REDHAT.COM
>> ipaPublicKey:: 
>>
>> Also see them on replica as well (which was removed from topology)
>> I did not find any errors in http log
>>
>> 2)
>> I tried hard, but I cannot see the relation between 
>> https://fedorahosted.org/freeipa/ticket/6015 and 
>> https://fedorahosted.org/freeipa/ticket/6056
>> IMO it should be separated into two patches, to make easier 
>> backports, patching and make life easier in future with git blame
>>
>> There should not be a BZ, only upstream tickets in commit
>>
>> 3)
>> IMO it should be 'Removing' not 'Remove', I'm not a native speaker, but 
>> it looks more consistent with the rest of log entries
>>
>> INFO Remove Custodia keys
>>
>> 4)
>> the same for
>> root_logger.info("Secure server.keys mode"), IMHO it should be 'Securing'
>>
>> 5)
>> What is the purpose of remove_server_keys() in KEM.py? I see usage 
>> only in manual testing. Can it be reused in server.py? Because it 
>> looks like duplicated code to me, but correct me if I'm wrong.
>>
>> Martin^2
>>
>>
>>
>>
>>
>
> I received this when I tried to uninstall an already uninstalled replica 
> (calling ipa-replica-install -U --uninstall twice)
>
> 2016-08-03T17:45:13Z DEBUG Loading StateFile from 
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2016-08-03T17:45:13Z DEBUG Loading StateFile from 
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2016-08-03T17:45:13Z INFO Remove Custodia keys
> 2016-08-03T17:45:13Z DEBUG Traceback (most recent call last):
>   File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", 
> line 91, in _handle_exception
>     super(Continuous, self)._handle_exception(exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", 
> line 394, in _handle_exception
>     six.reraise(*exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", 
> line 446, in _handle_exception
>     super(ComponentBase, self)._handle_exception(exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", 
> line 394, in _handle_exception
>     six.reraise(*exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", 
> line 362, in __runner
>     step()
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", 
> line 359, in <lambda>
>     step = lambda: next(self.__gen)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", 
> line 81, in run_generator_with_yield_from
>     six.reraise(*exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", 
> line 59, in run_generator_with_yield_from
>     value = gen.send(prev_value)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", 
> line 71, in _uninstall
>     for nothing in self._uninstaller(self.parent):
>   File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", 
> line 1375, in main
>     uninstall(self)
>   File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", 
> line 266, in decorated
>     func(installer)
>   File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", 
> line 1076, in uninstall
>     custodiainstance.CustodiaInstance().uninstall()
>   File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", 
> line 88, in uninstall
>     self.__remove_keys()
>   File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", 
> line 72, in __remove_keys
>     keystore = IPAKEMKeys({'server_keys': self.server_keys})
>   File "/usr/lib/python2.7/site-packages/ipapython/secrets/kem.py", 
> line 193, in __init__
>     self.host = conf.get('global', 'host')
>   File "/usr/lib64/python2.7/ConfigParser.py", line 607, in get
>     raise NoSectionError(section)
> NoSectionError: No section: 'global'
>
>
>

Please unfollow this thread, separate patches were sent in new threads.
Martin^2
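
The two behaviours discussed in this thread, shown as an added example that is not part of the FreeIPA patch or code base: a private key file that is 0600 from creation (rather than 0644 protected only by a 0700 directory), an upgrade-style fix for an existing file, and a removal step that tolerates a second uninstall. All function names and the temporary paths are hypothetical.

```python
import os
import stat
import tempfile

KEY_MODE = 0o600  # owner read/write only, the mode named in the patch description

def create_key_file(path, data):
    """Create the file with 0600 from the start, so it is never world-readable."""
    # O_EXCL refuses to reuse an existing file or follow a symlink at `path`.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, KEY_MODE)
    try:
        os.fchmod(fd, KEY_MODE)  # set the mode explicitly, independent of umask
        os.write(fd, data)
    finally:
        os.close(fd)

def secure_key_file(path):
    """Upgrade-style fix: tighten an existing file. Returns True if it changed."""
    if stat.S_IMODE(os.stat(path).st_mode) == KEY_MODE:
        return False
    os.chmod(path, KEY_MODE)
    return True

def remove_key_file(path):
    """Idempotent removal: a second uninstall finds nothing and does not fail."""
    try:
        os.unlink(path)
    except FileNotFoundError:
        return False
    return True

def demo():
    # Constructed scenario: a 0644 key file inside a 0700 temporary directory.
    with tempfile.TemporaryDirectory() as d:
        legacy = os.path.join(d, "server.keys")
        with open(legacy, "wb") as f:
            f.write(b"constructed placeholder, not a real key")
        os.chmod(legacy, 0o644)  # the mode described in the thread
        changed = secure_key_file(legacy)
        after = stat.S_IMODE(os.stat(legacy).st_mode)
        fresh = os.path.join(d, "fresh.keys")
        create_key_file(fresh, b"constructed placeholder")
        fresh_mode = stat.S_IMODE(os.stat(fresh).st_mode)
        removed = (remove_key_file(legacy), remove_key_file(legacy))
        return changed, after, fresh_mode, removed

if __name__ == "__main__":
    print(demo())
```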