Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1524566
Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.
If a RHEL/CentOS machine is rebooted with fips=1 on the command line, then sss_obfuscate does not work:
sss_obfuscate -d win.trust.test
Enter password:
Re-enter password:
(Thu Jan 11 10:27:25:883459 2018) [sssd] [generate_random_key] (0x0020): Failure to extract key value (err -8192)
(Thu Jan 11 10:27:25:883498 2018) [sssd] [nss_ctx_init] (0x0020): Could not generate encryption key
(Thu Jan 11 10:27:25:883508 2018) [sssd] [sss_password_encrypt] (0x0020): Cannot initialize NSS context
Traceback (most recent call last):
  File "/usr/sbin/sss_obfuscate", line 122, in <module>
    ret = main()
  File "/usr/sbin/sss_obfuscate", line 82, in main
    obfpwd = obfobj.encrypt(password, obfobj.AES_256)
IOError: [Errno 5] Input/output error
Metadata Update from @jhrozek: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1524566
Hi.
To meet government RMF requirements, we need to get this fixed. Is it possible to send us a patch to fix this issue? We would rather not have to wait until the next RHEL 7 release.
Thanks, Bruce
@bkogami, patch is not ready.
I do not know a lot about "RMF requirements". But is there a reason why you need to use an obfuscated password? The difference between plaintext and obfuscated is minimal, and /etc/sssd/sssd.conf must have permission 0600.
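An added audit script (not SSSD's own code, and not posted in this thread) that checks the two points made above on a constructed sssd.conf: the file must be mode 0600, and any stored LDAP bind credential, whether plaintext or sss_obfuscate output, is reported as a credential at rest. The option names ldap_default_authtok and ldap_default_authtok_type are real sssd.conf keys; the domain, bind DN and token value are placeholders.

```python
"""Audit sssd.conf for the points raised in this thread.

Added example, not SSSD's own code. The config text is constructed and the
authtok value is a placeholder, not real sss_obfuscate output.
"""
import configparser
import stat

SAMPLE_CONF = """\
[sssd]
domains = win.trust.test

[domain/win.trust.test]
id_provider = ldap
ldap_uri = ldap://ldap.win.trust.test
ldap_default_bind_dn = cn=sssd,dc=win,dc=trust,dc=test
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = CONSTRUCTED_PLACEHOLDER_TOKEN
"""


def find_stored_credentials(conf_text):
    """Return [(section, authtok_type)] for each domain that stores a bind credential."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    found = []
    for section in cp.sections():
        if section.startswith("domain/") and cp.has_option(section, "ldap_default_authtok"):
            # When the type option is absent, sssd treats the token as a plaintext password.
            found.append((section, cp.get(section, "ldap_default_authtok_type",
                                          fallback="password")))
    return found


def mode_is_private(st_mode):
    """True when no group/other permission bits are set (0600 or stricter)."""
    return stat.S_IMODE(st_mode) & 0o077 == 0


def audit(conf_text, st_mode):
    """Combine both checks into a list of findings; an empty list means nothing to report."""
    findings = []
    if not mode_is_private(st_mode):
        findings.append("sssd.conf is readable by group/other; it must be mode 0600")
    for section, tok_type in find_stored_credentials(conf_text):
        kind = ("obfuscated bind password (reversible; treat as plaintext)"
                if tok_type == "obfuscated_password" else "plaintext bind password")
        findings.append(f"{section}: stores {kind}; prefer GSSAPI or client certificates")
    return findings
```

On a real host, call `audit(open("/etc/sssd/sssd.conf").read(), os.stat("/etc/sssd/sssd.conf").st_mode)` as root.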
Hi Lukas,
Thanks for your response. As government contractors, we are required by DoD to follow certain security rules. Having plain text passwords in files (even with 600) is a security violation and could possibly jeopardize the work that we do and future contracts. Here's the description of the rule:
Vulnerability Discussion: Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.
So, without this fix, we would not be able to implement LDAP with FIPS enabled.
Bruce
On Jan 25, 2018 9:06 AM, "Lukas Slebodnik" pagure@pagure.io wrote:
lslebodn added a new comment to an issue you are following: @bkogami, patch is not ready.
I do not know a lot about "RMF requirements". But is there a reason why you need to use obfuscated password? The difference between plaintext and obfuscated is minimal and /etc/sssd/sssd.conf must have permission 0600.
To reply, visit the link below or just reply to this email https://pagure.io/SSSD/sssd/issue/3614
Metadata Update from @jhrozek: - Issue set to the milestone: SSSD 1.16.2
Metadata Update from @jhrozek: - Issue assigned to jhrozek
Metadata Update from @jhrozek: - Issue priority set to: major
Metadata Update from @jhrozek: - Issue set to the milestone: SSSD 1.16.3 (was: SSSD 1.16.2)
Since we are near the 1.16.2 release and this ticket has no PR yet, it will slip into 1.16.3.
Metadata Update from @jhrozek: - Issue set to the milestone: SSSD 1.16.4 (was: SSSD 1.16.3)
This can still be backported to 1.16, but I'm moving all tickets into the 2.x milestones in general.
Metadata Update from @jhrozek: - Issue set to the milestone: SSSD 2.2 (was: SSSD 1.16.4)
I know this comment is very old, but for the sake of history:
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.
"Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text." -- that's exactly the case with sss_obfuscate. If one wants a really secure solution, it is better to follow the advice from the man page: "Using better authentication mechanisms such as client side certificates or GSSAPI is strongly advised."
We're not going to fix this upstream.
In upstream we prefer OpenSSL for crypto these days. RHEL-7 is the only distribution that still uses NSS and reworking the obfuscation code to be FIPS-compliant would be too much work for too little gain.
The bug should be fixed in RHEL-7 only with a RHEL-7 specific patch.
Metadata Update from @jhrozek: - Issue close_status updated to: wontfix - Issue status updated to: Closed (was: Open)
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: https://github.com/SSSD/sssd/issues/4635
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.