It appears a fix was generated to remove possible interpreted characters in random OTP generation for host-add function:
https://pagure.io/freeipa/c/8ce7330c5330e45c59c70d984a7fed526e85c58c
I am getting unwanted characters in random OTP from time to time, specifically "&", which causes freeipa realm proxy builds to fail in Foreman. It looks like the fix above was removed around the 4.4.0 timeframe.
I am getting unwanted characters in the randomly generated password occasionally, which breaks builds in Foreman.
Expect not to see excluded characters, which was the behavior after 3.0.0 and before 4.4.0 (ish).
ipa-server-4.5.0-22.el7.centos.x86_64
ipa-client-4.5.0-22.el7.centos.x86_64
389-ds-base-1.3.6.1-24.el7_4.x86_64
pki-ca-10.4.1-17.el7_4.noarch
krb5-server-1.15.1-8.el7.x86_64
I have checked for possible ways to limit random OTP characters via the API and I can't seem to locate any way to do it. That doesn't mean there isn't though.
Log file locations: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/config-files-logs.html
Troubleshooting guide: https://www.freeipa.org/page/Troubleshooting
Actually it was the 4.5.0 release where I think the regression occurred, not 4.4.0.
I was able to edit /usr/lib/python2.7/site-packages/ipaserver/plugins/host.py with the following on line 686:
```python
686             entropy_bits=TMP_PWD_ENTROPY_BITS, special=None)
```
This fixes the issue for me, but it doesn't add any special characters at all to the random password.
Could also just edit /usr/lib/python2.7/site-packages/ipapython/ipautil.py and limit the type of special characters, it seems, on line 834:
```python
828         Example:
829             TokenGenerator(uppercase=3, lowercase=3, digits=0, special=None)
830
831             At least 3 upper and 3 lower case ASCII chars, may contain digits,
832             no special chars.
833         """
834         special_chars = '!$%&()*+,-./:;<>?@[]^_{|}~'
835         pwd_charsets = {
836             'uppercase': {
837                 'chars': string.ascii_uppercase,
838                 'entropy': math.log(len(string.ascii_uppercase), 2)
839             },
840             'lowercase': {
```
We are using Foreman with EC2 and the freeipa realm proxy
Here is a reference to the community template for freeipa client installation:
https://github.com/theforeman/community-templates/blob/develop/provisioning_templates/snippet/freeipa_register.erb
The issue for us is that we are using AWS EC2 instances and there is an open bug with Foreman on that:
http://projects.theforeman.org/issues/17292
To get around that, I have the following in the ipa-client-install section of that snippet:
```bash
# One-time password will be requested at install time. Otherwise, $HOST[OTP] is used as a placeholder value.
#/usr/sbin/ipa-client-install -w '<%= @host.otp || "$HOST[OTP]" %>' --realm=<%= @host.realm %> -U $freeipa_mkhomedir $freeipa_opts $freeipa_server $freeipa_ssh
IPAOTP="<%= @host.otp %>"  # this line isn't detemplated correctly unless we get it from curl
curl <%= foreman_url("user_data")%> | grep ^IPAOTP > /var/log/otp.log
. /var/log/otp.log
# snip
/usr/sbin/ipa-client-install -w ${IPAOTP} $freeipa_mkhomedir $freeipa_opts --no-dns-sshfp --enable-dns-updates -f -U
```
The random OTP needs to be quoted in two places here, the IPAOTP variable declaration and the ipa-client-install invocation. I have added quotes to the latter and I have tested several builds until I saw a "&" character in the /var/log/otp.log. It seems that fixed the issue.
Metadata Update from @johnclarson:
- Issue close_status updated to: worksforme
- Issue status updated to: Closed (was: Open)
Re-opening. Requiring integrators to quote the password is a way to work around this but it is a change of behavior in IPA. I'd like to see some further discussion.
Metadata Update from @rcritten:
- Issue status updated to: Open (was: Closed)
It seems a variable was added in 4.5.0 for entropy bits, and I assume the higher that is, the harder it is to crack the password. Would a higher entropy value for the host_add OTP help mitigate security concerns for the lack of special characters?
Right, so setting special=None will generate a longer password to compensate. I'm leaning towards your suggestion of special=None for the host OTP.
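The two points discussed above, that dropping the special-character class must be paid for with a longer token to hold the same entropy, and that the OTP has to be quoted before it is embedded in a shell snippet, are illustrated by the following added example. It is not FreeIPA's code and not ipautil.TokenGenerator's actual algorithm (it does not enforce per-class minimum counts); the 128-bit target stands in for TMP_PWD_ENTROPY_BITS as an assumption, the special-character set is copied from the ipautil.py excerpt quoted earlier in this ticket, and the set of shell metacharacters flagged as dangerous in an unquoted assignment is this example's own judgement.

```python
import math
import secrets
import shlex
import string

# Special characters as in the ipautil.py excerpt quoted in this ticket.
SPECIAL_CHARS = '!$%&()*+,-./:;<>?@[]^_{|}~'
BASE_CHARS = string.ascii_uppercase + string.ascii_lowercase + string.digits

# Assumed entropy target; FreeIPA's real TMP_PWD_ENTROPY_BITS value is not taken from here.
TMP_PWD_ENTROPY_BITS = 128

# Characters from SPECIAL_CHARS that change the meaning of an unquoted shell assignment
# such as IPAOTP=<token>: the control operators terminate the word, '$' starts an
# expansion. This set is the example's own judgement, not a FreeIPA definition.
SHELL_META_IN_ASSIGNMENT = set('&;|()<>$')


def charset(special: bool) -> str:
    """Alphabet the token is drawn from, with or without the special-character class."""
    return BASE_CHARS + SPECIAL_CHARS if special else BASE_CHARS


def token_length(entropy_bits: int, special: bool) -> int:
    """Smallest length whose uniform draws from the alphabet carry >= entropy_bits.

    Dropping specials shrinks the alphabet from 89 to 62 symbols, so the length
    grows (20 -> 22 characters at 128 bits) to keep the same entropy target.
    """
    bits_per_char = math.log2(len(charset(special)))
    return math.ceil(entropy_bits / bits_per_char)


def generate_token(entropy_bits: int = TMP_PWD_ENTROPY_BITS, special: bool = False) -> str:
    """Draw a token of the computed length from a CSPRNG (secrets, not random)."""
    alphabet = charset(special)
    return ''.join(secrets.choice(alphabet)
                   for _ in range(token_length(entropy_bits, special)))


def shell_breaking_chars(token: str) -> set:
    """Characters of the token that would break IPAOTP=<token> if left unquoted."""
    return set(token) & SHELL_META_IN_ASSIGNMENT


def shell_safe_assignment(var: str, token: str) -> str:
    """Emit VAR=<quoted token>. shlex.quote single-quotes anything outside its safe set;
    single quotes are always sufficient here because SPECIAL_CHARS contains neither a
    single quote, a backslash nor a backtick."""
    return f"{var}={shlex.quote(token)}"


if __name__ == '__main__':
    for special in (True, False):
        tok = generate_token(special=special)
        print(f"special={special!s:5} len={len(tok):2} "
              f"breaks_unquoted={sorted(shell_breaking_chars(tok))}")
        print("   ", shell_safe_assignment('IPAOTP', tok))
```

Run it a few times with special=True and the `breaks_unquoted` list will regularly be non-empty, which is the failure mode seen in the Foreman snippet; with special=False the list is always empty, at the cost of two extra characters. Either way, emitting the assignment through shlex.quote (or, in an ERB template, wrapping the OTP in single quotes) removes the dependence on which character classes the server happens to use.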
PR: https://github.com/freeipa/freeipa/pull/1505
I guess assign this to me until a decision is made? Not sure what the protocol is.
Sure go ahead and take it. I think we need a discussion on freeipa-devel list about this, can you start it?
I am sorry I have looked all over and I can't see a way to "take" this issue.
Metadata Update from @rcritten:
- Issue priority set to: normal
- Issue set to the milestone: FreeIPA 4.6.4
Metadata Update from @rcritten:
- Issue assigned to johnclarson
master:
Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)
ipa-4-6: