Bug 31281 - machine secret hard-coded to 8 characters (or less)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Join (univention-join)
UCS 3.1
Other Linux
Importance: P5 normal
Target Milestone: UCS 3.2
Assigned To: Felix Botner
Philipp Hahn
Keywords: interim-2
Duplicates: 32058
Blocks: 31648
Reported: 2013-05-03 17:00 CEST by Philipp Hahn
Modified: 2013-11-19 06:42 CET (History)
Description Philipp Hahn univentionstaff 2013-05-03 17:00:10 CEST
management/univention-ldap/10univention-ldap-server.inst:95:
      computerPassword=$(makepasswd --chars 8)
management/univention-join/univention-server-join:336:
      computerPassword="$(makepasswd --chars=8)"
base/univention-system-setup/usr/lib/univention-system-setup/scripts/setup-join.sh:122:
      echo -n "$(makepasswd)" > /etc/ldap.secret
base/univention-system-setup/usr/lib/univention-system-setup/scripts/setup-join.sh:123:
      echo -n "$(makepasswd)" > /etc/ldap-backup.secret
base/univention-server/server_password_change:84:
      new_password=$(makepasswd --chars 8)
base/univention-server/debian/univention-server-master.preinst:55:
      echo -n "$(makepasswd)" > /etc/ldap.secret
base/univention-server/debian/univention-server-master.preinst:61:
      echo -n "$(makepasswd)" > /etc/ldap-backup.secret


Should probably be configurable through a UCR variable.

Would probably help to unify the password generation instead of spreading the procedure over multiple packages and doing it slightly differently in each.
Comment 1 Janek Walkenhorst univentionstaff 2013-06-05 11:11:10 CEST
Part of Bug #31648
Comment 2 Arvid Requate univentionstaff 2013-06-05 11:39:48 CEST
Complexity requirements should be configurable as well, see e.g. Bug 31649.
Comment 3 Felix Botner univentionstaff 2013-06-10 14:19:56 CEST
univention-lib:
added function create_machine_password and dependency to pwgen
added py function univention.lib.createMachinePassword()

univention-base-files:
added ucr description for machine/password/complexity and machine/password/length

univention-ssl:
added dependency to shell-univention-lib (>= 3.0.1-1) and replaced makepasswd

univention-server:
added dependency to shell-univention-lib (>= 3.0.1-1, master, backup, slave, member) and replaced makepasswd

univention-system-setup:
added dependency to shell-univention-lib (>= 3.0.1-1) and replaced makepasswd

univention-mail-cyrus:
added dependency to shell-univention-lib (>= 3.0.1-1) and replaced makepasswd

univention-horde4:
added dependency to shell-univention-lib (>= 3.0.1-1) and replaced makepasswd

univention-ldap:
added dependency to shell-univention-lib (>= 3.0.1-1) and replaced makepasswd

univention-join:
added dependency to shell-univention-lib (>= 3.0.1-1) and replaced makepasswd

univention-pkgdb:
added dependency to shell-univention-lib (>= 3.0.1-1) and replaced makepasswd

univention-samba4:
added dependency to shell-univention-lib (>= 3.0.1-1) and replaced makepasswd

univention-squid-kerberos:
added dependency to shell-univention-lib (>= 3.0.1-1) and replaced makepasswd

univention-printquota:
added dependency to shell-univention-lib (>= 3.0.1-1) and replaced makepasswd

univention-s4-connector:
added dependency to python-univention-lib (>= 3.0.1-2) and replaced makepasswd

QA:
check the modified packages and look for any other usage of makepasswd
Comment 4 Arvid Requate univentionstaff 2013-06-10 15:13:14 CEST
Maybe we could also use --symbols (-y) for pwgen if machine/password/complexity is enabled (hopefully all shell scripts are fit for this...).
Comment 5 Philipp Hahn univentionstaff 2013-06-10 17:25:04 CEST
1. cite `man pwgen`: The pwgen program generates passwords which are designed to be *easily memorized by humans*.
but /etc/machine.secrets is not supposed to be entered by humans ever. So this reduces the strength of the password, which needs to be compensated by increasing the password length.

2. »echo "$(pwgen ...)"« can be simplified to just »pwgen ...«; no »echo "$(...)"« needed!
The output is also visible in the process list; see Bug #20610, Bug #20611.
Comment 6 Stefan Gohmann univentionstaff 2013-06-11 09:03:00 CEST
From a UCS 3.2 test instance:

__MSG__:Configure 98univention-samba4-dns
__STEP__:39
Configure /usr/lib/univention-install/98univention-samba4-dns.inst
Waiting for RID Pool replication: done.
/usr/share/univention-samba4/scripts/create_spn_account.sh: line 107: create_machine_password: command not found
/usr/lib/python2.6/getpass.py:83: GetPassWarning: Can not control echo on the terminal.
  passwd = fallback_getpass(prompt, stream)
Warning: Password input may be echoed.
New Password: ERROR(<type 'exceptions.EOFError'>): uncaught exception - 
  File "/usr/lib/python2.6/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.6/dist-packages/samba/netcmd/user.py", line 131, in run
    password = getpass("New Password: ")
  File "/usr/lib/python2.6/getpass.py", line 83, in unix_getpass
    passwd = fallback_getpass(prompt, stream)
  File "/usr/lib/python2.6/getpass.py", line 118, in fallback_getpass
    return _raw_input(prompt, stream)
  File "/usr/lib/python2.6/getpass.py", line 135, in _raw_input
    raise EOFError
Comment 7 Arvid Requate univentionstaff 2013-06-11 18:26:33 CEST
The requirements imposed by Microsoft/Samba password complexity checks must be met, see the function check_password_quality in

http://gitweb.samba.org/samba.git/?p=samba.git;a=blob;f=lib/util/genrand.c;h=3dfaf089d16c4afdf25ead27391ce3835ba4b082;hb=HEAD#l300
Comment 8 Felix Botner univentionstaff 2013-06-14 11:46:13 CEST
(In reply to Philipp Hahn from comment #5)
> 1. cite `man pwgen`: The pwgen program generates passwords which are
> designed to be *easily memorized by humans*.
> but /etc/machine.secrets is not supposed to be entered by humans ever. So
> this reduces the strength of the password, which needs to be compensated by
> increasing the password length.

we use the pwgen option "-s" as default 
-> man pwgen

 -s, --secure
              Generate  completely  random,  hard-to-memorize passwords.  
              These should only be used for machine passwords, ...

> 
> 2. »echo "$(pwgen ...)"« can be simplified to just »pwgen ...«; no »echo
> "$(...)"« needed!
> The output is also visible in the process list; see Bug #20610, Bug #20611.

OK

(In reply to Arvid Requate from comment #7)
> The requirements imposed by Microsoft/Samba password complexity checks must
> be met, see the function check_password_quality in
> 
> http://gitweb.samba.org/samba.git/?p=samba.git;a=blob;f=lib/util/genrand.c;
> h=3dfaf089d16c4afdf25ead27391ce3835ba4b082;hb=HEAD#l300

I think we have
 * Uppercase characters of European languages 
 * Lowercase characters of European languages
 * Base 10 digits
that should be enough.

The "y" option could lead to passwords with backticks and this would break at least univention-pkgdb.
Comment 9 Dirk Wiesenthal univentionstaff 2013-08-12 16:07:34 CEST
When upgrading from 3.1-1 to 3.2-0 I get a lot of

Traceback (most recent call last):
  File "<string>", line 8, in <module>
  File "/usr/lib/pymodules/python2.6/univention/lib/__init__.py", line 38, in <module>
    from univention.lib.misc import *
ImportError: No module named misc

Server seems to be working, though.
Comment 10 Stefan Gohmann univentionstaff 2013-08-12 16:18:08 CEST
(In reply to Dirk Wiesenthal from comment #9)
> When upgrading from 3.1-1 to 3.2-0 I get a lot of
> 
> Traceback (most recent call last):
>   File "<string>", line 8, in <module>
>   File "/usr/lib/pymodules/python2.6/univention/lib/__init__.py", line 38, in <module>
>     from univention.lib.misc import *
> ImportError: No module named misc
> 
> Server seems to be working, though.

→ Reopen.
Comment 11 Stefan Gohmann univentionstaff 2013-08-13 08:09:59 CEST
*** Bug 32058 has been marked as a duplicate of this bug. ***
Comment 12 Philipp Hahn univentionstaff 2013-08-13 08:38:17 CEST
(In reply to Stefan Gohmann from comment #11)
> *** Bug 32058 has been marked as a duplicate of this bug. ***

See that bug for the right fix.
Comment 13 Stefan Gohmann univentionstaff 2013-08-14 15:20:18 CEST
Wait until Felix is back.
Comment 14 Philipp Hahn univentionstaff 2013-08-20 17:22:07 CEST
management/univention-join/univention-server-join:33
  . /usr/share/univention-lib/all.sh
base/univention-lib/shell/all.sh:4
  . /usr/share/univention-lib/umc.sh
base/univention-lib/shell/umc.sh:35
  eval "$(ucr shell ldap/base)"

Since univention-server-join is called by the user "Administrator", who does not have "/usr/sbin/" in her "$PATH", joining a system during a PXE installation (Bug #32228) prints the following message because "ucr" is not found:

* Join failed!
* Message: /usr/share/univention-lib/umc.sh: line 35: ucr: command not found
Comment 15 Felix Botner univentionstaff 2013-09-12 11:05:42 CEST
(In reply to Dirk Wiesenthal from comment #9)
> When upgrading from 3.1-1 to 3.2-0 I get a lot of
> 
> Traceback (most recent call last):
>   File "<string>", line 8, in <module>
>   File "/usr/lib/pymodules/python2.6/univention/lib/__init__.py", line 38, in <module>
>     from univention.lib.misc import *
> ImportError: No module named misc
> 
> Server seems to be working, though.

ucs-3.2/ucs-3.2-0/base/univention-lib:
try/except ImportError for univention.lib.misc in __init__.py (Bug #31281)


(In reply to Philipp Hahn from comment #14)
> management/univention-join/univention-server-join:33
>   . /usr/share/univention-lib/all.sh
> base/univention-lib/shell/all.sh:4
>   . /usr/share/univention-lib/umc.sh
> base/univention-lib/shell/umc.sh:35
>   eval "$(ucr shell ldap/base)"
> 
> Since univention-server-join is called by the user "Administrator", which
> does not have "/usr/sbin/" in her "$PATH", joining a system during an PXE
> installation (Bug #32228) print the following message because "ucr" is not
> found:
> 
> * Join failed!
> * Message: /usr/share/univention-lib/umc.sh: line 35: ucr: command not found

ucs-3.2/ucs-3.2-0/management/univention-join:
PATH was already set to "/sbin:/usr/sbin:..." in univention-server-join but after the shell imports, fixed that.

+export PATH="$PATH:/sbin:/usr/sbin:/bin:/usr/bin"
+
 . /usr/share/univention-lib/all.sh
 
-export PATH="$PATH:/sbin:/usr/sbin:/bin:/usr/bin"
-
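Review bot: the moved `export PATH="$PATH:/sbin:/usr/sbin:/bin:/usr/bin"` appends the system directories after whatever the calling user already has in `$PATH`, so any earlier entry still wins over `/usr/sbin/ucr`; since the whole point of moving the line above `. /usr/share/univention-lib/all.sh` is that umc.sh must find `ucr` on line 35, prepending (`PATH="/sbin:/usr/sbin:/bin:/usr/bin:$PATH"`) or invoking `/usr/sbin/ucr` by absolute path in umc.sh would make the fix independent of the caller's environment.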
Comment 16 Philipp Hahn univentionstaff 2013-09-17 19:17:59 CEST
OK: r41267,41269-41271,41277-41279,41281,41286,41303,41397,41398,43933
OK: ChangeLog r41292,43936
OK: shell: create_machine_password()
FAIL: Python createMachinePassword
  missing dependency on pwgen

Package: shell-univention-lib
Depends: python-univention-config-registry (>= 8.0.2-1), python-univention-lib (>= 3.0.12-4), pwgen

Package: python-univention-lib
Depends: python (<< 2.7), python (>= 2.6), python-support (>= 0.90.0), python2.6

OK: univention-ldap
OK: univention-join
OK: univention-system-setup
OK: univention-server
OK: univention-ssl
OK: univention-base-files.univention-config-registry-variables
OK: univention-mail-cyrus
OK: univention-pkgdb
OK: univention-printquota
OK: univention-s4-connector
OK: univention-samba4
OK: univention-squid-kerberos
OK: git grep makepasswd
FAIL: comment 5
  There are several locations where "echo -n $(...)" is still used, since $(pwgen) outputs a trailing new-line, which /etc/ldap.secret should not contain. Could be perhaps solved by changing create_machine_password to be something like this: "pwgen ... | tr -d '\n'"?

base/univention-server/debian/univention-server-master.preinst:57
base/univention-server/debian/univention-server-master.preinst:63
base/univention-system-setup/usr/lib/univention-system-setup/scripts/setup-join.sh:123
base/univention-system-setup/usr/lib/univention-system-setup/scripts/setup-join.sh:124

OK: comment 7
OK: comment 9
OK: comment 14
Comment 17 Felix Botner univentionstaff 2013-09-18 09:20:51 CEST
(In reply to Philipp Hahn from comment #16)

> FAIL: Python createMachinePassword
>   missing dependency on pwgen

added dependency to pwgen in python-univention-lib (Bug #31281)

> FAIL: comment 5
>   There are several locations where "echo -n $(...)" is still used, since
> $(pwgen) outputs a trailing new-line, which /etc/ldap.secret should not
> contain. Could be perhaps solved by changing create_machine_password to be
> something like this: "pwgen ... | tr -d '\n'"?

added "pwgen ... | tr -d '\n'" in base.sh:create_machine_password
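The generator this thread converges on (a configurable length, letters and digits only per comment 8, Samba's three-of-four character-class rule from comment 7, and the no-trailing-newline fix from comments 16 and 17), as an added sketch that is not Univention's create_machine_password(): it substitutes /dev/urandom for "pwgen -s" and environment variables for the UCR keys machine/password/length and machine/password/complexity so that it runs stand-alone.

```shell
#!/bin/sh
# Added sketch, not Univention's create_machine_password(). The two variables
# stand in for the UCR keys machine/password/length and
# machine/password/complexity (default values assumed here).
MACHINE_PASSWORD_LENGTH="${MACHINE_PASSWORD_LENGTH:-20}"
MACHINE_PASSWORD_COMPLEXITY="${MACHINE_PASSWORD_COMPLEXITY:-true}"

# Samba's check_password_quality (comment 7) accepts a password containing
# at least three of: upper case, lower case, digits, other characters.
meets_samba_complexity() {
    classes=0
    case "$1" in *[[:upper:]]*) classes=$((classes + 1)) ;; esac
    case "$1" in *[[:lower:]]*) classes=$((classes + 1)) ;; esac
    case "$1" in *[[:digit:]]*) classes=$((classes + 1)) ;; esac
    case "$1" in *[![:alnum:]]*) classes=$((classes + 1)) ;; esac
    [ "$classes" -ge 3 ]
}

# Letters and digits only: no backticks or quotes that would break scripts
# such as univention-pkgdb (comment 8), yet three classes for Samba.
# printf '%s' emits the secret without the trailing newline that
# /etc/ldap.secret must not contain (comment 16), so callers need no
# "echo -n $(...)" wrapper, which also keeps the secret out of the process
# list (comment 5). /dev/urandom replaces "pwgen -s" here.
create_machine_password() {
    length="${1:-$MACHINE_PASSWORD_LENGTH}"
    while :; do
        pw="$(LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$length")"
        if [ "$MACHINE_PASSWORD_COMPLEXITY" != "true" ] || meets_samba_complexity "$pw"; then
            printf '%s' "$pw"
            return 0
        fi
    done
}

# Write a secret file readable only by its owner (e.g. /etc/ldap.secret);
# the subshell keeps the umask change local.
write_secret_file() {
    (umask 077 && create_machine_password > "$1")
}
```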
Comment 18 Philipp Hahn univentionstaff 2013-09-18 13:35:56 CEST
(In reply to Felix Botner from comment #17)
> (In reply to Philipp Hahn from comment #16)
> 
> > FAIL: Python createMachinePassword
> >   missing dependency on pwgen
> 
> added dependency to pwgen in python-univention-lib (Bug #31281)

OK: r44168
OK: dpkg -f python-univention-lib_3.0.13-2.171.201309180919_all.deb Depends

> > FAIL: comment 5
> added "pwgen ... | tr -d '\n'" in base.sh:create_machine_password

OK: r44170
OK: create_machine_password | xxd -g1

OK: 3.0.13-2.171.201309180919
Comment 19 Stefan Gohmann univentionstaff 2013-11-19 06:42:34 CET
UCS 3.2 has been released:
 http://docs.univention.de/release-notes-3.2-en.html
 http://docs.univention.de/release-notes-3.2-de.html

If this error occurs again, please use "Clone This Bug".