Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Please fix the image so that it does not store passwords in clear text #6

Open
siddjain opened this issue May 1, 2019 · 10 comments

Comments

@siddjain
Copy link

commented May 1, 2019

This image stores passwords as clear text. Could this be fixed please so that passwords are stored as {SSHA}?

fwiw we modified the config to add olcPasswordHash: {SSHA} per this but it does not have any effect.

before:

$ cat config/cn=config/olcDatabase={-1}frontend.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 caf1c0c0
dn: olcDatabase={-1}frontend
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to dn.base="" by * read
olcAccess: {1}to dn.base="cn=Subschema" by * read
olcAccess: {2}to * by self write by users read by anonymous auth
structuralObjectClass: olcDatabaseConfig
entryUUID: 315ac7fd-f18d-4dae-bad4-a4bb13bdac67
creatorsName: cn=config
createTimestamp: 20190429193904Z
entryCSN: 20190429193904.019284Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20190429193904Z

after:

bash-4.4# cat /etc/openldap/slapd.d/'cn=config'/'olcDatabase={-1}frontend.ldif'
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 648305b0
dn: olcDatabase={-1}frontend
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to dn.base="" by * read
olcAccess: {1}to dn.base="cn=Subschema" by * read
olcAccess: {2}to * by self write by users read by anonymous auth
structuralObjectClass: olcDatabaseConfig
entryUUID: b5e993b8-588e-4442-8b6e-184bc4b83544
creatorsName: cn=config
createTimestamp: 20190430195010Z
olcPasswordHash: {SSHA}
entryCSN: 20190430204532.177131Z#000000#000#000000
modifiersName: cn=admin,cn=config
modifyTimestamp: 20190430204532Z

but passwords continue to be stored in clear text (base64 encoded).

@siddjain

This comment has been minimized.

Copy link
Author

commented May 1, 2019

[1] is another link we came across on how to enable password hashing. The steps are quite different so we are not sure whether this is more correct or [2].

Is it possible that there is some module or something that needs to be enabled in the Dockerfile configuration for olcPasswordHash to take effect?

@tiredofit

This comment has been minimized.

Copy link
Owner

commented May 1, 2019

I'll have to take a look at this in a few days as I'm a bit a) under the weather b) have a few work related things on the go that are burning. I'm considering wrapping this into the image as a container startup routine based on an environment variable. I think that would be our best and easiest option to target most users.

@tiredofit

This comment has been minimized.

Copy link
Owner

commented May 1, 2019

I just took a quick peek at my running configuration and it seems I have already had it set, likely a manual setting, which is perhaps why you are not seeing these hashed results. I import the ppolicy.schema from /etc/openldap/schema on container init but based on your link that would need to be added to the overlay in the config database. I can't say for sure as I wasn't involved in the heavy migration of our systems to this container, just involved in the building.

To err on the side of caution, I'm thinking of if some var ie HASH is other than plaintext then apply it both to the olc config as per 2 and then also apply that as per 1. It'll be a few days as I mentioned above.

@siddjain

This comment has been minimized.

Copy link
Author

commented May 1, 2019

Thanks Dave.

The other thing I can think of is - did we add the olcPasswordHash entry to the right file?

where is the code that is importing the ppolicy.schema from /etc/openldap/schema on container init?

when we looked at ppolicy.schema file, it looks like it just contains policies like password length, what characters it should have, when it should expire and so on. It doesn't contain anything pertaining to hashed passwords at all.

@tiredofit

This comment has been minimized.

Copy link
Owner

commented May 1, 2019

I would be line 408 - 411 of 10-openldap which does that. But you are correct, that schema looks very strange. Since it's an overlay schema it simply provides the possibility of supporting those values, however doesn't create any ppolicies in itself. If you take a peek at your raw filesystem inside config you'll see where the entries actually reside.
A quick grep on my system came up with this:

grep -R Hash
olcDatabase={-1}frontend.ldif:olcPasswordHash: {SHA}
olcDatabase={1}mdb/olcOverlay={2}ppolicy.ldif:olcPPolicyHashCleartext: TRUE
@siddjain

This comment has been minimized.

Copy link
Author

commented May 1, 2019

this is what we get when we do a grep of Hash:

bash-4.4# grep -R Hash
schema/corba.schema:#        RMI:ClassName:HashCode[:SUID]
schema/corba.schema:#    "java.lang.String"). "HashCode" is the object's hash code (that is,
slapd.d/cn=config/olcDatabase={-1}frontend.ldif:olcPasswordHash: {SSHA}

so I think we added the entry to the right file. we do not see any

olcDatabase={1}mdb/olcOverlay={2}ppolicy.ldif:olcPPolicyHashCleartext: TRUE

this is what we have:

bash-4.4# ls 'olcDatabase={1}mdb'
'olcOverlay={0}memberof.ldif'  'olcOverlay={1}refint.ldif'
@siddjain

This comment has been minimized.

Copy link
Author

commented May 1, 2019

also we don't see any line 408 - 411 in 10-openldap. there is just one file in that directory - this and it has only 12 lines

@tiredofit

This comment has been minimized.

Copy link
Owner

commented May 1, 2019

OK that would do it - Would need to setup Ppolicy. I think I know where my Ppolicy came from, which is from my openldap-fusiondirectory container which sets it up automatically.

Lines 260 -274 of that repo has this:

	cat <<EOF > /tmp/04-fusiondirectory-ppolicy.ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy

dn: olcOverlay=ppolicy,olcDatabase={1}${BACKEND},cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcPpolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=ppolicies,${BASE_DN}
olcPPolicyUseLockout: TRUE
olcPPolicyHashCleartext: TRUE
EOF

And I'm adding it with this: ldapadd -Y EXTERNAL -H 'ldapi:///' -Q -f /tmp/04-fusiondirectory-ppolicy.ldif

@tiredofit

This comment has been minimized.

Copy link
Owner

commented May 1, 2019

Sorry with regards to the 10-openldap - I am meaning /install/etc/cont-init.d/10-openldap which is where all the container setup is, the s6/services/10-openldap/run is simply a run script to allow restarts/graceful shutdowns.

@siddjain

This comment has been minimized.

Copy link
Author

commented May 1, 2019

Thanks Dave. Lines 260 -274 fixed it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
2 participants
You can’t perform that action at this time.