
FortiOS changes private key encryption every time config is downloaded #931

Closed
gbeekmans opened this issue Jul 10, 2017 · 14 comments
Labels: device_model, help_wanted (No one is working on this issue. If no one fixes it, it will be automatically closed after some time.), soliciting_pr

Comments

@gbeekmans (Author) opened the issue Jul 10, 2017

A feature of FortiOS is that it is designed to re-encrypt private key passwords using an initialization vector that contains random data. Each time the config is backed up or displayed, a different string is used in order to enhance security.

The net effect is that every time Oxidized logs into a FortiGate (presumably other devices by Fortinet as well, but FortiGate is the only one I use), it detects config changes. I can't run Oxidized as a daemon including all our FortiGates as it constantly sees changes. My only recourse so far is to run Oxidized manually once in a while to capture any changes that may have been applied.

I contacted tech support and they advised me that there is no way to turn this behaviour off aside from removing passwords from private keys which is not an option for us.

This unfortunately would need to be handled client-side in Oxidized itself. It would be okay if it ignored private key changes by way of a configuration option (I'd take on the responsibility myself to ensure I have recent backups or private keys if they need to be restored).

In essence a starting point would be to ignore any text between these markers:

set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----

-----END ENCRYPTED PRIVATE KEY-----"

"set private-key" is space-indented, so a regex like .*set private-key would work.

Could this be easily implemented by way of an updated fortios.rb model? I have been unsuccessful at figuring out how to do multi-line match & ignore like this.

Thanks,
Gerard Beekmans

@gbeekmans (Author) commented Jul 10, 2017

I just noticed this section in the fortios.rb file:

  # The :secret hook only runs when remove_secret is enabled for the node
  cmd :secret do |cfg|
    # single-line secrets: keep "set <name>", drop the value that follows
    cfg.gsub! /(set (?:passwd|password|psksecret)).*/, '\\1 <configuration removed>'
    # multi-line PEM block: /m lets "." span newlines; the greedy ".*" runs
    # from the first "set private-key" to the last END marker in the config
    cfg.gsub! /(set private-key).*-+END ENCRYPTED PRIVATE KEY-*"$/m , '\\1 <configuration removed>'
    cfg
  end

I believe it's already supposed to strip out encrypted private keys, but it's obviously not doing that.

Could it be due to the fact that "set private-key" is preceded by white space, or is it because :secret has a special meaning that needs to be turned on as a variable? I see this :secret in many files but I can't find in the documentation how it's to be used.

@ytti (Owner) commented Jul 10, 2017

Yes, it can be easily done. It's more of a Ruby question than an Oxidized question. You could do something like:

cmd 'something' do |cfg|
  out = ""
  skip_line = false
  cfg.lines.each do |line|
    # start skipping at the BEGIN marker (that line is dropped too)
    skip_line = true if line.match /BEGIN ENCRYPTED PRIVATE KEY/
    # stop skipping at the END marker; this line itself is kept
    skip_line = false if line.match /END ENCRYPTED PRIVATE KEY/
    (out << line) unless skip_line
  end
  out
end

Or a bazillion other ways to do it.

@gbeekmans (Author)
Thanks, ytti. I will try that. I just found an answer to the ":secret" question by setting the remove_secret variable but I am finding it removes too many secrets. I want to keep most of them so I will try your Ruby method above and build on that.

@gbeekmans (Author)
I think I have a working rewritten fortios.rb model now. Attached is a diff against the original one in case you want to take these changes and incorporate them.

fortios.rb.zip

@danilopopeye (Contributor) commented Jul 18, 2017

Attached is a diff against the original one in case you want to take these changes and incorporate them.

@gbeekmans could you open a pull request with your diffs?

I think I have a working rewritten fortios.rb model now.

Since your problem seems to be resolved, can you close this issue?

@danilopopeye added the device_model, help_wanted (No one is working on this issue. If no one fixes it, it will be automatically closed after some time.) and user_pending labels Jul 18, 2017

@sfini (Contributor) commented Aug 2, 2017

I have removed the private keys with this:

  cmd :secret do |cfg|
#    cfg.gsub! /(set (?:passwd|password|psksecret|secret|key|group-password|secondary-secret|tertiary-secret ENC)).*/, '\\1 <configuration removed>'
    # any single-line encrypted value: keep "ENC ", drop the blob after it
    cfg.gsub! /(ENC ).*/, '\\1 <configuration removed>'
    # multi-line PEM blocks (key, CA cert, CSR); /m lets "." span newlines
    cfg.gsub! /(set private-key).*-+END ENCRYPTED PRIVATE KEY-*"$/m , '\\1 <configuration removed>'
    cfg.gsub! /(set ca ).*-+END CERTIFICATE-*"$/m , '\\1 <configuration removed>'
    cfg.gsub! /(set csr ).*-+END CERTIFICATE REQUEST-*"$/m , '\\1 <configuration removed>'
    cfg
  end

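The regex approach discussed in this thread, as an added stand-alone example (not Oxidized's or Fortinet's code): it strips the quoted PEM blocks and `ENC` values from FortiOS config text and, unlike the greedy `.*` above, keeps settings that sit between two keys. The sample config is constructed; the key bodies are placeholders.

```ruby
# Added example, not Oxidized's or Fortinet's own code: a sanitiser for
# FortiOS config text that replaces material re-encrypted on every export
# with a fixed placeholder, so a backup only diffs when the config changes.
PLACEHOLDER = '<configuration removed>'

# Quoted multi-line PEM blocks: set private-key "-----BEGIN ... -----END ...-----"
# Ruby's /m lets "." match newlines; the lazy ".*?" matters, because a greedy
# ".*" would swallow everything from the FIRST key to the LAST END marker,
# deleting unrelated settings that sit between two keys.
PEM_BLOCKS = {
  'private-key' => 'ENCRYPTED PRIVATE KEY',
  'ca'          => 'CERTIFICATE',
  'csr'         => 'CERTIFICATE REQUEST'
}.freeze

def strip_pem_blocks(cfg)
  PEM_BLOCKS.reduce(cfg.dup) do |text, (setting, label)|
    text.gsub(/^([ \t]*set #{Regexp.escape(setting)} )".*?-+END #{label}-+"$/m,
              "\\1#{PLACEHOLDER}")
  end
end

# Single-line encrypted values such as: set password ENC <blob>
def strip_enc_values(cfg)
  cfg.gsub(/^([ \t]*set \S+ )ENC .*$/, "\\1#{PLACEHOLDER}")
end

def sanitize_fortios(cfg)
  strip_enc_values(strip_pem_blocks(cfg))
end

# Constructed sample: two keys with a setting between them that a greedy
# match would lose. Key bodies are placeholders, not real key material.
SAMPLE = <<~CFG
  config vpn certificate local
      edit "Fortinet_Factory"
          set password ENC AAAAbbbbCCCC
          set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
  Zm9vYmFy (constructed; differs on every export)
  -----END ENCRYPTED PRIVATE KEY-----"
          set comments "keep me"
      next
      edit "Fortinet_CA"
          set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
  YmF6cXV4 (constructed)
  -----END ENCRYPTED PRIVATE KEY-----"
      next
  end
CFG
```

Running `sanitize_fortios(SAMPLE)` leaves three placeholder lines and keeps `set comments "keep me"` and the second `edit` block intact.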

@laf (Contributor) commented Sep 27, 2017

@gbeekmans / @sfini can one of you submit a pull request with the fix?

@sfini (Contributor) commented Sep 28, 2017

@laf
Sure

sfini added a commit to sfini/oxidized that referenced this issue Sep 28, 2017
Modify script for discard changes private key encryption every time config is downloaded
ytti#931
laf pushed a commit that referenced this issue Dec 15, 2017
* Update fortios.rb

Modify script for discard changes private key encryption every time config is downloaded
#931

* Update fortios.rb

* Update fortios.rb

* Update fortios.rb

Added filter for inter-controller-key and Cluster uptime.
After update to version 5.6, inter-controller-key changes every time config is downloaded.
Cluster uptime is now present and changes every time config is downloaded.

* Update fortios.rb

Added rsso secret configuration remove

* Update fortios.rb

Added (Virus-DB|Extended DB|IPS-DB|IPS-ETDB|APP-DB|INDUSTRIAL-DB|Botnet DB|IPS Malicious URL Database) to the script, as suggested in #1119

@laf (Contributor) commented Dec 15, 2017

Fix merged in.

@nvmike commented Feb 26, 2018

I am using #1047 and on every run I have a notification of a changed key.
Forti with vdom.
My global conf for the model is:
model: fortios
interval: 21600
use_syslog: false
debug: true
remove_secret: true
threads: 30
timeout: 120
retries: 3

I am getting lost with this

@sfini (Contributor) commented Feb 26, 2018

@nvmike
This issue is closed.

Please open a new issue, and write which key changes every time (there are a lot).

Simone

@nvmike commented Feb 26, 2018 via email

@nvmike commented Feb 26, 2018

@sfini - Thank you - I did open #1199
Mike

@anubisg1 (Contributor)

This issue still persists with version 0.30.1.
