2008-08-19 12:31:26 -05:00
#!/usr/bin/python
#
# Upgrade configuration files to a newer template.
etckrb5conf = "/etc/krb5.conf"
krb5dir = "/var/kerberos/krb5kdc"
cachedir = "/var/cache/ipa"
libdir = "/var/lib/ipa"
basedir = libdir+"/mkey"
ourkrb5conf = basedir+"/krb5.conf"
ldappwdfile = basedir+"/ldappwd"
import sys
try:
from optparse import OptionParser
import os
import random
import time
import shutil
import getpass
import ipa
2009-02-05 14:03:08 -06:00
import ipapython.config
import ipapython.ipautil
2008-08-19 12:31:26 -05:00
import krbV
import ldap
from ldap import LDAPError
from ldap import ldapobject
2008-08-15 11:08:01 -05:00
from ipaclient import ipachangeconf
2008-08-19 12:31:26 -05:00
from ipaserver import ipaldap
from pyasn1.type import univ, namedtype
import pyasn1.codec.ber.encoder
import pyasn1.codec.ber.decoder
import struct
import base64
except ImportError:
print >> sys.stderr, """\
There was a problem importing one of the required Python modules. The
error was:
%s
""" % sys.exc_value
sys.exit(1)
def parse_options():
2008-08-15 11:08:01 -05:00
parser = OptionParser("%prog [--check] [--fix] [--fix-replica]")
2008-08-19 12:31:26 -05:00
parser.add_option("--check", dest="check", action="store_true",
help="Just check for the vulnerability and report (default action)")
parser.add_option("--fix", dest="fix", action="store_true",
help="Run checks and start procedure to fix the problem")
parser.add_option("--fix-replica", dest="fix_replica", action="store_true",
help="Fix a replica after the tool has been tun with --fix on another master")
2009-02-05 14:03:08 -06:00
ipapython.config.add_standard_options(parser)
2008-08-15 11:08:01 -05:00
options, args = parser.parse_args()
2009-02-05 14:03:08 -06:00
ipapython.config.verify_args(parser, args)
2008-08-15 11:08:01 -05:00
if not options.fix and not options.fix_replica and not options.check:
parser.error("please specify at least one option")
2009-02-05 14:03:08 -06:00
ipapython.config.init_config(options)
2008-08-19 12:31:26 -05:00
return options, args
def check_vuln(realm, suffix):
try:
conn = ldapobject.SimpleLDAPObject("ldap://127.0.0.1/")
conn.simple_bind()
msgid = conn.search("cn="+realm+",cn=kerberos,"+suffix,
ldap.SCOPE_BASE,
"(objectclass=krbRealmContainer)",
("krbmkey", "cn"))
res = conn.result(msgid)
conn.unbind()
if len(res) != 2:
err = 'Realm Container not found, unable to proceed'
print err
raise Exception, err
if 'krbmkey' in res[1][0][1]:
print 'System vulnerable'
return 1
else:
print 'System *not* vulnerable'
return 0
except Exception, e:
print "Could not connect to the LDAP server, unable to check server"
print "("+type(e)+")("+dir(e)+")"
raise e
# We support only des3 encoded stash files for now
def generate_new_stash_file(file):
2008-08-15 11:08:01 -05:00
odd_parity_bytes_pool = ['\x01', '\x02', '\x04', '\x07', '\x08', '\x0b',
'\r', '\x0e', '\x10', '\x13', '\x15', '\x16', '\x19', '\x1a', '\x1c',
'\x1f', ' ', '#', '%', '&', ')', '*', ',', '/', '1', '2', '4', '7', '8',
';', '=', '>', '@', 'C', 'E', 'F', 'I', 'J', 'L', 'O', 'Q', 'R', 'T',
'W', 'X', '[', ']', '^', 'a', 'b', 'd', 'g', 'h', 'k', 'm', 'n', 'p',
's', 'u', 'v', 'y', 'z', '|', '\x7f', '\x80', '\x83', '\x85', '\x86',
'\x89', '\x8a', '\x8c', '\x8f', '\x91', '\x92', '\x94', '\x97', '\x98',
'\x9b', '\x9d', '\x9e', '\xa1', '\xa2', '\xa4', '\xa7', '\xa8', '\xab',
'\xad', '\xae', '\xb0', '\xb3', '\xb5', '\xb6', '\xb9', '\xba', '\xbc',
'\xbf', '\xc1', '\xc2', '\xc4', '\xc7', '\xc8', '\xcb', '\xcd', '\xce',
'\xd0', '\xd3', '\xd5', '\xd6', '\xd9', '\xda', '\xdc', '\xdf', '\xe0',
'\xe3', '\xe5', '\xe6', '\xe9', '\xea', '\xec', '\xef', '\xf1', '\xf2',
'\xf4', '\xf7', '\xf8', '\xfb', '\xfd', '\xfe']
2008-08-19 12:31:26 -05:00
pool_len = len(odd_parity_bytes_pool)
keytype = 16 # des3
keydata = ""
r = random.SystemRandom()
for k in range(24):
keydata += r.choice(odd_parity_bytes_pool)
format = '=hi%ss' % len(keydata)
s = struct.pack(format, keytype, len(keydata), keydata)
try:
fd = open(file, "w")
fd.write(s)
except os.error, e:
logging.critical("failed to write stash file")
raise e
# clean up procedures
def change_mkey_cleanup(password):
try:
os.stat(basedir)
except:
return None
try:
# always remove ldappwdfile as it contains the Directory Manager password
os.remove(ldappwdfile)
except:
pass
# tar and encrypt the working dir so that we do not leave sensitive data
# around unproteceted
curtime = time.strftime("%Y%m%d%H%M%S",time.gmtime())
tarfile = libdir+"/ipa-change-mkey-"+curtime+".tar"
gpgfile = tarfile+".gpg"
args = ['/bin/tar', '-C', libdir, '-cf', tarfile, 'mkey']
2009-02-05 14:03:08 -06:00
ipapython.ipautil.run(args)
ipapython.ipautil.encrypt_file(tarfile, gpgfile, password, cachedir)
2008-08-19 12:31:26 -05:00
os.remove(tarfile)
shutil.rmtree(basedir, ignore_errors=True)
return "The temporary working directory with backup dump files has been securely archived and gpg-encrypted as "+gpgfile+" using the Directory Manager password."
def change_mkey(password = None, quiet = False):
krbctx = krbV.default_context()
realm = krbctx.default_realm
2009-02-05 14:03:08 -06:00
suffix = ipapython.ipautil.realm_to_suffix(realm)
2008-08-19 12:31:26 -05:00
backupfile = basedir+"/backup.dump"
convertfile = basedir+"/convert.dump"
oldstashfile = krb5dir+"/.k5."+realm
newstashfile = basedir+"/.new.mkey"
bkpstashfile = basedir+"/.k5."+realm
if os.getuid() != 0:
print "ERROR: This command must be run as root"
2008-09-24 12:38:23 -05:00
sys.exit(1)
2008-08-19 12:31:26 -05:00
print "DANGER: This is a dangerous operation, make sure you backup all your IPA data before running the tool"
print "This command will restart your Directory and KDC Servers."
#TODO: ask for confirmation
2009-02-05 14:03:08 -06:00
if not ipapython.ipautil.user_input("Do you want to proceed and change the Kerberos Master key?", False):
2008-08-19 12:31:26 -05:00
print ""
print "Aborting..."
return 1
if not password:
password = getpass.getpass("Directory Manager password: ")
# get a connection to the DS
try:
2009-02-05 14:03:08 -06:00
conn = ipaldap.IPAdmin(ipapython.config.config.default_server[0])
2008-08-19 12:31:26 -05:00
conn.do_simple_bind(bindpw=password)
except Exception, e:
2009-02-05 14:03:08 -06:00
print "ERROR: Could not connect to the Directory Server on "+ipapython.config.config.default_server[0]+" ("+str(e)+")"
2008-08-19 12:31:26 -05:00
return 1
# Wipe basedir and recreate it
shutil.rmtree(basedir, ignore_errors=True)
os.mkdir(basedir, 0700)
generate_new_stash_file(newstashfile)
# Generate conf files
try:
shutil.copyfile(etckrb5conf, ourkrb5conf)
krbconf = ipachangeconf.IPAChangeConf("IPA Installer")
krbconf.setOptionAssignment(" = ")
krbconf.setSectionNameDelimiters(("[","]"))
krbconf.setSubSectionDelimiters(("{","}"))
krbconf.setIndent((""," "," "))
#OPTS
opts = [{'name':'ldap_kadmind_dn', 'type':'option', 'action':'set', 'value':'cn=Directory Manager'},
{'name':'ldap_service_password_file', 'type':'option', 'action':'set', 'value':ldappwdfile}]
#REALM
realmopts = [{'name':realm, 'type':'subsection', 'action':'set', 'value':opts}]
#DBMODULES
dbopts = [{'name':'dbmodules', 'type':'section', 'action':'set', 'value':realmopts}]
krbconf.changeConf(ourkrb5conf, dbopts);
hexpwd = ""
for x in password:
hexpwd += (hex(ord(x))[2:])
pwd_fd = open(ldappwdfile, "w")
pwd_fd.write("cn=Directory Manager#{HEX}"+hexpwd+"\n")
pwd_fd.close()
os.chmod(ldappwdfile, 0600)
except Exception, e:
print "Failed to create custom configuration files ("+str(e)+") aborting..."
return 1
#Set environment vars so that the modified krb5.conf is used
os.environ['KRB5_CONFIG'] = ourkrb5conf
#Backup the kerberos key material for recovery if needed
args = ["/usr/kerberos/sbin/kdb5_util", "dump", "-verbose", backupfile]
print "Performing safety backup of the key material"
try:
2009-02-05 14:03:08 -06:00
output = ipapython.ipautil.run(args)
except ipapython.ipautil.CalledProcessError, e:
2008-08-19 12:31:26 -05:00
print "Failed to backup key material ("+str(e)+"), aborting ..."
return 1
if not quiet:
princlist = output[1].split('\n')
print "Principals stored into the backup file "+backupfile+":"
for p in princlist:
print p
print ""
#Convert the kerberos keys to the new master key
args = ["/usr/kerberos/sbin/kdb5_util", "dump", "-verbose", "-new_mkey_file", newstashfile, convertfile]
print "Converting key material to new master key"
try:
2009-02-05 14:03:08 -06:00
output = ipapython.ipautil.run(args)
except ipapython.ipautil.CalledProcessError, e:
2008-08-19 12:31:26 -05:00
print "Failed to convert key material, aborting ..."
return 1
savedprinclist = output[1].split('\n')
if not quiet:
princlist = output[1].split('\n')
print "Principals dumped for conversion:"
for p in princlist:
print p
print ""
#Stop the KDC
args = ["/etc/init.d/krb5kdc", "stop"]
try:
2009-02-05 14:03:08 -06:00
output = ipapython.ipautil.run(args)
2008-08-19 12:31:26 -05:00
if output[0]:
print output[0]
if output[1]:
print output[1]
2009-02-05 14:03:08 -06:00
except ipapython.ipautil.CalledProcessError, e:
2008-08-19 12:31:26 -05:00
print "WARNING: Failed to restart the KDC ("+str(e)+")"
print "You will have to manually restart the KDC when the operation is completed"
#Change the mkey into ldap
try:
stash = open(newstashfile, "r")
keytype = struct.unpack('h', stash.read(2))[0]
keylen = struct.unpack('i', stash.read(4))[0]
keydata = stash.read(keylen)
#encode it in the asn.1 attribute
MasterKey = univ.Sequence()
MasterKey.setComponentByPosition(0, univ.Integer(keytype))
MasterKey.setComponentByPosition(1, univ.OctetString(keydata))
krbMKey = univ.Sequence()
krbMKey.setComponentByPosition(0, univ.Integer(0)) #we have no kvno
krbMKey.setComponentByPosition(1, MasterKey)
asn1key = pyasn1.codec.ber.encoder.encode(krbMKey)
dn = "cn="+realm+",cn=kerberos,"+suffix
mod = [(ldap.MOD_REPLACE, 'krbMKey', str(asn1key))]
conn.modify_s(dn, mod)
except Exception, e:
print "ERROR: Failed to upload the Master Key from the Stash file: "+newstashfile+" ("+str(e)+")"
return 1
#Backup old stash file and substitute with new
try:
shutil.move(oldstashfile, bkpstashfile)
shutil.copyfile(newstashfile, oldstashfile)
except Exception, e:
print "ERROR: An error occurred while installing the new stash file("+str(e)+")"
print "The KDC may fail to start if the correct stash file is not in place"
print "Verify that "+newstashfile+" has been correctly installed into "+oldstashfile
print "A backup copy of the old stash file should be saved in "+bkpstashfile
#Finally upload the converted principals
args = ["/usr/kerberos/sbin/kdb5_util", "load", "-verbose", "-update", convertfile]
print "Uploading converted key material"
try:
2009-02-05 14:03:08 -06:00
output = ipapython.ipautil.run(args)
except ipapython.ipautil.CalledProcessError, e:
2008-08-19 12:31:26 -05:00
print "Failed to upload key material ("+e+"), aborting ..."
return 1
if not quiet:
princlist = output[1].split('\n')
print "Principals converted and uploaded:"
for p in princlist:
print p
print ""
uploadedprinclist = output[1].split('\n')
#Check for differences and report
d = []
for p in savedprinclist:
if uploadedprinclist.count(p) == 0:
d.append(p)
if len(d) != 0:
print "WARNING: Not all dumped principals have been updated"
print "Principals not Updated:"
for p in d:
print p
#Remove custom environ
del os.environ['KRB5_CONFIG']
#Restart Directory Server (the pwd plugin need to read the new mkey)
args = ["/etc/init.d/dirsrv", "restart"]
try:
2009-02-05 14:03:08 -06:00
output = ipapython.ipautil.run(args)
2008-08-19 12:31:26 -05:00
if output[0]:
print output[0]
if output[1]:
print output[1]
2009-02-05 14:03:08 -06:00
except ipapython.ipautil.CalledProcessError, e:
2008-08-19 12:31:26 -05:00
print "WARNING: Failed to restart the Directory Server ("+str(e)+")"
print "Please manually restart the DS with 'service dirsrv restart'"
#Restart the KDC
args = ["/etc/init.d/krb5kdc", "start"]
try:
2009-02-05 14:03:08 -06:00
output = ipapython.ipautil.run(args)
2008-08-19 12:31:26 -05:00
if output[0]:
print output[0]
if output[1]:
print output[1]
2009-02-05 14:03:08 -06:00
except ipapython.ipautil.CalledProcessError, e:
2008-08-19 12:31:26 -05:00
print "WARNING: Failed to restart the KDC ("+str(e)+")"
print "Please manually restart the kdc with 'service krb5kdc start'"
print "Master Password successfully changed"
#print "You MUST now copy the stash file "+oldstashfile+" to all the replicas and restart them!"
print ""
return 0
def fix_replica(password, realm, suffix):
try:
conn = ldapobject.SimpleLDAPObject("ldap://127.0.0.1/")
conn.simple_bind("cn=Directory Manager", password)
msgid = conn.search("cn="+realm+",cn=kerberos,"+suffix,
ldap.SCOPE_BASE,
"(objectclass=krbRealmContainer)",
("krbmkey", "cn"))
res = conn.result(msgid)
conn.unbind()
krbmkey = res[1][0][1]['krbmkey'][0]
except Exception, e:
print "Could not connect to the LDAP server, unable to fix server"
print "("+type(e)+")("+dir(e)+")"
raise e
krbMKey = pyasn1.codec.ber.decoder.decode(krbmkey)
keytype = int(krbMKey[0][1][0])
keydata = str(krbMKey[0][1][1])
format = '=hi%ss' % len(keydata)
s = struct.pack(format, keytype, len(keydata), keydata)
try:
fd = open("/var/kerberos/krb5kdc/.k5."+realm, "w")
fd.write(s)
fd.close()
except os.error, e:
print "failed to write stash file"
raise e
#restart KDC so that it can reload the new Master Key
os.system("/etc/init.d/krb5kdc restart")
KRBMKEY_DENY_ACI = """
(targetattr = "krbMKey")(version 3.0; acl "No external access"; deny (all) userdn != "ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
"""
def fix_main(password, realm, suffix):
#Run the change master key tool
print "Changing Kerberos master key"
try:
ret = change_mkey(password, True)
except SystemExit:
ret = 1
pass
except Exception, e:
ret = 1
print "%s" % str(e)
try:
msg = change_mkey_cleanup(password)
if msg:
print msg
except Exception, e:
print "Failed to clean up the temporary location for the dump files and generate and encrypted archive with error:"
print e
print "Please securely archive/encrypt "+basedir
if ret is not 0:
sys.exit(ret)
#Finally upload new master key
#get the Master Key from the stash file
try:
stash = open("/var/kerberos/krb5kdc/.k5."+realm, "r")
keytype = struct.unpack('h', stash.read(2))[0]
keylen = struct.unpack('i', stash.read(4))[0]
keydata = stash.read(keylen)
except os.error:
print "Failed to retrieve Master Key from Stash file: %s"
raise e
#encode it in the asn.1 attribute
MasterKey = univ.Sequence()
MasterKey.setComponentByPosition(0, univ.Integer(keytype))
MasterKey.setComponentByPosition(1, univ.OctetString(keydata))
krbMKey = univ.Sequence()
krbMKey.setComponentByPosition(0, univ.Integer(0)) #we have no kvno
krbMKey.setComponentByPosition(1, MasterKey)
asn1key = pyasn1.codec.ber.encoder.encode(krbMKey)
dn = "cn=%s,cn=kerberos,%s" % (realm, suffix)
sub_dict = dict(REALM=realm, SUFFIX=suffix)
#protect the master key by adding an appropriate deny rule along with the key
2009-02-05 14:03:08 -06:00
mod = [(ldap.MOD_ADD, 'aci', ipapython.ipautil.template_str(KRBMKEY_DENY_ACI, sub_dict)),
2008-08-19 12:31:26 -05:00
(ldap.MOD_REPLACE, 'krbMKey', str(asn1key))]
conn = ldapobject.SimpleLDAPObject("ldap://127.0.0.1/")
conn.simple_bind("cn=Directory Manager", password)
conn.modify_s(dn, mod)
conn.unbind()
print "\n"
print "This server is now correctly configured and the master-key has been changed and secured."
print "Please now run this tool with the --fix-replica option on all your other replicas."
print "Until you fix the replicas their KDCs will not work."
def main():
options, args = parse_options()
if options.fix or options.fix_replica:
password = getpass.getpass("Directory Manager password: ")
krbctx = krbV.default_context()
realm = krbctx.default_realm
2009-02-05 14:03:08 -06:00
suffix = ipapython.ipautil.realm_to_suffix(realm)
2008-08-19 12:31:26 -05:00
try:
ret = check_vuln(realm, suffix)
except:
sys.exit(1)
if options.fix_replica:
if ret is 1:
print "Your system is still vulnerable"
print "If you have already run this tool with --fix on a master then make sure your replication is working correctly, before runnig --fix-replica"
sys.exit(1)
try:
fix_replica(password, realm, suffix)
except Exception, e:
print "Unexpected error ("+str(e)+")"
sys.exit(1)
sys.exit(0)
if options.check:
sys.exit(0)
if options.fix:
if ret is 1:
try:
ret = fix_main(password, realm, suffix)
except Exception, e:
print "Unexpected error ("+str(e)+")"
sys.exit(1)
sys.exit(ret)
try:
if __name__ == "__main__":
sys.exit(main())
except SystemExit, e:
sys.exit(e)
except KeyboardInterrupt, e:
sys.exit(1)
