Require a minimum SASL security factor of 56

A minimum SSF (SSF_MIN) of 56 ensures data integrity and confidentiality for SASL
GSSAPI and SASL GSS-SPNEGO connections.

Although at least AES128 is enforced pretty much everywhere, 56 is required
for backwards compatibility with systems that announce wrong SSF.

Related: https://pagure.io/freeipa/issue/7140
Related: https://pagure.io/freeipa/issue/4580
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
This commit is contained in:
Christian Heimes
2019-02-05 15:19:43 +01:00
committed by Tibor Dudlák
parent 1dfac4f5b7
commit 3509545897
5 changed files with 38 additions and 2 deletions


@@ -94,6 +94,7 @@ dist_app_DATA = \
ipa-kdc-proxy.conf.template \ ipa-kdc-proxy.conf.template \
ipa-pki-proxy.conf.template \ ipa-pki-proxy.conf.template \
ipa-rewrite.conf.template \ ipa-rewrite.conf.template \
min-ssf.ldif \
$(NULL) $(NULL)
kdcproxyconfdir = $(IPA_SYSCONF_DIR)/kdcproxy kdcproxyconfdir = $(IPA_SYSCONF_DIR)/kdcproxy


@@ -0,0 +1,14 @@
# config
# pretend SSF for LDAPI connections
# nsslapd-localssf must be equal to or greater than nsslapd-minssf
dn: cn=config
changetype: modify
replace: nsslapd-localssf
nsslapd-localssf: 256
# minimum security strength factor for SASL and TLS
# 56 is considered weak, but some old clients announce wrong SSF.
dn: cn=config
changetype: modify
replace: nsslapd-minssf
nsslapd-minssf: 56
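Review bot: The comment above `nsslapd-minssf: 56` says the value is weak but not what it gates: as I understand 389-ds, nsslapd-minssf applies to every connection, so a client speaking plain LDAP on port 389 without StartTLS or a SASL security layer will have its operations refused, not only GSSAPI clients that announce a wrong SSF, and an operator debugging a failing legacy client should be able to find that here. I would also make explicit that 56 is a compatibility floor rather than the strength IPA provides, e.g. `# 56 is a compatibility floor, not a target: effective strength is whatever TLS or GSSAPI negotiates; raise once clients announcing a wrong SSF are gone.` The two modify records are applied in order and localssf is set first, which satisfies the constraint stated in the first comment, but a one-line note that the order of the two records matters would keep a future reorder from breaking the install.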


@@ -309,6 +309,9 @@ TLS_VERSIONS = [
] ]
TLS_VERSION_MINIMAL = "tls1.0" TLS_VERSION_MINIMAL = "tls1.0"
# minimum SASL secure strength factor for LDAP connections
# 56 provides backwards compatibility with old libraries.
LDAP_SSF_MIN_THRESHOLD = 56
# Use cache path # Use cache path
USER_CACHE_PATH = ( USER_CACHE_PATH = (
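Review bot: `LDAP_SSF_MIN_THRESHOLD = 56` is documented only as a compatibility value; the comment should also say what the number means and that it is a floor rather than the expected strength, since a reader may otherwise take 56 as the security level IPA enforces. Something like `# SASL SSF is roughly the negotiated key length in bits; 56 is a floor kept for old libraries that announce a wrong SSF, GSSAPI/TLS sessions normally negotiate 128 or more` would do. It is also worth noting that this constant only governs the client side (python-ldap OPT_X_SASL_SSF_MIN) while the server-side minimum lives in min-ssf.ldif, so the two values have to be kept in step by hand.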


@@ -43,7 +43,9 @@ import six
# pylint: disable=ipa-forbidden-import # pylint: disable=ipa-forbidden-import
from ipalib import errors, x509, _ from ipalib import errors, x509, _
from ipalib.constants import LDAP_GENERALIZED_TIME_FORMAT from ipalib.constants import (
LDAP_GENERALIZED_TIME_FORMAT, LDAP_SSF_MIN_THRESHOLD
)
# pylint: enable=ipa-forbidden-import # pylint: enable=ipa-forbidden-import
from ipaplatform.paths import paths from ipaplatform.paths import paths
from ipapython.ipautil import format_netloc, CIDict from ipapython.ipautil import format_netloc, CIDict
@@ -103,7 +105,8 @@ def realm_to_ldapi_uri(realm_name):
return 'ldapi://' + ldapurl.ldapUrlEscape(socketname) return 'ldapi://' + ldapurl.ldapUrlEscape(socketname)
def ldap_initialize(uri, cacertfile=None): def ldap_initialize(uri, cacertfile=None,
ssf_min_threshold=LDAP_SSF_MIN_THRESHOLD):
"""Wrapper around ldap.initialize() """Wrapper around ldap.initialize()
The function undoes global and local ldap.conf settings that may cause The function undoes global and local ldap.conf settings that may cause
@@ -114,6 +117,10 @@ def ldap_initialize(uri, cacertfile=None):
locations, also known as system-wide trust store. locations, also known as system-wide trust store.
* Cert validation is enforced. * Cert validation is enforced.
* SSLv2 and SSLv3 are disabled. * SSLv2 and SSLv3 are disabled.
* Require a minimum SASL security factor of 56. That level ensures
data integrity and confidentiality. Although at least AES128 is
enforced pretty much everywhere, 56 is required for backwards
compatibility with systems that announce wrong SSF.
""" """
conn = ldap.initialize(uri) conn = ldap.initialize(uri)
@@ -121,6 +128,12 @@ def ldap_initialize(uri, cacertfile=None):
conn.set_option(ldap.OPT_X_SASL_NOCANON, ldap.OPT_ON) conn.set_option(ldap.OPT_X_SASL_NOCANON, ldap.OPT_ON)
if not uri.startswith('ldapi://'): if not uri.startswith('ldapi://'):
# require a minimum SSF for TCP connections, but don't lower SSF_MIN
# if the current value is already larger.
cur_min_ssf = conn.get_option(ldap.OPT_X_SASL_SSF_MIN)
if cur_min_ssf < ssf_min_threshold:
conn.set_option(ldap.OPT_X_SASL_SSF_MIN, ssf_min_threshold)
if cacertfile: if cacertfile:
if not os.path.isfile(cacertfile): if not os.path.isfile(cacertfile):
raise IOError(errno.ENOENT, cacertfile) raise IOError(errno.ENOENT, cacertfile)
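Review bot: The new docstring bullet `* Require a minimum SASL security factor of 56` overstates what `OPT_X_SASL_SSF_MIN` covers: the option only constrains SASL binds, so a simple bind or anonymous search over `ldap://` without StartTLS is not affected by it on the client side and relies on the server's nsslapd-minssf instead; that caveat belongs in the bullet. The visible part of the docstring also does not describe the new `ssf_min_threshold` parameter; a line such as `:param ssf_min_threshold: minimum SASL SSF to require on non-ldapi connections; an already higher OPT_X_SASL_SSF_MIN is left alone` would cover it. The `if not uri.startswith('ldapi://')` branch is sensible because ldapi traffic stays on a unix socket, but the comment should say that rather than leaving the reader to infer why local connections are exempt. ldap_initialize continues past the end of this hunk.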


@@ -324,6 +324,8 @@ class DsInstance(service.Service):
else: else:
self.step("importing CA certificates from LDAP", self.step("importing CA certificates from LDAP",
self.__import_ca_certs) self.__import_ca_certs)
# set min SSF after DS is configured for TLS
self.step("require minimal SSF", self.__min_ssf)
self.step("restarting directory server", self.__restart_instance) self.step("restarting directory server", self.__restart_instance)
self.start_creation() self.start_creation()
@@ -1241,6 +1243,9 @@ class DsInstance(service.Service):
dm_password=self.dm_password dm_password=self.dm_password
) )
def __min_ssf(self):
self._ldap_mod("min-ssf.ldif")
def __add_sudo_binduser(self): def __add_sudo_binduser(self):
self._ldap_mod("sudobind.ldif", self.sub_dict) self._ldap_mod("sudobind.ldif", self.sub_dict)
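Review bot: `self.step("require minimal SSF", self.__min_ssf)` runs only during a fresh DsInstance creation; none of the five files in this commit (Makefile.am, min-ssf.ldif, constants.py, ipaldap.py, dsinstance.py) applies min-ssf.ldif to an already installed directory server, so existing deployments keep their current nsslapd-minssf unless an upgrade step exists elsewhere. If that is intended, a comment on `__min_ssf` should say so, e.g. `# applied at install time only; already installed instances need nsslapd-minssf set by an upgrade step`; otherwise an update step that re-applies the ldif is needed. The step is placed after TLS configuration, presumably because raising the server minimum earlier would lock out the installer's own non-ldapi connections; stating that reason in the comment would be more useful than just "after DS is configured for TLS". The method that builds these steps starts outside this hunk.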