IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Add script to simplify operations to fix CVE 2008 3274

Browse Source 
Import all of change master key directly into the help fix,
allows for better control
This commit is contained in:
Simo Sorce 2008-08-19 13:31:26 -04:00
parent 8e7c98eb7f
commit 57669ba432
3 changed files with 521 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
ipa-server/Makefile.am
View File

@ -16,6 +16,7 @@ SUBDIRS = \
sbin_SCRIPTS = \
ipa-upgradeconfig \
ipa-fix-CVE-2008-3274 \
$(NULL)
install-exec-local:

519
ipa-server/ipa-fix-CVE-2008-3274 Normal file
View File

@ -0,0 +1,519 @@
#!/usr/bin/python
#
# Upgrade configuration files to a newer template.
etckrb5conf = "/etc/krb5.conf"
krb5dir = "/var/kerberos/krb5kdc"
cachedir = "/var/cache/ipa"
libdir = "/var/lib/ipa"
basedir = libdir+"/mkey"
ourkrb5conf = basedir+"/krb5.conf"
ldappwdfile = basedir+"/ldappwd"
import sys
try:
from optparse import OptionParser
import os
import random
import time
import shutil
import getpass
import ipa
import ipa.config
import ipa.ipautil
import krbV
import ldap
from ldap import LDAPError
from ldap import ldapobject
from ipaclient import ipachangeconf
from ipaserver import ipaldap
from pyasn1.type import univ, namedtype
import pyasn1.codec.ber.encoder
import pyasn1.codec.ber.decoder
import struct
import base64
except ImportError:
print >> sys.stderr, """\
There was a problem importing one of the required Python modules. The
error was:
%s
""" % sys.exc_value
sys.exit(1)
def usage():
print "ipa-fix-CVE-2008-3274 [--check] [--fix] [--fix-replica]"
sys.exit(1)
def parse_options():
parser = OptionParser()
parser.add_option("--check", dest="check", action="store_true",
help="Just check for the vulnerability and report (default action)")
parser.add_option("--fix", dest="fix", action="store_true",
help="Run checks and start procedure to fix the problem")
parser.add_option("--fix-replica", dest="fix_replica", action="store_true",
help="Fix a replica after the tool has been tun with --fix on another master")
parser.add_option("--usage", action="store_true",
help="Program usage")
args = ipa.config.init_config(sys.argv)
options, args = parser.parse_args(args)
return options, args
def check_vuln(realm, suffix):
try:
conn = ldapobject.SimpleLDAPObject("ldap://127.0.0.1/")
conn.simple_bind()
msgid = conn.search("cn="+realm+",cn=kerberos,"+suffix,
ldap.SCOPE_BASE,
"(objectclass=krbRealmContainer)",
("krbmkey", "cn"))
res = conn.result(msgid)
conn.unbind()
if len(res) != 2:
err = 'Realm Container not found, unable to proceed'
print err
raise Exception, err
if 'krbmkey' in res[1][0][1]:
print 'System vulnerable'
return 1
else:
print 'System *not* vulnerable'
return 0
except Exception, e:
print "Could not connect to the LDAP server, unable to check server"
print "("+type(e)+")("+dir(e)+")"
raise e
# We support only des3 encoded stash files for now
def generate_new_stash_file(file):
odd_parity_bytes_pool = ['\x01', '\x02', '\x04', '\x07', '\x08', '\x0b', '\r', '\x0e', '\x10', '\x13', '\x15', '\x16', '\x19', '\x1a', '\x1c', '\x1f', ' ', '#', '%', '&', ')', '*', ',', '/', '1', '2', '4', '7', '8', ';', '=', '>', '@', 'C', 'E', 'F', 'I', 'J', 'L', 'O', 'Q', 'R', 'T', 'W', 'X', '[', ']', '^', 'a', 'b', 'd', 'g', 'h', 'k', 'm', 'n', 'p', 's', 'u', 'v', 'y', 'z', '|', '\x7f', '\x80', '\x83', '\x85', '\x86', '\x89', '\x8a', '\x8c', '\x8f', '\x91', '\x92', '\x94', '\x97', '\x98', '\x9b', '\x9d', '\x9e', '\xa1', '\xa2', '\xa4', '\xa7', '\xa8', '\xab', '\xad', '\xae', '\xb0', '\xb3', '\xb5', '\xb6', '\xb9', '\xba', '\xbc', '\xbf', '\xc1', '\xc2', '\xc4', '\xc7', '\xc8', '\xcb', '\xcd', '\xce', '\xd0', '\xd3', '\xd5', '\xd6', '\xd9', '\xda', '\xdc', '\xdf', '\xe0', '\xe3',
'\xe5', '\xe6', '\xe9', '\xea', '\xec', '\xef', '\xf1', '\xf2', '\xf4', '\xf7',
'\xf8', '\xfb', '\xfd', '\xfe']
pool_len = len(odd_parity_bytes_pool)
keytype = 16 # des3
keydata = ""
r = random.SystemRandom()
for k in range(24):
keydata += r.choice(odd_parity_bytes_pool)
format = '=hi%ss' % len(keydata)
s = struct.pack(format, keytype, len(keydata), keydata)
try:
fd = open(file, "w")
fd.write(s)
except os.error, e:
logging.critical("failed to write stash file")
raise e
# clean up procedures
def change_mkey_cleanup(password):
try:
os.stat(basedir)
except:
return None
try:
# always remove ldappwdfile as it contains the Directory Manager password
os.remove(ldappwdfile)
except:
pass
# tar and encrypt the working dir so that we do not leave sensitive data
# around unproteceted
curtime = time.strftime("%Y%m%d%H%M%S",time.gmtime())
tarfile = libdir+"/ipa-change-mkey-"+curtime+".tar"
gpgfile = tarfile+".gpg"
args = ['/bin/tar', '-C', libdir, '-cf', tarfile, 'mkey']
ipa.ipautil.run(args)
ipa.ipautil.encrypt_file(tarfile, gpgfile, password, cachedir)
os.remove(tarfile)
shutil.rmtree(basedir, ignore_errors=True)
return "The temporary working directory with backup dump files has been securely archived and gpg-encrypted as "+gpgfile+" using the Directory Manager password."
def change_mkey(password = None, quiet = False):
krbctx = krbV.default_context()
realm = krbctx.default_realm
suffix = ipa.ipautil.realm_to_suffix(realm)
backupfile = basedir+"/backup.dump"
convertfile = basedir+"/convert.dump"
oldstashfile = krb5dir+"/.k5."+realm
newstashfile = basedir+"/.new.mkey"
bkpstashfile = basedir+"/.k5."+realm
if os.getuid() != 0:
print "ERROR: This command must be run as root"
print "DANGER: This is a dangerous operation, make sure you backup all your IPA data before running the tool"
print "This command will restart your Directory and KDC Servers."
#TODO: ask for confirmation
if not ipa.ipautil.user_input("Do you want to proceed and change the Kerberos Master key?", False):
print ""
print "Aborting..."
return 1
if not password:
password = getpass.getpass("Directory Manager password: ")
# get a connection to the DS
try:
conn = ipaldap.IPAdmin(ipa.config.config.default_server[0])
conn.do_simple_bind(bindpw=password)
except Exception, e:
print "ERROR: Could not connect to the Directory Server on "+ipa.config.config.default_server[0]+" ("+str(e)+")"
return 1
# Wipe basedir and recreate it
shutil.rmtree(basedir, ignore_errors=True)
os.mkdir(basedir, 0700)
generate_new_stash_file(newstashfile)
# Generate conf files
try:
shutil.copyfile(etckrb5conf, ourkrb5conf)
krbconf = ipachangeconf.IPAChangeConf("IPA Installer")
krbconf.setOptionAssignment(" = ")
krbconf.setSectionNameDelimiters(("[","]"))
krbconf.setSubSectionDelimiters(("{","}"))
krbconf.setIndent((""," "," "))
#OPTS
opts = [{'name':'ldap_kadmind_dn', 'type':'option', 'action':'set', 'value':'cn=Directory Manager'},
{'name':'ldap_service_password_file', 'type':'option', 'action':'set', 'value':ldappwdfile}]
#REALM
realmopts = [{'name':realm, 'type':'subsection', 'action':'set', 'value':opts}]
#DBMODULES
dbopts = [{'name':'dbmodules', 'type':'section', 'action':'set', 'value':realmopts}]
krbconf.changeConf(ourkrb5conf, dbopts);
hexpwd = ""
for x in password:
hexpwd += (hex(ord(x))[2:])
pwd_fd = open(ldappwdfile, "w")
pwd_fd.write("cn=Directory Manager#{HEX}"+hexpwd+"\n")
pwd_fd.close()
os.chmod(ldappwdfile, 0600)
except Exception, e:
print "Failed to create custom configuration files ("+str(e)+") aborting..."
return 1
#Set environment vars so that the modified krb5.conf is used
os.environ['KRB5_CONFIG'] = ourkrb5conf
#Backup the kerberos key material for recovery if needed
args = ["/usr/kerberos/sbin/kdb5_util", "dump", "-verbose", backupfile]
print "Performing safety backup of the key material"
try:
output = ipa.ipautil.run(args)
except ipa.ipautil.CalledProcessError, e:
print "Failed to backup key material ("+str(e)+"), aborting ..."
return 1
if not quiet:
princlist = output[1].split('\n')
print "Principals stored into the backup file "+backupfile+":"
for p in princlist:
print p
print ""
#Convert the kerberos keys to the new master key
args = ["/usr/kerberos/sbin/kdb5_util", "dump", "-verbose", "-new_mkey_file", newstashfile, convertfile]
print "Converting key material to new master key"
try:
output = ipa.ipautil.run(args)
except ipa.ipautil.CalledProcessError, e:
print "Failed to convert key material, aborting ..."
return 1
savedprinclist = output[1].split('\n')
if not quiet:
princlist = output[1].split('\n')
print "Principals dumped for conversion:"
for p in princlist:
print p
print ""
#Stop the KDC
args = ["/etc/init.d/krb5kdc", "stop"]
try:
output = ipa.ipautil.run(args)
if output[0]:
print output[0]
if output[1]:
print output[1]
except ipa.ipautil.CalledProcessError, e:
print "WARNING: Failed to restart the KDC ("+str(e)+")"
print "You will have to manually restart the KDC when the operation is completed"
#Change the mkey into ldap
try:
stash = open(newstashfile, "r")
keytype = struct.unpack('h', stash.read(2))[0]
keylen = struct.unpack('i', stash.read(4))[0]
keydata = stash.read(keylen)
#encode it in the asn.1 attribute
MasterKey = univ.Sequence()
MasterKey.setComponentByPosition(0, univ.Integer(keytype))
MasterKey.setComponentByPosition(1, univ.OctetString(keydata))
krbMKey = univ.Sequence()
krbMKey.setComponentByPosition(0, univ.Integer(0)) #we have no kvno
krbMKey.setComponentByPosition(1, MasterKey)
asn1key = pyasn1.codec.ber.encoder.encode(krbMKey)
dn = "cn="+realm+",cn=kerberos,"+suffix
mod = [(ldap.MOD_REPLACE, 'krbMKey', str(asn1key))]
conn.modify_s(dn, mod)
except Exception, e:
print "ERROR: Failed to upload the Master Key from the Stash file: "+newstashfile+" ("+str(e)+")"
return 1
#Backup old stash file and substitute with new
try:
shutil.move(oldstashfile, bkpstashfile)
shutil.copyfile(newstashfile, oldstashfile)
except Exception, e:
print "ERROR: An error occurred while installing the new stash file("+str(e)+")"
print "The KDC may fail to start if the correct stash file is not in place"
print "Verify that "+newstashfile+" has been correctly installed into "+oldstashfile
print "A backup copy of the old stash file should be saved in "+bkpstashfile
#Finally upload the converted principals
args = ["/usr/kerberos/sbin/kdb5_util", "load", "-verbose", "-update", convertfile]
print "Uploading converted key material"
try:
output = ipa.ipautil.run(args)
except ipa.ipautil.CalledProcessError, e:
print "Failed to upload key material ("+e+"), aborting ..."
return 1
if not quiet:
princlist = output[1].split('\n')
print "Principals converted and uploaded:"
for p in princlist:
print p
print ""
uploadedprinclist = output[1].split('\n')
#Check for differences and report
d = []
for p in savedprinclist:
if uploadedprinclist.count(p) == 0:
d.append(p)
if len(d) != 0:
print "WARNING: Not all dumped principals have been updated"
print "Principals not Updated:"
for p in d:
print p
#Remove custom environ
del os.environ['KRB5_CONFIG']
#Restart Directory Server (the pwd plugin need to read the new mkey)
args = ["/etc/init.d/dirsrv", "restart"]
try:
output = ipa.ipautil.run(args)
if output[0]:
print output[0]
if output[1]:
print output[1]
except ipa.ipautil.CalledProcessError, e:
print "WARNING: Failed to restart the Directory Server ("+str(e)+")"
print "Please manually restart the DS with 'service dirsrv restart'"
#Restart the KDC
args = ["/etc/init.d/krb5kdc", "start"]
try:
output = ipa.ipautil.run(args)
if output[0]:
print output[0]
if output[1]:
print output[1]
except ipa.ipautil.CalledProcessError, e:
print "WARNING: Failed to restart the KDC ("+str(e)+")"
print "Please manually restart the kdc with 'service krb5kdc start'"
print "Master Password successfully changed"
#print "You MUST now copy the stash file "+oldstashfile+" to all the replicas and restart them!"
print ""
return 0
def fix_replica(password, realm, suffix):
try:
conn = ldapobject.SimpleLDAPObject("ldap://127.0.0.1/")
conn.simple_bind("cn=Directory Manager", password)
msgid = conn.search("cn="+realm+",cn=kerberos,"+suffix,
ldap.SCOPE_BASE,
"(objectclass=krbRealmContainer)",
("krbmkey", "cn"))
res = conn.result(msgid)
conn.unbind()
krbmkey = res[1][0][1]['krbmkey'][0]
except Exception, e:
print "Could not connect to the LDAP server, unable to fix server"
print "("+type(e)+")("+dir(e)+")"
raise e
krbMKey = pyasn1.codec.ber.decoder.decode(krbmkey)
keytype = int(krbMKey[0][1][0])
keydata = str(krbMKey[0][1][1])
format = '=hi%ss' % len(keydata)
s = struct.pack(format, keytype, len(keydata), keydata)
try:
fd = open("/var/kerberos/krb5kdc/.k5."+realm, "w")
fd.write(s)
fd.close()
except os.error, e:
print "failed to write stash file"
raise e
#restart KDC so that it can reload the new Master Key
os.system("/etc/init.d/krb5kdc restart")
KRBMKEY_DENY_ACI = """
(targetattr = "krbMKey")(version 3.0; acl "No external access"; deny (all) userdn != "ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
"""
def fix_main(password, realm, suffix):
#Run the change master key tool
print "Changing Kerberos master key"
try:
ret = change_mkey(password, True)
except SystemExit:
ret = 1
pass
except Exception, e:
ret = 1
print "%s" % str(e)
try:
msg = change_mkey_cleanup(password)
if msg:
print msg
except Exception, e:
print "Failed to clean up the temporary location for the dump files and generate and encrypted archive with error:"
print e
print "Please securely archive/encrypt "+basedir
if ret is not 0:
sys.exit(ret)
#Finally upload new master key
#get the Master Key from the stash file
try:
stash = open("/var/kerberos/krb5kdc/.k5."+realm, "r")
keytype = struct.unpack('h', stash.read(2))[0]
keylen = struct.unpack('i', stash.read(4))[0]
keydata = stash.read(keylen)
except os.error:
print "Failed to retrieve Master Key from Stash file: %s"
raise e
#encode it in the asn.1 attribute
MasterKey = univ.Sequence()
MasterKey.setComponentByPosition(0, univ.Integer(keytype))
MasterKey.setComponentByPosition(1, univ.OctetString(keydata))
krbMKey = univ.Sequence()
krbMKey.setComponentByPosition(0, univ.Integer(0)) #we have no kvno
krbMKey.setComponentByPosition(1, MasterKey)
asn1key = pyasn1.codec.ber.encoder.encode(krbMKey)
dn = "cn=%s,cn=kerberos,%s" % (realm, suffix)
sub_dict = dict(REALM=realm, SUFFIX=suffix)
#protect the master key by adding an appropriate deny rule along with the key
mod = [(ldap.MOD_ADD, 'aci', ipa.ipautil.template_str(KRBMKEY_DENY_ACI, sub_dict)),
(ldap.MOD_REPLACE, 'krbMKey', str(asn1key))]
conn = ldapobject.SimpleLDAPObject("ldap://127.0.0.1/")
conn.simple_bind("cn=Directory Manager", password)
conn.modify_s(dn, mod)
conn.unbind()
print "\n"
print "This server is now correctly configured and the master-key has been changed and secured."
print "Please now run this tool with the --fix-replica option on all your other replicas."
print "Until you fix the replicas their KDCs will not work."
def main():
options, args = parse_options()
if options.usage:
usage()
if not options.fix and not options.fix_replica and not options.check:
print "use --help for more info"
usage()
if options.fix or options.fix_replica:
password = getpass.getpass("Directory Manager password: ")
krbctx = krbV.default_context()
realm = krbctx.default_realm
suffix = ipa.ipautil.realm_to_suffix(realm)
try:
ret = check_vuln(realm, suffix)
except:
sys.exit(1)
if options.fix_replica:
if ret is 1:
print "Your system is still vulnerable"
print "If you have already run this tool with --fix on a master then make sure your replication is working correctly, before runnig --fix-replica"
sys.exit(1)
try:
fix_replica(password, realm, suffix)
except Exception, e:
print "Unexpected error ("+str(e)+")"
sys.exit(1)
sys.exit(0)
if options.check:
sys.exit(0)
if options.fix:
if ret is 1:
try:
ret = fix_main(password, realm, suffix)
except Exception, e:
print "Unexpected error ("+str(e)+")"
sys.exit(1)
sys.exit(ret)
try:
if __name__ == "__main__":
sys.exit(main())
except SystemExit, e:
sys.exit(e)
except KeyboardInterrupt, e:
sys.exit(1)

1
ipa-server/ipa-server.spec.in
View File

@ -123,6 +123,7 @@ fi
%{_sbindir}/ipa_kpasswd
%{_sbindir}/ipa_webgui
%{_sbindir}/ipa-upgradeconfig
%{_sbindir}/ipa-fix-CVE-2008-3274
%attr(755,root,root) %{_initrddir}/ipa_kpasswd
%attr(755,root,root) %{_initrddir}/ipa_webgui