Default password is not set properly for Red Hats
Target version: Sprint 16
Found in release:
Pull request:
Velocity based estimate: -
Steps to reproduce:
1. Install Foreman
2. Change the default encrypted password in Settings to something else like "abcdefg"
3. Provision a RHEL 6.4 host using the default kickstart template
4. Do not set any password in the New Host page, make sure it is blank in the form
5. Try to log in with "abcdefg"
Does not work. Spoof kickstart and note this:
rootpw --iscrypted dog8code
It looks like we should encrypt the password when saving it into the settings. In the settings table it is stored in cleartext; the host record is set to nil.
Setting to higher priority as new users will hit this.
#2 Updated by Lukas Zapletal over 4 years ago
Couple of observations:
Default password set in settings in a clean installation is: xybxa6JUkz63w
When I create a new host with no password set, it renders to this in kickstart:
rootpw --iscrypted xybxa6JUkz63w
I am not sure if this is correct at all; I'd expect $N$salt$hash there. Anyway, it does not work, I cannot log in with "123123".
When I try to change default pass in settings to anything, it renders again as:
rootpw --iscrypted anything
Which does not work at all for me. I am testing RHEL6.
#3 Updated by Greg Sutcliffe over 4 years ago
The last part of what you say is correct. Since the Setting asks for the encrypted password, I would indeed expect a Setting of "anything" to render as "rootpw --iscrypted anything".
Looking at app/models/concerns/host_common.rb#96, for normal host(group) passwords we test for a $ at the start of the string and encrypt if it's not present. We don't do this at app/models/host/managed.rb#592, so the correct solution is probably to test for a $ in the setting and add a random hash to the start if it's not already there.
In case anyone asks, I don't think it's correct to store either the salt or the unencrypted password in the Settings menu - it's accessible to many levels of user permissions.
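As an added illustration of the check described in the comment above (this is example code written for this page, not code from the Foreman code base or from anyone in this thread): a value that already starts with "$" is treated as a crypt(3) hash and passed through, anything else is hashed with SHA-512 crypt and a fresh random salt, and the host password is used when present, falling back to the setting when the host record has none. The function names, the fallback order and the choice of the "$6$" (SHA-512) scheme are assumptions; the example relies on Ruby's String#crypt calling the system crypt(3), which supports "$6$" on Linux with glibc or libxcrypt. With it, a cleartext setting such as "abcdefg" renders as "rootpw --iscrypted $6$<salt>$<hash>" instead of the literal string, and the rendered hash verifies against "abcdefg".

```ruby
require 'securerandom'

# Characters crypt(3) accepts in a salt.
SALT_CHARS = [*'a'..'z', *'A'..'Z', *'0'..'9', '.', '/'].freeze

# Random 16-character salt for a SHA-512 crypt ("$6$") hash.
def random_salt(length = 16)
  Array.new(length) { SALT_CHARS[SecureRandom.random_number(SALT_CHARS.size)] }.join
end

# Normalise a root-password value for "rootpw --iscrypted":
#  - nil/empty -> nil (caller decides what to do with no password)
#  - starts with "$" -> assumed to be an existing $N$salt$hash, returned unchanged
#  - anything else -> cleartext, hashed with SHA-512 crypt and a new random salt
# (Assumed helper, modelled on the "$ at the start" test mentioned in the thread.)
def ensure_crypted(value)
  return nil if value.nil? || value.empty?
  return value if value.start_with?('$')

  value.crypt("$6$#{random_salt}$")
end

# Check a cleartext password against a crypt hash: crypt(3) re-run with the
# full hash as the "salt" reproduces the hash only for the right password.
def crypted_match?(cleartext, crypted)
  cleartext.crypt(crypted) == crypted
end

# Resolve the password for a host: the host's own password wins, the
# Settings value is the fallback when the host record carries none.
def root_pass(host_password, setting_value)
  chosen = host_password.to_s.empty? ? setting_value : host_password
  ensure_crypted(chosen)
end

# Render the kickstart line; returns nil if no password is available at all.
def rootpw_line(host_password, setting_value)
  crypted = root_pass(host_password, setting_value)
  crypted && "rootpw --iscrypted #{crypted}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: blank host password, cleartext value in Settings.
  line = rootpw_line(nil, 'abcdefg')
  puts line
  hash = line.split.last
  puts "login with 'abcdefg' works:  #{crypted_match?('abcdefg', hash)}"
  puts "login with 'anything' works: #{crypted_match?('anything', hash)}"
  # A setting that is already a hash is passed through untouched.
  puts rootpw_line('', hash) == line
end
```

Running the script prints a "$6$" line for the cleartext setting, confirms that "abcdefg" matches the rendered hash while a wrong password does not, and shows that an already-hashed setting is not hashed a second time. Note that this only fixes rendering; as the comment says, the setting itself is still visible to anyone who can read Settings, so a cleartext value stored there remains exposed until it is hashed on save.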