Bug #3241

Default password is not set properly for Red Hats

Added by Lukas Zapletal over 4 years ago. Updated over 4 years ago.

Status:Closed
Priority:High
Assigned To:-
Category:Web Interface
Target version:Sprint 16
Difficulty:easy
Bugzilla link:
Found in release:
Pull request:
Story points:-
Velocity based estimate:-
Release:1.4.0
Release relationship:Auto

Description

Steps to reproduce:

1. Install foreman
2. Change default encrypted password in settings to something else like "abcdefg"
3. Provision a RHEL 6.4 host using default kickstart template
4. Do not set any password in the New Host page, make sure it is blank in the form
5. Try to login with "abcdefg"

Does not work. Spoof kickstart and note this:

rootpw --iscrypted dog8code

It looks like we should encrypt the password when saving it into the settings. In the settings table it is stored in cleartext, the host record is set to nil.

Setting to higher priority as new users will hit this.

Associated revisions

Revision b93373a8
Added by Lukas Zapletal over 4 years ago

fixes #3241 - default password is now MD5

Revision 643e4dad
Added by Lukas Zapletal over 4 years ago

fixes #3241 - default password is now MD5

(cherry picked from commit b93373a828578f941d4020c70682bbe1409d28cd)

History

#1 Updated by Lukas Zapletal over 4 years ago

For me even the default password "123123" does not work. What I see after installation of Foreman 1.3 RC4 is some encrypted text in settings. But it apparently does not work well with Anaconda.

#2 Updated by Lukas Zapletal over 4 years ago

Couple of observations:

Default password set in settings in a clean installation is: xybxa6JUkz63w

When I create a new host with no password set, it renders to this in kickstart:

rootpw --iscrypted xybxa6JUkz63w

I am not sure if this is correct at all, I'd expect $N$salt$hash there. Anyway, it does not work, I cannot login with "123123".

When I try to change default pass in settings to anything, it renders again as:

rootpw --iscrypted anything

Which does not work at all for me. I am testing RHEL6.

#3 Updated by Greg Sutcliffe over 4 years ago

The last part of what you say is correct. Since the Setting asks for the encrypted password, I would indeed expect a Setting of "anything" to render as "rootpw --iscrypted anything".

Looking at app/models/concerns/host_common.rb#96 for normal host(group) passwords we test for a $ at the start of the string and encrypt if it's not present. We don't do this at app/models/host/managed.rb#592, so the correct solution is probably to test for a $ in the setting and add a random hash to the start if it's not already there.

In case anyone asks, I don't think it's correct to store either the salt or the unencrypted password in the Settings menu - it's accessible to many levels of user permissions.
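The check described in comment #3, as an added Ruby example (not Foreman's own code): a hypothetical helper that passes a setting already in crypt(3) `$...` form through unchanged and otherwise hashes the plaintext with a fresh random MD5-crypt (`$1$`) salt, the format the fix commit names. It relies on `String#crypt`, which delegates to the platform's crypt(3); `$1$` salts need glibc, libxcrypt or musl.

```ruby
require 'securerandom'

# Characters crypt(3) accepts in a salt.
SALT_CHARS = [*'a'..'z', *'A'..'Z', *'0'..'9', '.', '/'].freeze

# Build a random 8-character MD5-crypt salt ("$1$<salt>$").
# Assumes a libc whose crypt(3) understands the "$1$" prefix.
def random_md5_salt
  body = Array.new(8) { SALT_CHARS[SecureRandom.random_number(SALT_CHARS.size)] }.join
  "$1$#{body}$"
end

# The test from comment #3: a value beginning with '$' is taken to be a
# crypt(3) hash and used as-is; anything else is plaintext and gets hashed,
# so a cleartext setting never reaches the kickstart unhashed.
def normalize_root_pw(setting)
  return setting if setting.start_with?('$')
  setting.crypt(random_md5_salt)
end

# Render the kickstart line Anaconda consumes.
def render_rootpw(setting)
  "rootpw --iscrypted #{normalize_root_pw(setting)}"
end

# Verify a plaintext against a crypt(3) hash (the hash carries its own salt).
def root_pw_matches?(plain, hashed)
  plain.crypt(hashed) == hashed
end

if __FILE__ == $PROGRAM_NAME
  puts render_rootpw('abcdefg')                          # hashed with a random $1$ salt
  puts render_rootpw('$1$abcdefgh$constructedplaceholder') # passed through untouched
end
```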

#4 Updated by Lukas Zapletal over 4 years ago

  • Status changed from New to Ready For Testing
  • Difficulty set to trivial

https://github.com/theforeman/foreman/pull/944

Would love to see this in 1.3.

#5 Updated by Lukas Zapletal over 4 years ago

  • Related to Tracker #3112: [TRACKER] Issues to be released in 1.3 RC or final added

#6 Updated by Lukas Zapletal over 4 years ago

  • Status changed from Ready For Testing to Closed

Merged as 643e4da

#7 Updated by Lukas Zapletal over 4 years ago

  • Related to deleted (Tracker #3112: [TRACKER] Issues to be released in 1.3 RC or final)

#8 Updated by Lukas Zapletal over 4 years ago

  • Target version changed from 1.3.0 to Sprint 16
  • Release set to 1.4.0
  • Difficulty changed from trivial to easy
