Project

General

Profile

Actions
Copy link

Feature #26608

closed

Windows password hashes require 'AdministratorPassword' at the end of passwd string

Added by Si Man over 5 years ago. Updated almost 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Arend Lapere
Category:
Unattended installations
Target version:
-
Difficulty:
Triaged:
No
Bugzilla link:
Pull request:
https://github.com/theforeman/foreman/pull/7339, https://github.com/theforeman/foreman/pull/7131
Fixed in Releases:
1.24.1, 2.0.0
Found in Releases:
1.21.2
Red Hat JIRA:

Description

Windows OS's that I have tested (2012r2 to 10.1809) require the string "AdministratorPassword" to be appended to the end of the raw password string prior to hashing, which must then be in UTF16LE format. While the hashing method is now included in the latest 1.21.2 release as 'Base-64-Windows' option under Operating System, the additional string is not. Windows (Unattended) Answer files (.xml) encapsulated in provisioning templates (.erb) cannot be processed by the OS unless this string exists at the end of the password when <%= root_pass > is used.

    case hash_alg
    when 'Base64'
      result = Base64.strict_encode64(passwd)
    when 'Base64-Windows'
*      passwd << Base64.strict_encode64("AdministratorPassword")*
      result = Base64.strict_encode64(passwd.encode('utf-16le'))

The attached password_crypt.rb file has an additional line that appends the passwd with the required string.

Templates tested were originally sourced from https://github.com/kireevco/foreman-wimaging/tree/1bd8f0facff80c19a5eccc12c01e8febd00f701e/wimaging and have been customised to my environment.

Files

password_crypt.rb password_crypt.rb 1.29 KB Si Man, 04/17/2019 08:56 AM

Related issues 1 (0 open1 closed)

Related to Foreman - Bug #35946: Windows password-encryption code changes input-valueClosedEric HelmsActions
Actions
Copy link
 #1

Updated by Si Man over 5 years ago

Further testing has shown that the appending of AdministratorPassword does NOT need to be base64 encoded prior to adding to the passwd contents. The following line is enough:

when 'Base64-Windows'
      passwd << "AdministratorPassword" 
      result = Base64.strict_encode64(passwd.encode('utf-16le'))

Also, if a default password is saved in a Host Group it appears to be stored in a hash other than UTF16LE, and the result fails to create a host. Therefore, a password must not be stored in a Host Group and needs to be assigned to a Host upon creation.

Found 2 side-effects of this method however:
1. The build token cannot be successfully retrieved. Unsure why appending the passwd would cause this, but removing the line fixed this issue
2. Cancelling a build results in a password length error, but building or deleting a Host completes OK.

Actions
Copy link
 #2

Updated by Si Man over 5 years ago

  • File deleted (password_crypt.rb)
Actions
Copy link
 #3

Updated by The Foreman Bot about 5 years ago

  • Status changed from New to Ready For Testing
  • Assignee set to Arend Lapere
  • Pull request https://github.com/theforeman/foreman/pull/7131 added
Actions
Copy link
 #4

Updated by The Foreman Bot about 5 years ago

  • Fixed in Releases 2.0.0 added
Actions
Copy link
 #5

Updated by Anonymous about 5 years ago

  • Status changed from Ready For Testing to Closed
Actions
Copy link
 #6

Updated by The Foreman Bot almost 5 years ago

  • Pull request https://github.com/theforeman/foreman/pull/7339 added
Actions
Copy link
 #7

Updated by Tomer Brisker almost 5 years ago

  • Fixed in Releases 1.24.1 added
Actions
Copy link
 #8

Updated by Tomer Brisker almost 5 years ago

  • Category set to Unattended installations
Actions
Copy link
 #9

Updated by Markus Bucher almost 2 years ago

  • Related to Bug #35946: Windows password-encryption code changes input-value added
Actions
Copy link

Also available in: Atom PDF