Bug #3241

closed

Default password is not set properly for Red Hats

Added by Lukas Zapletal over 10 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
High
Assignee:
-
Category:
Web Interface
Target version:
Difficulty:
easy
Triaged:
Fixed in Releases:
Found in Releases:

Description

Steps to reproduce:

1. Install foreman
2. Change default encrypted password in settings to something else like "abcdefg"
3. Provision a RHEL 6.4 host using default kickstart template
4. Do not set any password in the New Host page, make sure it is blank in the form
5. Try to login with "abcdefg"

Does not work. Spoof kickstart and note this:

rootpw --iscrypted dog8code

It looks like we should encrypt the password when saving it into the settings. In the settings table it is stored in cleartext, the host record is set to nil.

Setting to higher priority as new users will hit this.

Actions #1

Updated by Lukas Zapletal over 10 years ago

For me even the default password "123123" does not work. What I see after installation of Foreman 1.3 RC4 is some encrypted text in settings. But it apparently does not work well with Anaconda.

Actions #2

Updated by Lukas Zapletal over 10 years ago

A couple of observations:

Default password set in settings in a clean installation is: xybxa6JUkz63w

When I create a new host with no password set, it renders to this in kickstart:

rootpw --iscrypted xybxa6JUkz63w

I am not sure if this is correct at all, I'd expect $N$salt$hash there. Anyway, it does not work, I cannot login with "123123".

When I try to change default pass in settings to anything, it renders again as:

rootpw --iscrypted anything

Which does not work at all for me. I am testing RHEL6.

Actions #3

Updated by Greg Sutcliffe over 10 years ago

The last part of what you say is correct. Since the Setting asks for the encrypted password, I would indeed expect a Setting of "anything" to render as "rootpw --iscrypted anything".

Looking at app/models/concerns/host_common.rb#96 for normal host(group) passwords we test for a $ at the start of the string and encrypt if it's not present. We don't do this at app/models/host/managed.rb#592, so the correct solution is probably to test for a $ in the setting and add a random hash to the start if it's not already there.

In case anyone asks, I don't think it's correct to store either the salt or the unencrypted password in the Settings menu - it's accessible to many levels of user permissions.
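
The "$ at the start means already crypted, otherwise hash it" check discussed above, written out as an added example (not Foreman's own code from the PR). It assumes a Linux crypt(3) that understands the $6$ (sha512crypt) prefix, and the function names are invented for illustration:

```ruby
require 'securerandom'

# Valid crypt(3) salt alphabet: [a-zA-Z0-9./]
SALT_CHARS = [*'a'..'z', *'A'..'Z', *'0'..'9', '.', '/'].freeze

# The check proposed in the thread: a value starting with "$" is treated as a
# modular-crypt hash ($N$salt$hash) and used verbatim; anything else is
# cleartext and must be hashed before it is rendered into the kickstart.
def crypted?(value)
  value.start_with?('$')
end

# Hash a cleartext root password with sha512crypt ($6$) and a random
# 16-character salt. Uses the platform crypt(3); assumes glibc/musl (Linux).
def crypt_password(cleartext)
  salt = Array.new(16) { SALT_CHARS[SecureRandom.random_number(SALT_CHARS.size)] }.join
  cleartext.crypt("$6$#{salt}$")
end

# Render the rootpw line the way the proposed fix does.
def render_rootpw(setting)
  hashed = crypted?(setting) ? setting : crypt_password(setting)
  "rootpw --iscrypted #{hashed}"
end

# Render the rootpw line the way the buggy code did: the setting is pasted
# in verbatim, so a cleartext "abcdefg" becomes "rootpw --iscrypted abcdefg",
# which Anaconda treats as a (bogus) hash and the login fails.
def render_rootpw_buggy(setting)
  "rootpw --iscrypted #{setting}"
end

# Check a cleartext password against a modular-crypt hash the way login does:
# re-crypt with the salt embedded in the hash and compare in constant time.
# Useful for verifying a rendered kickstart before it reaches a host.
def password_matches?(cleartext, hash)
  candidate = cleartext.crypt(hash)
  return false unless candidate.bytesize == hash.bytesize
  candidate.bytes.zip(hash.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
end

if $PROGRAM_NAME == __FILE__
  puts render_rootpw_buggy('abcdefg') # the broken line from the report
  puts render_rootpw('abcdefg')       # what the fixed rendering produces
end
```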

Actions #4

Updated by Lukas Zapletal over 10 years ago

  • Status changed from New to Ready For Testing
  • Difficulty set to trivial

https://github.com/theforeman/foreman/pull/944

Would love to see this in 1.3.

Actions #5

Updated by Lukas Zapletal over 10 years ago

  • Related to Tracker #3112: [TRACKER] Issues to be released in 1.3 RC or final added

Actions #6

Updated by Lukas Zapletal over 10 years ago

  • Status changed from Ready For Testing to Closed

Merged as 643e4da

Actions #7

Updated by Lukas Zapletal over 10 years ago

  • Related to deleted (Tracker #3112: [TRACKER] Issues to be released in 1.3 RC or final)

Actions #8

Updated by Lukas Zapletal over 10 years ago

  • Target version changed from 1.3.0 to 1.15.0
  • translation missing: en.field_release set to 2
  • Difficulty changed from trivial to easy