Feature #8890

Allow selection of plaintext "encryption" method for root password

Added by William Hefter over 4 years ago. Updated 12 months ago.

Status: Closed
Priority: Normal
Category: Host creation
Target version:
Difficulty: trivial
Triaged:
Bugzilla link:
Team Backlog:
Fixed in Releases:
Found in Releases:

Description

Deployment of Windows servers/clients with Foreman is substantially complicated by the fact that access to the unencrypted root pass inside templates is only possible by exploiting the 'if a password starts with $, leave it alone' mechanism, which means users need to input a root password starting with a $. Windows unattended.xml files require a plaintext or base64-encoded password.

Adding template access to the unencrypted root password by providing a "plaintext" "encryption" option on the host creation page would make Windows deployment much more hassle-free.

I am new to Ruby, but I managed to get something working by modifying the new PasswordCrypt class/service, something like this:

require 'securerandom'

class PasswordCrypt
  # 'plaintext' has no crypt(3) prefix because the value is stored unhashed
  ALGORITHMS = {'plaintext' => '', 'MD5' => '$1$', 'SHA256' => '$5$', 'SHA512' => '$6$'}

  def self.passw_crypt(passwd, hash_alg = 'MD5')
    raise Foreman::Exception.new(N_("Unsupported password hash function '%s'"), hash_alg) unless ALGORITHMS.has_key?(hash_alg)

    # Return the password unchanged for 'plaintext'; otherwise hash it with a random salt
    if hash_alg == 'plaintext'
      return passwd
    else
      return passwd.crypt("#{ALGORITHMS[hash_alg]}#{SecureRandom.base64(6)}")
    end
  end

  def self.grub2_passw_crypt(passw)
    self.passw_crypt(passw, 'MD5')
  end
end

The only apparent required changes are then to some strings in app/controllers/api/v1/operatingsystems_controller.rb, app/controllers/api/v2/operatingsystems_controller.rb and locale files.
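An added example, not part of the original issue and not Foreman code: once a "plaintext" option exists, the "starts with $" rule described above can no longer tell a hash from a recoverable password, so an audit of stored values needs a stricter format check. The helper names (`crypt_algorithm`, `dollar_rule_hashed?`, `audit`) and the sample values are hypothetical; the prefixes are the ones in the `ALGORITHMS` hash above.

```ruby
# Added example, not Foreman code. Prefixes come from the ALGORITHMS hash in
# the description; salt and digest lengths are those of the crypt(3) schemes.
CRYPT_FORMATS = {
  'MD5'    => { prefix: '$1$', salt_max: 8,  digest_len: 22 },
  'SHA256' => { prefix: '$5$', salt_max: 16, digest_len: 43 },
  'SHA512' => { prefix: '$6$', salt_max: 16, digest_len: 86 }
}.freeze
CRYPT_ALPHABET = %r{\A[./0-9A-Za-z]+\z}

# The prefix-only rule quoted in the issue: a leading '$' means "already hashed".
def dollar_rule_hashed?(value)
  value.start_with?('$')
end

# Stricter check (hypothetical helper): the algorithm name when value is a
# well-formed crypt string for a supported scheme, otherwise nil.
def crypt_algorithm(value)
  CRYPT_FORMATS.each do |name, fmt|
    next unless value.start_with?(fmt[:prefix])
    parts = value.delete_prefix(fmt[:prefix]).split('$', -1)
    # SHA-crypt strings may carry an optional "rounds=N" field before the salt
    parts.shift if name != 'MD5' && parts.first.to_s.match?(/\Arounds=\d+\z/)
    next unless parts.length == 2
    salt, digest = parts
    next unless salt.length.between?(1, fmt[:salt_max])
    return name if digest.length == fmt[:digest_len] && digest.match?(CRYPT_ALPHABET)
  end
  nil
end

# Per stored value: which scheme it is, whether the password is recoverable
# from storage, and whether the '$' rule would wrongly treat it as a hash.
def audit(values)
  values.map do |v|
    alg = crypt_algorithm(v)
    { algorithm: alg, recoverable: alg.nil?,
      dollar_rule_wrong: dollar_rule_hashed?(v) && alg.nil? }
  end
end

# Constructed sample values (digests are filler of the right length, not real hashes).
SAMPLES = [
  '$6$Ab3dEf9h$' + 'x' * 86,   # SHA512-crypt shaped
  '$1$saltsalt$' + 'y' * 22,   # MD5-crypt shaped
  '$ummer2015',                # plaintext that merely starts with '$'
  'Winter2015!',               # plaintext
  'V2ludGVyMjAxNSE='           # Base64 of the previous value
].freeze

audit(SAMPLES).each_with_index { |r, i| puts "#{i}: #{r}" } if __FILE__ == $PROGRAM_NAME
```

Values reported as `recoverable` are stored in a form anyone with read access to the database or the rendered template can turn back into the password; Base64 is an encoding, not a hash.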


Related issues

Related to Foreman - Bug #11715: Base64 encoded Passwords get re-encoded on unattended/built call (Closed, 2015-09-07)

Associated revisions

Revision 331ff165 (diff)
Added by William Hefter about 4 years ago

Fixes #8890 - Allow selection of plaintext "encryption" method for root password

Revision a09b74f0 (diff)
Added by William Hefter about 4 years ago

Fixes #8890 - Allow selection of plaintext "encryption" method for root password

(cherry picked from commit 331ff165939399787022e77ad17778e2ac39c148)

History

#1 Updated by The Foreman Bot over 4 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/2083 added
  • Pull request deleted ()

#2 Updated by William Hefter about 4 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#3 Updated by Dominic Cleal about 4 years ago

  • Assignee set to William Hefter
  • Legacy Backlogs Release (now unused) set to 28

#4 Updated by Dominic Cleal almost 4 years ago

  • Related to Bug #11715: Base64 encoded Passwords get re-encoded on unattended/built call added
