Feature #8890

closed

Allow selection of plaintext "encryption" method for root password

Added by William Hefter almost 10 years ago. Updated over 6 years ago.

Status: Closed
Priority: Normal
Category: Host creation
Target version:
Difficulty: trivial
Triaged:
Fixed in Releases:
Found in Releases:

Description

Deployment of Windows servers/clients with Foreman is substantially complicated by the fact that access to the unencrypted root pass inside templates is only possible by exploiting the 'if a password starts with $, leave it alone' mechanism, which means users need to input a root password starting with a $. Windows unattended.xml files require a plaintext or base64-encoded password.

Adding template access to the unencrypted root password by providing a "plaintext" "encryption" option on the host creation page would make Windows deployment much more hassle-free.

I am new to Ruby, but I managed to get something working by modifying the new PasswordCrypt class/service, something like this:

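require 'securerandom'

class PasswordCrypt
  # crypt(3) salt prefixes; 'plaintext' has an empty prefix because nothing is hashed.
  ALGORITHMS = {'plaintext' => '', 'MD5' => '$1$', 'SHA256' => '$5$', 'SHA512' => '$6$'}

  def self.passw_crypt(passwd, hash_alg = 'MD5')
    raise Foreman::Exception.new(N_("Unsupported password hash function '%s'"), hash_alg) unless ALGORITHMS.has_key?(hash_alg)

    # 'plaintext' stores the password unchanged so templates can read it;
    # every other algorithm hashes it with a random salt.
    if hash_alg == 'plaintext'
      return passwd
    else
      return passwd.crypt("#{ALGORITHMS[hash_alg]}#{SecureRandom.base64(6)}")
    end
  end

  # GRUB2 passwords are always hashed with MD5.
  def self.grub2_passw_crypt(passw)
    self.passw_crypt(passw, 'MD5')
  end
end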

The only apparent required changes are then to some strings in app/controllers/api/v1/operatingsystems_controller.rb, app/controllers/api/v2/operatingsystems_controller.rb and locale files.
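What a template needs from the clear-text password, as an added example that is not part of the original issue or of Foreman: it builds the `AdministratorPassword` element of an unattended.xml in both accepted forms and refuses a value that is already a crypt hash. All method names are hypothetical and the sample password is constructed. Windows' Base64 form is the UTF-16LE password with the element name appended, which decodes without any key, so the rendered file has to be handled like the plaintext password.

```ruby
# Added example, not Foreman code; all method names here are hypothetical.
ELEMENT = 'AdministratorPassword'
XML_ESCAPES = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
                '"' => '&quot;', "'" => '&apos;' }.freeze

# True when the value carries one of the crypt prefixes from ALGORITHMS above,
# i.e. the template was handed a hash instead of the clear-text password.
def crypt_hash?(value)
  value.match?(/\A\$[156]\$/)
end

def xml_escape(text)
  text.gsub(/[&<>"']/, XML_ESCAPES)
end

# Windows' non-plaintext form: Base64 of UTF-16LE(password + element name).
def encode_unattend_value(password)
  [(password + ELEMENT).encode('UTF-16LE')].pack('m0')
end

# Reverses the encoding without any key, which is why it is not protection.
def decode_unattend_value(value)
  value.unpack1('m0').force_encoding('UTF-16LE').encode('UTF-8').delete_suffix(ELEMENT)
end

def administrator_password_xml(password, plain_text: false)
  raise ArgumentError, 'got a crypt hash, need the clear-text password' if crypt_hash?(password)

  value = plain_text ? xml_escape(password) : encode_unattend_value(password)
  <<~XML
    <AdministratorPassword>
      <Value>#{value}</Value>
      <PlainText>#{plain_text}</PlainText>
    </AdministratorPassword>
  XML
end

SAMPLE_PASSWORD = 'S3cret&<pw>' # constructed sample value

if __FILE__ == $PROGRAM_NAME
  puts administrator_password_xml(SAMPLE_PASSWORD)
  puts administrator_password_xml(SAMPLE_PASSWORD, plain_text: true)
end
```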


Related issues: 1 (0 open, 1 closed)

Related to Foreman - Bug #11715: Base64 encoded Passwords get re-encoded on unattended/built call (Closed, Tom Caspy, 09/07/2015)