[Pkg-freeipa-devel] freeipa: Changes to 'upstream-unstable'
Timo Aaltonen
tjaalton-guest at alioth.debian.org
Thu Nov 7 10:12:37 UTC 2013
Rebased ref, commits from common ancestor:
commit d261cc751efc7841ef720ceedf0abe07e6f211f6
Author: Martin Kosek <mkosek at redhat.com>
Date: Fri Nov 1 16:31:42 2013 +0100
Become IPA 3.3.3
diff --git a/VERSION b/VERSION
index a20d8bb..2e9a774 100644
--- a/VERSION
+++ b/VERSION
@@ -20,7 +20,7 @@
########################################################
IPA_VERSION_MAJOR=3
IPA_VERSION_MINOR=3
-IPA_VERSION_RELEASE=2
+IPA_VERSION_RELEASE=3
########################################################
# For 'pre' releases the version will be #
commit ddfc34f4bf8a0d5a018481f3662523f95beddd7a
Author: Tomas Babej <tbabej at redhat.com>
Date: Fri Nov 1 13:59:16 2013 +0100
ipatests: test_trust: use domain name instead of realm for user lookups
diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
index c516730..68fc028 100644
--- a/ipatests/test_integration/test_trust.py
+++ b/ipatests/test_integration/test_trust.py
@@ -86,7 +86,8 @@ class TestBasicADTrust(ADTrustBase):
def test_user_gid_uid_resolution_in_nonposix_trust(self):
"""Check that user has SID-generated UID"""
- testuser = 'testuser@%s' % self.ad.domain.realm
+ # Using domain name since it is lowercased realm name for AD domains
+ testuser = 'testuser@%s' % self.ad.domain.name
result = self.master.run_command(['getent', 'passwd', testuser])
# This regex checks that Test User does not have UID 10042 nor belongs
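Review bot: The same two lines, `# Using domain name since it is lowercased realm name for AD domains` and `testuser = 'testuser@%s' % self.ad.domain.name`, are repeated in the hunks at `test_user_uid_gid_resolution_in_posix_trust` and `test_user_without_posix_attributes_not_visible`. A small helper on the base class, e.g. `def ad_user(self, name): return '%s@%s' % (name, self.ad.domain.name)`, would carry the rationale once and keep the three call sites from drifting. Each of the three test methods continues past its hunk.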
@@ -124,7 +125,8 @@ class TestPosixADTrust(ADTrustBase):
def test_user_uid_gid_resolution_in_posix_trust(self):
# Check that user has AD-defined UID
- testuser = 'testuser@%s' % self.ad.domain.realm
+ # Using domain name since it is lowercased realm name for AD domains
+ testuser = 'testuser@%s' % self.ad.domain.name
result = self.master.run_command(['getent', 'passwd', testuser])
testuser_stdout = "testuser@%s:*:10042:10047:"\
@@ -136,7 +138,8 @@ class TestPosixADTrust(ADTrustBase):
def test_user_without_posix_attributes_not_visible(self):
# Check that user has AD-defined UID
- nonposixuser = 'nonposixuser@%s' % self.ad.domain.realm
+ # Using domain name since it is lowercased realm name for AD domains
+ nonposixuser = 'nonposixuser@%s' % self.ad.domain.name
result = self.master.run_command(['getent', 'passwd', nonposixuser],
raiseonerr=False)
commit 13a0f8694c55114f5ff224aa69bc28492419ebb1
Author: Tomas Babej <tbabej at redhat.com>
Date: Fri Nov 1 13:57:18 2013 +0100
ipatests: Add integration tests for legacy clients
Part of: https://fedorahosted.org/freeipa/ticket/3833
diff --git a/ipatests/test_integration/test_legacy_clients.py b/ipatests/test_integration/test_legacy_clients.py
new file mode 100644
index 0000000..72b7ff4
--- /dev/null
+++ b/ipatests/test_integration/test_legacy_clients.py
@@ -0,0 +1,261 @@
+# Authors:
+# Tomas Babej <tbabej at redhat.com>
+#
+# Copyright (C) 2013 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+import os
+import re
+
+import nose
+
+from ipatests.test_integration import tasks
+
+# importing test_trust under different name to avoid nose executing the test
+# base class imported from this module
+from ipatests.test_integration import test_trust as trust_tests
+
+
+class BaseTestLegacyClient(trust_tests.TestEnforcedPosixADTrust):
+ """
+ Tests legacy client support.
+ """
+
+ advice_id = None
+ backup_files = ['/etc/sysconfig/authconfig',
+ '/etc/pam.d',
+ '/etc/openldap/cacerts',
+ '/etc/openldap/ldap.conf',
+ '/etc/nsswitch.conf',
+ '/etc/sssd/sssd.conf']
+
+ @classmethod
+ def setup_class(cls):
+ super(BaseTestLegacyClient, cls).setup_class()
+ cls.ad = cls.ad_domains[0].ads[0]
+
+ cls.legacy_client = cls.host_by_role(cls.required_extra_roles[0])
+ tasks.apply_common_fixes(cls.legacy_client)
+
+ for f in cls.backup_files:
+ tasks.backup_file(cls.legacy_client, f)
+
+ def test_remove_trust_with_posix_attributes(self):
+ pass
+
+ def test_apply_advice(self):
+ # Obtain the advice from the server
+ tasks.kinit_admin(self.master)
+ result = self.master.run_command(['ipa-advise', self.advice_id])
+ advice = result.stdout_text
+
+ # Apply the advice on the legacy client
+ advice_path = os.path.join(self.legacy_client.config.test_dir,
+ 'advice.sh')
+ self.legacy_client.put_file_contents(advice_path, advice)
+ result = self.legacy_client.run_command(['bash', '-x', '-e',
+ advice_path])
+
+ # Restart SSHD to load new PAM configuration
+ self.legacy_client.run_command(['/sbin/service', 'sshd', 'restart'])
+
+ def clear_sssd_caches(self):
+ tasks.clear_sssd_cache(self.master)
+ tasks.clear_sssd_cache(self.legacy_client)
+
+ def test_getent_ipa_user(self):
+ self.clear_sssd_caches()
+ result = self.legacy_client.run_command(['getent', 'passwd', 'admin'])
+
+ admin_regex = "^admin:\*:(\d+):(\d+):"\
+ "Administrator:/home/admin:/bin/bash$"
+
+ assert re.search(admin_regex, result.stdout_text)
+
+ def test_getent_ipa_group(self):
+ self.clear_sssd_caches()
+ result = self.legacy_client.run_command(['getent', 'group', 'admins'])
+
+ admin_group_regex = "^admins:\*:(\d+):admin"
+
+ assert re.search(admin_group_regex, result.stdout_text)
+
+ def test_id_ipa_user(self):
+ self.clear_sssd_caches()
+ result = self.legacy_client.run_command(['id', 'admin'])
+
+ uid_regex = "uid=(\d+)\(admin\)"
+ gid_regex = "gid=(\d+)\(admins\)"
+ groups_regex = "groups=(\d+)\(admins\)"
+
+ assert re.search(uid_regex, result.stdout_text)
+ assert re.search(gid_regex, result.stdout_text)
+ assert re.search(groups_regex, result.stdout_text)
+
+ def test_getent_ad_user(self):
+ self.clear_sssd_caches()
+ testuser = 'testuser@%s' % self.ad.domain.name
+ result = self.legacy_client.run_command(['getent', 'passwd', testuser])
+
+ testuser_stdout = "testuser@%s:*:10042:10047:"\
+ "Test User:/home/testuser:/bin/sh"\
+ % self.ad.domain.name
+
+ assert testuser_stdout in result.stdout_text
+
+ def test_getent_ad_group(self):
+ self.clear_sssd_caches()
+ testgroup = 'test group@%s' % self.ad.domain.name
+ result = self.legacy_client.run_command(['getent', 'group', testgroup])
+
+ testgroup_stdout = "%s:\*:10047:" % testgroup
+ assert re.search(testgroup_stdout, result.stdout_text)
+
+ def test_id_ad_user(self):
+ self.clear_sssd_caches()
+ testuser = 'testuser@%s' % self.ad.domain.name
+ testgroup = 'test group@%s' % self.ad.domain.name
+
+ result = self.legacy_client.run_command(['id', testuser])
+
+ uid_regex = "uid=10042\(%s\)" % testuser
+ gid_regex = "gid=10047\(%s\)" % testgroup
+ groups_regex = "groups=10047\(%s\)" % testgroup
+
+ assert re.search(uid_regex, result.stdout_text)
+ assert re.search(gid_regex, result.stdout_text)
+ assert re.search(groups_regex, result.stdout_text)
+
+ def test_login_ipa_user(self):
+ if not self.master.transport.file_exists('/usr/bin/sshpass'):
+ raise nose.SkipTest('Package sshpass not available on %s'
+ % self.master.hostname)
+
+ result = self.master.run_command(
+ 'sshpass -p %s '
+ 'ssh '
+ '-o StrictHostKeyChecking=no '
+ '-l admin '
+ '%s '
+ '"echo test"' %
+ (self.legacy_client.config.admin_password,
+ self.legacy_client.external_hostname))
+
+ assert "test" in result.stdout_text
+
+ def test_login_ad_user(self):
+ if not self.master.transport.file_exists('/usr/bin/sshpass'):
+ raise nose.SkipTest('Package sshpass not available on %s'
+ % self.master.hostname)
+
+ testuser = 'testuser@%s' % self.ad.domain.name
+ result = self.master.run_command(
+ 'sshpass -p Secret123 '
+ 'ssh '
+ '-o StrictHostKeyChecking=no '
+ '-l %s '
+ '%s '
+ '"echo test"' %
+ (testuser, self.legacy_client.external_hostname))
+
+ assert "test" in result.stdout_text
+
+ def test_login_disabled_ipa_user(self):
+ if not self.master.transport.file_exists('/usr/bin/sshpass'):
+ raise nose.SkipTest('Package sshpass not available on %s'
+ % self.master.hostname)
+
+ self.clear_sssd_caches()
+
+ result = self.master.run_command(
+ 'sshpass -p %s '
+ 'ssh '
+ '-o StrictHostKeyChecking=no '
+ '-l disabledipauser '
+ '%s '
+ '"echo test"'
+ % (self.legacy_client.config.admin_password,
+ self.legacy_client.external_hostname),
+ raiseonerr=False)
+
+ assert result.returncode != 0
+
+ def test_login_disabled_ad_user(self):
+ if not self.master.transport.file_exists('/usr/bin/sshpass'):
+ raise nose.SkipTest('Package sshpass not available on %s'
+ % self.master.hostname)
+
+ testuser = 'disabledaduser@%s' % self.ad.domain.name
+ result = self.master.run_command(
+ 'sshpass -p Secret123 '
+ 'ssh '
+ '-o StrictHostKeyChecking=no '
+ '-l %s '
+ '%s '
+ '"echo test"' %
+ (testuser, self.legacy_client.external_hostname),
+ raiseonerr=False)
+
+ assert result.returncode != 0
+
+ @classmethod
+ def install(cls):
+ super(BaseTestLegacyClient, cls).install()
+
+ password_confirmation = (
+ cls.master.config.admin_password +
+ '\n' +
+ cls.master.config.admin_password
+ )
+
+ cls.master.run_command(['ipa', 'user-add', 'disabledipauser',
+ '--first', 'disabled',
+ '--last', 'ipauser',
+ '--password'],
+ stdin_text=password_confirmation)
+
+ cls.master.run_command(['ipa', 'user-disable', 'disabledipauser'])
+
+ @classmethod
+ def uninstall(cls):
+ cls.master.run_command(['ipa', 'user-del', 'disabledipauser'],
+ raiseonerr=False)
+ tasks.unapply_fixes(cls.legacy_client)
+ super(BaseTestLegacyClient, cls).uninstall()
+
+
+class TestLegacySSSDBefore19RedHat(BaseTestLegacyClient):
+
+ advice_id = 'config-redhat-sssd-before-1-9'
+ required_extra_roles = ['legacy_client_sssd_redhat']
+
+
+class TestLegacyNssPamLdapdRedHat(BaseTestLegacyClient):
+
+ advice_id = 'config-redhat-nss-pam-ldapd'
+ required_extra_roles = ['legacy_client_nss_pam_ldapd_redhat']
+
+ def clear_sssd_caches(self):
+ tasks.clear_sssd_cache(self.master)
+
+
+class TestLegacyNssLdapRedHat(BaseTestLegacyClient):
+
+ advice_id = 'config-redhat-nss-ldap'
+ required_extra_roles = ['legacy_client_nss_ldap_redhat']
+
+ def clear_sssd_caches(self):
+ tasks.clear_sssd_cache(self.master)
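Review bot: In `test_login_ipa_user` the admin password is interpolated unquoted into a shell string, `'sshpass -p %s ' % (self.legacy_client.config.admin_password, ...)`, so a password containing whitespace or shell metacharacters breaks the command, and `-p` places the secret on the command line where it is visible in the process list while ssh runs. sshpass supports `-e` (password taken from the `SSHPASS` environment variable) and `-f FILE`; if `run_command` can pass an environment, `sshpass -e` is the better shape, otherwise at least wrap the value with `pipes.quote` (or `shlex.quote` on Python 3). The same construction is repeated in `test_login_ad_user`, `test_login_disabled_ipa_user` and `test_login_disabled_ad_user`. Separately, `test_getent_ad_group` and `test_id_ad_user` splice `testgroup`/`testuser` into a regex without `re.escape`, so the `.` in the domain name matches any character rather than a literal dot.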
commit 33ea1496572aa2f8545b853cc2b3bb4e3d5cc967
Author: Tomas Babej <tbabej at redhat.com>
Date: Wed Oct 30 10:08:08 2013 +0100
ipatests: Use command -v instead of which in legacy client advice
Part of: https://fedorahosted.org/freeipa/ticket/3833
diff --git a/ipaserver/advise/plugins/legacy_clients.py b/ipaserver/advise/plugins/legacy_clients.py
index 1e076bf..6d17f7e 100644
--- a/ipaserver/advise/plugins/legacy_clients.py
+++ b/ipaserver/advise/plugins/legacy_clients.py
@@ -52,7 +52,7 @@ class config_base_legacy_client(Advice):
'/etc/openldap/cacerts/ipa.crt\n' % api.env.host)
self.log.comment('Generate hashes for the openldap library')
- self.log.command('which cacertdir_rehash')
+ self.log.command('command -v cacertdir_rehash')
self.log.command('if [ $? -ne 0 ] ; then')
self.log.command(' wget "%s" -O cacertdir_rehash ;' % cacertdir_rehash)
self.log.command(' chmod 755 ./cacertdir_rehash ;')
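Review bot: `self.log.command('command -v cacertdir_rehash')` followed by a separate `$?` test only reaches the fallback when the generated script runs without `set -e`; under `-e` (the integration test added in this series runs the advice with `bash -x -e`) a missing binary makes `command -v` fail and bash aborts before the `if [ $? -ne 0 ]` line. Folding the lookup into the conditional avoids that and also silences the path `command -v` prints on success: `self.log.command('if ! command -v cacertdir_rehash >/dev/null 2>&1 ; then')` in place of the two emitted lines. The enclosing method starts before the hunk, and since the branch it guards fetches and executes a file with wget, it is worth confirming that branch is actually exercised in testing.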
@@ -362,7 +362,7 @@ class config_redhat_nss_ldap(config_base_legacy_client):
self.log.comment('Install required packages via yum')
self.log.command('yum install -y wget openssl nss_ldap '
- 'authconfig which\n')
+ 'authconfig\n')
self.configure_ca_cert()
commit 6aed1c61abd82af521f5009404d0188bb1424659
Author: Martin Kosek <mkosek at redhat.com>
Date: Fri Nov 1 09:25:33 2013 +0100
Remove deprecated AllowLMhash config
Remove this ipaConfigString value as LM hash is deprecated and in
fact even insecure.
https://fedorahosted.org/freeipa/ticket/3795
diff --git a/install/updates/50-ipaconfig.update b/install/updates/50-ipaconfig.update
index 69783f1..ce617fe 100644
--- a/install/updates/50-ipaconfig.update
+++ b/install/updates/50-ipaconfig.update
@@ -1,5 +1,5 @@
dn: cn=ipaConfig,cn=etc,$SUFFIX
add:ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023
add:ipaSELinuxUserMapDefault: unconfined_u:s0-s0:c0.c1023
-
add:ipaUserObjectClasses: ipasshuser
+remove:ipaConfigString:AllowLMhash
commit 88f52302f95e01deec14f3590f0a7a17f7324e33
Author: Sumit Bose <sbose at redhat.com>
Date: Tue Oct 29 12:19:01 2013 +0100
Remove generation and handling of LM hashes
https://fedorahosted.org/freeipa/ticket/3795
diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 59ddcef..674085d 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -2637,10 +2637,9 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
char *name;
char *trustpw = NULL;
char *trustpw_utf8 = NULL;
- char *trustpw_utf8_uc = NULL;
char *tmp_str = NULL;
int ret;
- struct ntlm_keys ntlm_keys;
+ uint8_t nt_key[16];
size_t converted_size;
bool res;
char *sid_str;
@@ -2706,23 +2705,13 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
goto done;
}
- if (!push_utf8_talloc(user, &trustpw_utf8_uc, tmp_str, &converted_size)) {
- res = false;
- goto done;
- }
-
- ret = encode_ntlm_keys(trustpw_utf8, trustpw_utf8_uc, true, true,
- &ntlm_keys);
+ ret = encode_nt_key(trustpw_utf8, nt_key);
if (ret != 0) {
res = false;
goto done;
}
- if (!pdb_set_lanman_passwd(user, ntlm_keys.lm, PDB_SET)) {
- res = false;
- goto done;
- }
- if (!pdb_set_nt_passwd(user, ntlm_keys.nt, PDB_SET)) {
+ if (!pdb_set_nt_passwd(user, nt_key, PDB_SET)) {
res = false;
goto done;
}
@@ -2741,10 +2730,6 @@ done:
memset(tmp_str, 0, strlen(tmp_str));
talloc_free(tmp_str);
}
- if (trustpw_utf8_uc != NULL) {
- memset(trustpw_utf8_uc, 0, strlen(trustpw_utf8_uc));
- talloc_free(trustpw_utf8_uc);
- }
return res;
}
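Review bot: The new `uint8_t nt_key[16]` buffer holds the NT hash derived from the trust password, but the `done:` path scrubs only `tmp_str` (and no longer the removed `trustpw_utf8_uc`), so the hash remains on the stack after `init_sam_from_td` returns. Clearing it with the rest of the cleanup, e.g. `memset(nt_key, 0, sizeof(nt_key));` before `return res;`, keeps the function's existing practice of wiping password-derived material; a memset immediately before return can be elided by the compiler, so an explicit secure-zero helper is preferable if the tree already has one. `init_sam_from_td` starts before the first hunk of this file.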
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
index f0339c4..2538a40 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
@@ -366,7 +366,6 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
slapi_entry_free(config_entry);
/* get the ipa etc/ipaConfig entry */
- config->allow_lm_hash = false;
config->allow_nt_hash = false;
ret = ipapwd_getEntry(ipa_etc_config_dn, &config_entry, NULL);
if (ret != LDAP_SUCCESS) {
@@ -376,10 +375,6 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
tmparray = slapi_entry_attr_get_charray(config_entry,
"ipaConfigString");
for (i = 0; tmparray && tmparray[i]; i++) {
- if (strcasecmp(tmparray[i], "AllowLMhash") == 0) {
- config->allow_lm_hash = true;
- continue;
- }
if (strcasecmp(tmparray[i], "AllowNThash") == 0) {
config->allow_nt_hash = true;
continue;
@@ -928,7 +923,6 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
Slapi_Value **pwvals = NULL;
struct tm utctime;
char timestr[GENERALIZED_TIME_LENGTH+1];
- char *lm = NULL;
char *nt = NULL;
int is_smb = 0;
int is_ipant = 0;
@@ -965,7 +959,7 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
ret = ipapwd_gen_hashes(krbcfg, data,
data->password,
is_krb, is_smb, is_ipant,
- &svals, &nt, &lm, &ntvals, &errMesg);
+ &svals, &nt, &ntvals, &errMesg);
if (ret) {
goto free_and_return;
}
@@ -1004,11 +998,6 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
}
}
- if (lm && is_smb) {
- slapi_mods_add_string(smods, LDAP_MOD_REPLACE,
- "sambaLMPassword", lm);
- }
-
if (nt && is_smb) {
slapi_mods_add_string(smods, LDAP_MOD_REPLACE,
"sambaNTPassword", nt);
@@ -1069,7 +1058,6 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
LOG_TRACE("<= result: %d\n", ret);
free_and_return:
- if (lm) slapi_ch_free((void **)&lm);
if (nt) slapi_ch_free((void **)&nt);
if (modtime) slapi_ch_free((void **)&modtime);
slapi_mods_free(&smods);
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c
index a92eaf0..28f164e 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c
@@ -201,15 +201,13 @@ enc_error:
int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
struct ipapwd_data *data, char *userpw,
int is_krb, int is_smb, int is_ipant, Slapi_Value ***svals,
- char **nthash, char **lmhash, Slapi_Value ***ntvals,
+ char **nthash, Slapi_Value ***ntvals,
char **errMesg)
{
int rc;
- char *userpw_uc = NULL;
*svals = NULL;
*nthash = NULL;
- *lmhash = NULL;
*errMesg = NULL;
if (is_krb) {
@@ -225,40 +223,24 @@ int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
}
if (is_smb || is_ipant) {
- char lm[33], nt[33];
- struct ntlm_keys ntlm;
+ char nt[33];
+ uint8_t nt_key[16];
int ret;
- userpw_uc = (char *) slapi_utf8StrToUpper((unsigned char *) userpw);
- if (!userpw_uc) {
- *errMesg = "Failed to generate upper case password\n";
- LOG_FATAL("%s", *errMesg);
- rc = LDAP_OPERATIONS_ERROR;
- goto done;
- }
-
- ret = encode_ntlm_keys(userpw,
- userpw_uc,
- krbcfg->allow_lm_hash,
- krbcfg->allow_nt_hash,
- &ntlm);
- memset(userpw_uc, 0, strlen(userpw_uc));
- slapi_ch_free_string(&userpw_uc);
- if (ret) {
- *errMesg = "Failed to generate NT/LM hashes\n";
- LOG_FATAL("%s", *errMesg);
- rc = LDAP_OPERATIONS_ERROR;
- goto done;
- }
- if (krbcfg->allow_lm_hash) {
- hexbuf(lm, ntlm.lm);
- lm[32] = '\0';
- *lmhash = slapi_ch_strdup(lm);
- }
if (krbcfg->allow_nt_hash) {
- hexbuf(nt, ntlm.nt);
+ ret = encode_nt_key(userpw, nt_key);
+ if (ret) {
+ *errMesg = "Failed to generate NT/LM hashes\n";
+ LOG_FATAL("%s", *errMesg);
+ rc = LDAP_OPERATIONS_ERROR;
+ goto done;
+ }
+
+ hexbuf(nt, nt_key);
nt[32] = '\0';
*nthash = slapi_ch_strdup(nt);
+ } else {
+ memset(nt_key, 0, 16);
}
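Review bot: The error text set at `*errMesg = "Failed to generate NT/LM hashes\n";` still names the LM hash this commit removes; `"Failed to generate NT hash\n"` matches what `encode_nt_key` now produces. In the new `else` branch `memset(nt_key, 0, 16)` hardcodes the digest length where `sizeof(nt_key)` would follow the declaration at `uint8_t nt_key[16];`. Neither `nt_key` nor the hex buffer `nt[33]` is cleared once `slapi_ch_strdup` and `slapi_value_set` have taken their copies; `ipapwd_gen_hashes` continues past the hunk, so whether the `done:` path wipes them cannot be seen here and is worth checking.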
if (is_ipant) {
@@ -269,7 +251,7 @@ int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
goto done;
}
(*ntvals)[0] = slapi_value_new();
- if (slapi_value_set((*ntvals)[0], ntlm.nt, 16) == NULL) {
+ if (slapi_value_set((*ntvals)[0], nt_key, 16) == NULL) {
rc = LDAP_OPERATIONS_ERROR;
goto done;
}
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
index 74b6362..b408748 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
@@ -132,7 +132,6 @@ struct ipapwd_krbcfg {
krb5_key_salt_tuple *pref_encsalts;
char **passsync_mgrs;
int num_passsync_mgrs;
- bool allow_lm_hash;
bool allow_nt_hash;
};
@@ -172,7 +171,7 @@ void ipapwd_keyset_free(struct ipapwd_keyset **pkset);
int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
struct ipapwd_data *data, char *userpw,
int is_krb, int is_smb, int is_ipant,
- Slapi_Value ***svals, char **nthash, char **lmhash,
+ Slapi_Value ***svals, char **nthash,
Slapi_Value ***ntvals, char **errMesg);
/* from prepost.c */
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
index 64a9d31..ef37b5e 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
@@ -325,13 +325,12 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
Slapi_Value **svals = NULL;
Slapi_Value **ntvals = NULL;
char *nt = NULL;
- char *lm = NULL;
pwdop->is_krb = is_krb;
rc = ipapwd_gen_hashes(krbcfg, &pwdop->pwdata,
userpw, is_krb, is_smb, is_ipant,
- &svals, &nt, &lm, &ntvals, &errMesg);
+ &svals, &nt, &ntvals, &errMesg);
if (rc != LDAP_SUCCESS) {
goto done;
}
@@ -349,11 +348,6 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
ipapwd_free_slapi_value_array(&svals);
}
- if (lm && is_smb) {
- /* set value */
- slapi_entry_attr_set_charptr(e, "sambaLMPassword", lm);
- slapi_ch_free_string(&lm);
- }
if (nt && is_smb) {
/* set value */
slapi_entry_attr_set_charptr(e, "sambaNTPassword", nt);
@@ -814,11 +808,10 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
Slapi_Value **svals = NULL;
Slapi_Value **ntvals = NULL;
char *nt = NULL;
- char *lm = NULL;
rc = ipapwd_gen_hashes(krbcfg, &pwdop->pwdata, unhashedpw,
gen_krb_keys, is_smb, is_ipant,
- &svals, &nt, &lm, &ntvals, &errMesg);
+ &svals, &nt, &ntvals, &errMesg);
if (rc) {
goto done;
}
@@ -830,12 +823,6 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
ipapwd_free_slapi_value_array(&svals);
}
- if (lm && is_smb) {
- /* replace value */
- slapi_mods_add_string(smods, LDAP_MOD_REPLACE,
- "sambaLMPassword", lm);
- slapi_ch_free_string(&lm);
- }
if (nt && is_smb) {
/* replace value */
slapi_mods_add_string(smods, LDAP_MOD_REPLACE,
diff --git a/util/ipa_pwd.h b/util/ipa_pwd.h
index a6990ca..bc07549 100644
--- a/util/ipa_pwd.h
+++ b/util/ipa_pwd.h
@@ -74,15 +74,6 @@ int ipapwd_generate_new_history(char *password,
char ***new_pwd_history,
int *new_pwd_hlen);
-struct ntlm_keys {
- uint8_t lm[16];
- uint8_t nt[16];
-};
-
-int encode_ntlm_keys(char *newPasswd,
- char *upperPasswd,
- bool do_lm_hash,
- bool do_nt_hash,
- struct ntlm_keys *keys);
+int encode_nt_key(char *newPasswd, uint8_t *nt_key);
#endif
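Review bot: The new prototype `int encode_nt_key(char *newPasswd, uint8_t *nt_key);` gives no indication of how large `nt_key` must be; the callers in this series declare `uint8_t nt_key[16]` and the implementation writes an MD4 digest into it. Spelling that out in the header, e.g. `int encode_nt_key(char *newPasswd, uint8_t nt_key[16]);` with a comment `/* nt_key: receives the 16-byte NT (MD4) hash of newPasswd; returns 0 on success, -1 on failure */`, gives future callers the contract the removed `struct ntlm_keys` made explicit.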
diff --git a/util/ipa_pwd_ntlm.c b/util/ipa_pwd_ntlm.c
index a3399b5..8ffa666 100644
--- a/util/ipa_pwd_ntlm.c
+++ b/util/ipa_pwd_ntlm.c
@@ -32,178 +32,70 @@
#define KTF_UTF8 "UTF-8"
#define KTF_UCS2 "UCS-2LE"
-static const uint8_t parity_table[128] = {
- 1, 2, 4, 7, 8, 11, 13, 14, 16, 19, 21, 22, 25, 26, 28, 31,
- 32, 35, 37, 38, 41, 42, 44, 47, 49, 50, 52, 55, 56, 59, 61, 62,
- 64, 67, 69, 70, 73, 74, 76, 79, 81, 82, 84, 87, 88, 91, 93, 94,
- 97, 98,100,103,104,107,109,110,112,115,117,118,121,122,124,127,
- 128,131,133,134,137,138,140,143,145,146,148,151,152,155,157,158,
- 161,162,164,167,168,171,173,174,176,179,181,182,185,186,188,191,
- 193,194,196,199,200,203,205,206,208,211,213,214,217,218,220,223,
- 224,227,229,230,233,234,236,239,241,242,244,247,248,251,253,254
-};
-
-static void lm_shuffle(uint8_t *out, uint8_t *in)
-{
- out[0] = parity_table[in[0]>>1];
- out[1] = parity_table[((in[0]<<6)|(in[1]>>2)) & 0x7F];
- out[2] = parity_table[((in[1]<<5)|(in[2]>>3)) & 0x7F];
- out[3] = parity_table[((in[2]<<4)|(in[3]>>4)) & 0x7F];
- out[4] = parity_table[((in[3]<<3)|(in[4]>>5)) & 0x7F];
- out[5] = parity_table[((in[4]<<2)|(in[5]>>6)) & 0x7F];
- out[6] = parity_table[((in[5]<<1)|(in[6]>>7)) & 0x7F];
- out[7] = parity_table[in[6] & 0x7F];
-}
-
-/* create the lm and nt hashes
+/* create the nt hash
newPassword: the clear text utf8 password
- upperPasswd: upper case version of clear text utf8 password
- do_lm_hash: determine if LM hash is generated
- do_nt_hash: determine if NT hash is generated
- keys[out]: array with generated hashes
+ nt_key[out]: array with generated hash
*/
-int encode_ntlm_keys(char *newPasswd,
- char *upperPasswd,
- bool do_lm_hash,
- bool do_nt_hash,
- struct ntlm_keys *keys)
+int encode_nt_key(char *newPasswd, uint8_t *nt_key)
{
int ret = 0;
+ iconv_t cd;
+ size_t cs, il, ol, sl;
+ char *inc, *outc;
+ char *ucs2Passwd;
+ MD4_CTX md4ctx;
+
+ /* TODO: must store the dos charset somewhere in the directory */
+ cd = iconv_open(KTF_UCS2, KTF_UTF8);
+ if (cd == (iconv_t)(-1)) {
+ ret = -1;
+ goto done;
+ }
- /* do lanman first */
- if (do_lm_hash) {
- iconv_t cd;
- size_t cs, il, ol;
- char *inc, *outc;
- char *asciiPasswd;
- DES_key_schedule schedule;
- DES_cblock deskey;
- DES_cblock magic = "KGS!@#$%";
-
- if (upperPasswd == NULL) {
- ret = -1;
- goto done;
- }
- il = strlen(upperPasswd);
-
- /* TODO: must store the dos charset somewhere in the directory */
- cd = iconv_open(KTF_DOS_CHARSET, KTF_UTF8);
- if (cd == (iconv_t)(-1)) {
- ret = -1;
- goto done;
- }
-
- /* an ascii string can only be smaller than or equal to an utf8 one */
- ol = il;
- if (ol < 14) ol = 14;
- asciiPasswd = calloc(ol+1, 1);
- if (!asciiPasswd) {
- iconv_close(cd);
- ret = -1;
- goto done;
- }
-
- inc = upperPasswd;
- outc = asciiPasswd;
- cs = iconv(cd, &inc, &il, &outc, &ol);
- if (cs == -1) {
- ret = -1;
- free(asciiPasswd);
- iconv_close(cd);
- goto done;
- }
+ il = strlen(newPasswd);
- /* done with these */
+ /* an ucs2 string can be at most double than an utf8 one */
+ sl = ol = (il+1)*2;
+ ucs2Passwd = calloc(ol, 1);
+ if (!ucs2Passwd) {
+ ret = -1;
iconv_close(cd);
-
- /* we are interested only in the first 14 ASCII chars for lanman */
- if (strlen(asciiPasswd) > 14) {
- asciiPasswd[14] = '\0';
- }
-
- /* first half */
- lm_shuffle(deskey, (uint8_t *)asciiPasswd);
-
- DES_set_key_unchecked(&deskey, &schedule);
- DES_ecb_encrypt(&magic, (DES_cblock *)keys->lm,
- &schedule, DES_ENCRYPT);
-
- /* second half */
- lm_shuffle(deskey, (uint8_t *)&asciiPasswd[7]);
-
- DES_set_key_unchecked(&deskey, &schedule);
- DES_ecb_encrypt(&magic, (DES_cblock *)&(keys->lm[8]),
- &schedule, DES_ENCRYPT);
-
- /* done with it */
- free(asciiPasswd);
-
- } else {
- memset(keys->lm, 0, 16);
+ goto done;
}
- if (do_nt_hash) {
- iconv_t cd;
- size_t cs, il, ol, sl;
- char *inc, *outc;
- char *ucs2Passwd;
- MD4_CTX md4ctx;
-
- /* TODO: must store the dos charset somewhere in the directory */
- cd = iconv_open(KTF_UCS2, KTF_UTF8);
- if (cd == (iconv_t)(-1)) {
- ret = -1;
- goto done;
- }
-
- il = strlen(newPasswd);
-
- /* an ucs2 string can be at most double than an utf8 one */
- sl = ol = (il+1)*2;
- ucs2Passwd = calloc(ol, 1);
- if (!ucs2Passwd) {
- ret = -1;
- iconv_close(cd);
- goto done;
- }
-
- inc = newPasswd;
- outc = ucs2Passwd;
- cs = iconv(cd, &inc, &il, &outc, &ol);
- if (cs == -1) {
- ret = -1;
- free(ucs2Passwd);
- iconv_close(cd);
- goto done;
- }
-
- /* done with it */
+ inc = newPasswd;
+ outc = ucs2Passwd;
+ cs = iconv(cd, &inc, &il, &outc, &ol);
+ if (cs == -1) {
+ ret = -1;
+ free(ucs2Passwd);
iconv_close(cd);
+ goto done;
+ }
- /* get the final ucs2 string length */
- sl -= ol;
+ /* done with it */
+ iconv_close(cd);
- ret = MD4_Init(&md4ctx);
- if (ret == 0) {
- ret = -1;
- free(ucs2Passwd);
- goto done;
- }
- ret = MD4_Update(&md4ctx, ucs2Passwd, sl);
- if (ret == 0) {
- ret = -1;
- free(ucs2Passwd);
- goto done;
- }
- ret = MD4_Final(keys->nt, &md4ctx);
- if (ret == 0) {
- ret = -1;
- free(ucs2Passwd);
- goto done;
- }
+ /* get the final ucs2 string length */
+ sl -= ol;
- } else {
- memset(keys->nt, 0, 16);
+ ret = MD4_Init(&md4ctx);
+ if (ret == 0) {
+ ret = -1;
+ free(ucs2Passwd);
+ goto done;
+ }
+ ret = MD4_Update(&md4ctx, ucs2Passwd, sl);
+ if (ret == 0) {
+ ret = -1;
+ free(ucs2Passwd);
+ goto done;
+ }
+ ret = MD4_Final(nt_key, &md4ctx);
+ if (ret == 0) {
+ ret = -1;
+ free(ucs2Passwd);
+ goto done;
}
ret = 0;
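Review bot: `ucs2Passwd` holds a UCS-2 copy of the clear-text password, and the now-unconditional error paths (`free(ucs2Passwd)` after the iconv failure and after each MD4 failure) release it without wiping it, unlike ipa_sam.c in this same series, which memsets its password copies before freeing them. A `memset(ucs2Passwd, 0, sl);` before each `free(ucs2Passwd)` keeps the plaintext from lingering in freed heap; the success path and the `done:` label lie outside the hunk, so the same check applies there. The hoisted comment `/* TODO: must store the dos charset somewhere in the directory */` now sits above the UCS-2 conversion the NT hash always uses and referred to the removed LM/DOS-charset code, so it should be dropped or reworded; the `KTF_DOS_CHARSET` macro the removed code used is presumably unused now as well (its definition is outside the hunk).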
commit 34c707e3fe90be09e3cbe5e5439696d946d948d5
Author: Sumit Bose <sbose at redhat.com>
Date: Tue Oct 29 11:37:03 2013 +0100
Remove AllowLMhash from the allowed IPA config strings
Fixes https://fedorahosted.org/freeipa/ticket/3795
diff --git a/API.txt b/API.txt
index 40871f6..605f9ee 100644
--- a/API.txt
+++ b/API.txt
@@ -499,7 +499,7 @@ args: 0,24,3
option: Str('addattr*', cli_name='addattr', exclude='webui')
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
option: Str('delattr*', cli_name='delattr', exclude='webui')
-option: StrEnum('ipaconfigstring', attribute=True, autofill=False, cli_name='ipaconfigstring', csv=True, multivalue=True, required=False, values=(u'AllowLMhash', u'AllowNThash', u'KDC:Disable Last Success', u'KDC:Disable Lockout'))
+option: StrEnum('ipaconfigstring', attribute=True, autofill=False, cli_name='ipaconfigstring', csv=True, multivalue=True, required=False, values=(u'AllowNThash', u'KDC:Disable Last Success', u'KDC:Disable Lockout'))
option: Str('ipadefaultemaildomain', attribute=True, autofill=False, cli_name='emaildomain', multivalue=False, required=False)
option: Str('ipadefaultloginshell', attribute=True, autofill=False, cli_name='defaultshell', multivalue=False, required=False)
option: Str('ipadefaultprimarygroup', attribute=True, autofill=False, cli_name='defaultgroup', multivalue=False, required=False)
diff --git a/install/ui/src/freeipa/serverconfig.js b/install/ui/src/freeipa/serverconfig.js
index 94e1454..7dea5d1 100644
--- a/install/ui/src/freeipa/serverconfig.js
+++ b/install/ui/src/freeipa/serverconfig.js
@@ -69,7 +69,7 @@ return {
name: 'ipaconfigstring',
$type: 'checkboxes',
options: IPA.create_options([
- 'AllowLMhash', 'AllowNThash',
+ 'AllowNThash',
'KDC:Disable Last Success', 'KDC:Disable Lockout'
])
},
diff --git a/install/ui/test/data/ipa_init_commands.json b/install/ui/test/data/ipa_init_commands.json
index 4f28701..2073181 100644
--- a/install/ui/test/data/ipa_init_commands.json
+++ b/install/ui/test/data/ipa_init_commands.json
@@ -2278,7 +2278,6 @@
"name": "ipaconfigstring",
"type": "unicode",
"values": [
- "AllowLMhash",
"AllowNThash",
"KDC:Disable Last Success",
"KDC:Disable Lockout"
diff --git a/install/ui/test/data/ipa_init_objects.json b/install/ui/test/data/ipa_init_objects.json
index bef3cc6..8550e82 100644
--- a/install/ui/test/data/ipa_init_objects.json
+++ b/install/ui/test/data/ipa_init_objects.json
@@ -580,7 +580,6 @@
"name": "ipaconfigstring",
"type": "unicode",
"values": [
- "AllowLMhash",
"AllowNThash",
"KDC:Disable Last Success",
"KDC:Disable Lockout"
diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py
index b9cf050..fbaacb7 100644
--- a/ipalib/plugins/config.py
+++ b/ipalib/plugins/config.py
@@ -178,7 +178,7 @@ class config(LDAPObject):
cli_name='ipaconfigstring',
label=_('Password plugin features'),
doc=_('Extra hashes to generate in password plug-in'),
- values=(u'AllowLMhash', u'AllowNThash',
+ values=(u'AllowNThash',
u'KDC:Disable Last Success', u'KDC:Disable Lockout'),