Bug #8627

closed

Bug #8593: UserManagement need to have hashed password for both Linux and AIX

Create UserManagement v7 with a variable for AIX passwords

Added by François ARMAND over 8 years ago. Updated over 8 years ago.

Status: Released
Priority: N/A
Category: Techniques

Description

We need to create a v7 of UserManagement to handle the AIX case.

The idea described in parent issue #8593 is to have a new variable in metadata.xml, USERGROUP_USER_PASSWORD_AIX, with the password hashed in the correct format for /etc/security/passwd.
The variable needs to be invisible for the user when he edits a userManagement directive: Rudder will automatically pass the user input for field USERGROUP_USER_PASSWORD.

Then, the cfengine code needs to be adapted to edit the correct files for AIX with the content of that variable.

The metadata will use two new input types, built for that case: masterPassword and slavePassword:aix. It will also need to tell masterPassword that it manages slavePassword inputs like that:

      <SECTION name="Password" component="true" componentKey="USERGROUP_USER_LOGIN">
        <INPUT>
          <NAME>USERGROUP_USER_PASSWORD</NAME>
          <DESCRIPTION>Password for this account</DESCRIPTION>
          <CONSTRAINT>
            <MAYBEEMPTY>true</MAYBEEMPTY>
            <TYPE>masterPassword</TYPE>
            <PASSWORDHASH>linux-shadow-md5,linux-shadow-sha256,linux-shadow-sha512,plain</PASSWORDHASH>
            <!--
             Tell that master password must create other variables derived from the user input from
             that one. The accepted values for now are "aix" and "linux" (or both, comma separated).
             The derived variable name will be the current name postfixed with _AIX (or _LINUX).

             A correspondence is made between the hash algos listed above and the matching ones on the target OS:
             Linux md5 crypt is mapped to AIX "smd5" version, Linux Sha-Crypt-256 is
             mapped to AIX ssha256, and Linux Sha-Crypt-512 to AIX ssha512.
             AIX ssha256 and ssha512 need the JCE PBKDF2WithHmacSHA256 / PBKDF2WithHmacSHA512.
             They are provided on Oracle Java 8 JVM standard installation, but NOT in
             Java 7 and some other vendor versions.
             In case these algos are not available, a fallback to AIX ssha1 (which uses
             PBKDF2WithHmacSHA1) will be done. This hash scheme is also quite robust, but
             if you want maximum security, you must use for Rudder a JVM which provides the higher
             level algo, like Open JDK 8.
             -->
            <AUTOSUBVARIABLES>AIX</AUTOSUBVARIABLES>
          </CONSTRAINT>
        </INPUT>
      </SECTION>
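
The fallback described in the metadata comment can be checked on a given JVM with the following added example, which is not part of the issue and is not Rudder's code. The class name `AixHashSchemeCheck` and its method names are hypothetical; the hash names and JCE algorithm names are the ones quoted in the comment above, and `plain` is left out because the comment gives no AIX mapping for it.

```java
import java.security.NoSuchAlgorithmException;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;

// Hypothetical helper: reports which AIX scheme this JVM can really produce.
public class AixHashSchemeCheck {
    // Linux hash name -> AIX scheme, as listed in the metadata comment.
    static final Map<String, String> LINUX_TO_AIX = new LinkedHashMap<>();
    // AIX scheme -> JCE algorithm it depends on, as listed in the metadata comment.
    static final Map<String, String> AIX_TO_JCE = new LinkedHashMap<>();
    static {
        LINUX_TO_AIX.put("linux-shadow-md5", "smd5");
        LINUX_TO_AIX.put("linux-shadow-sha256", "ssha256");
        LINUX_TO_AIX.put("linux-shadow-sha512", "ssha512");
        AIX_TO_JCE.put("ssha1", "PBKDF2WithHmacSHA1");
        AIX_TO_JCE.put("ssha256", "PBKDF2WithHmacSHA256");
        AIX_TO_JCE.put("ssha512", "PBKDF2WithHmacSHA512");
    }

    // True when a registered JCE provider offers the algorithm.
    static boolean jceHas(String algorithm) {
        try {
            SecretKeyFactory.getInstance(algorithm);
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    // AIX scheme this JVM can produce for a Linux hash name, with the ssha1 fallback.
    static String effectiveAixScheme(String linuxHash) {
        String wanted = LINUX_TO_AIX.get(linuxHash);
        if (wanted == null) throw new IllegalArgumentException("no AIX mapping for " + linuxHash);
        String jce = AIX_TO_JCE.get(wanted);
        // The comment names no JCE requirement for smd5, so it is returned as is.
        if (jce == null || jceHas(jce)) return wanted;
        return "ssha1";
    }

    public static void main(String[] args) {
        System.out.println("JVM: " + System.getProperty("java.vendor")
            + " " + System.getProperty("java.version"));
        for (Map.Entry<String, String> e : LINUX_TO_AIX.entrySet()) {
            String got = effectiveAixScheme(e.getKey());
            String note = got.equals(e.getValue()) ? "" : "  (downgraded from " + e.getValue() + ")";
            System.out.printf("%-20s -> %-8s%s%n", e.getKey(), got, note);
        }
    }
}
```

Run it with the same JVM that runs Rudder: a "downgraded" line means that JVM lacks the PBKDF2 algorithm for the requested scheme and the AIX variable would carry an ssha1 hash instead.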

Subtasks 1 (0 open, 1 closed)

Bug #8708: Missing entry in list of maintained technique after creating usermanagement v7 (Released, Alexis Mousset, 2016-07-19)

Related issues 2 (0 open, 2 closed)

Related to Rudder - User story #8691: Add bodies to manage AIX password files (Released, Benoît PECCATTE)
Has duplicate Rudder - Bug #6963: The user creation technique doesn't work on AIX (Rejected, Benoît PECCATTE)

#1

Updated by Jonathan CLARKE over 8 years ago

  • Has duplicate Bug #6963: The user creation technique doesn't work on AIX added

#2

Updated by François ARMAND over 8 years ago

  • Assignee set to Nicolas CHARLES

#3

Updated by François ARMAND over 8 years ago

  • Description updated (diff)

#4

Updated by Nicolas CHARLES over 8 years ago

  • Status changed from New to In progress

#5

Updated by Nicolas CHARLES over 8 years ago

#6

Updated by Nicolas CHARLES over 8 years ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Nicolas CHARLES to Benoît PECCATTE
  • Pull Request set to https://github.com/Normation/rudder-techniques/pull/991/files

#7

Updated by Nicolas CHARLES over 8 years ago

  • Assignee changed from Benoît PECCATTE to Alexis Mousset

#8

Updated by Nicolas CHARLES over 8 years ago

  • Assignee changed from Alexis Mousset to Benoît PECCATTE

#9

Updated by Nicolas CHARLES over 8 years ago

  • Assignee changed from Benoît PECCATTE to Alexis Mousset

#10

Updated by François ARMAND over 8 years ago

  • Description updated (diff)
  • Assignee changed from Alexis Mousset to Benoît PECCATTE

#11

Updated by François ARMAND over 8 years ago

  • Assignee changed from Benoît PECCATTE to Alexis Mousset

#12

Updated by François ARMAND over 8 years ago

Updated the name of the password property dependence from DERIVE to AUTOSUBVARIABLES

#13

Updated by Nicolas CHARLES over 8 years ago

  • Assignee changed from Alexis Mousset to Benoît PECCATTE

#14

Updated by Nicolas CHARLES over 8 years ago

  • Status changed from Pending technical review to Pending release
  • % Done changed from 0 to 100

#15

Updated by Alexis Mousset over 8 years ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 3.1.12 and 3.2.5 which were released today.
