Bug #8627
closed Bug #8593: UserManagement need to have hashed password for both Linux and AIX
Create UserManagement v7 with a variable for AIX passwords
Description
We need to create a v7 of UserManagement to handle the AIX case.
The idea described in parent issue #8593 is to have a new variable in metadata.xml, USERGROUP_USER_PASSWORD_AIX, with the password hashed in the correct format for /etc/security/passwd.
The variable needs to be invisible to the user when he edits a userManagement directive: Rudder will automatically pass the user input for field USERGROUP_USER_PASSWORD.
Then, the CFEngine code needs to be adapted to edit the correct files for AIX with the content of that variable.
The metadata will use two new input types, built for that case: masterPassword and slavePassword:aix. It will also need to tell masterPassword that it manages slavePassword inputs, like this:
<SECTION name="Password" component="true" componentKey="USERGROUP_USER_LOGIN">
  <INPUT>
    <NAME>USERGROUP_USER_PASSWORD</NAME>
    <DESCRIPTION>Password for this account</DESCRIPTION>
    <CONSTRAINT>
      <MAYBEEMPTY>true</MAYBEEMPTY>
      <TYPE>masterPassword</TYPE>
      <PASSWORDHASH>linux-shadow-md5,linux-shadow-sha256,linux-shadow-sha512,plain</PASSWORDHASH>
      <!--
        Tells the master password to create other variables derived from
        the user input for this one. The accepted values for now are "aix"
        and "linux" (or both, comma separated). The derived variable name
        will be the current name postfixed with _AIX (or _LINUX).

        A correspondence is made between the hash algorithms listed above
        and the matching ones on the target OS: Linux md5 crypt is mapped
        to AIX "smd5", Linux Sha-Crypt-256 is mapped to AIX ssha256, and
        Linux Sha-Crypt-512 to AIX ssha512.

        AIX ssha256 and ssha512 need the JCE PBKDF2WithHmacSHA256 /
        PBKDF2WithHmacSHA512. They are provided on Oracle Java 8 JVM
        standard installation, but NOT in Java 7 and some other vendor
        versions. In case these algorithms are not available, a fallback
        to AIX ssha1 (which uses PBKDF2WithHmacSHA1) will be done. This
        hash scheme is also quite robust, but if you want maximum
        security, you must use for Rudder a JVM which provides the higher
        level algorithms, like Open JDK 8.
      -->
      <AUTOSUBVARIABLES>AIX</AUTOSUBVARIABLES>
    </CONSTRAINT>
  </INPUT>
</SECTION>
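The fallback described in the metadata comment depends on what the JVM's JCE provides, so it can be checked before relying on ssha256 or ssha512. The following is an added example, not Rudder's code: the class and method names are hypothetical, and it only probes the JCE for the PBKDF2 algorithms named above and reports which AIX scheme results from the stated mapping.

```java
import java.security.NoSuchAlgorithmException;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;

// Hypothetical helper (not Rudder code): resolves the AIX hash scheme for a
// PASSWORDHASH value, following the mapping and fallback in the comment above.
public class AixSchemeProbe {
    // Linux hash name from PASSWORDHASH -> preferred AIX scheme.
    private static final Map<String, String> LINUX_TO_AIX = new LinkedHashMap<>();
    // AIX scheme -> JCE algorithm it requires (only those the page names).
    private static final Map<String, String> JCE_FOR_AIX = new LinkedHashMap<>();
    static {
        LINUX_TO_AIX.put("linux-shadow-md5", "smd5");
        LINUX_TO_AIX.put("linux-shadow-sha256", "ssha256");
        LINUX_TO_AIX.put("linux-shadow-sha512", "ssha512");
        JCE_FOR_AIX.put("ssha256", "PBKDF2WithHmacSHA256");
        JCE_FOR_AIX.put("ssha512", "PBKDF2WithHmacSHA512");
    }

    static boolean jceProvides(String algorithm) {
        try {
            SecretKeyFactory.getInstance(algorithm);
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false; // e.g. a Java 7 or vendor JVM without this PBKDF2 variant
        }
    }

    static String resolve(String linuxHash) {
        String preferred = LINUX_TO_AIX.get(linuxHash);
        if (preferred == null) {
            throw new IllegalArgumentException("no AIX mapping stated for: " + linuxHash);
        }
        String jce = JCE_FOR_AIX.get(preferred);
        if (jce == null || jceProvides(jce)) return preferred; // no PBKDF2 need listed for smd5
        // Fallback described in the metadata comment: ssha1 via PBKDF2WithHmacSHA1.
        if (jceProvides("PBKDF2WithHmacSHA1")) return "ssha1";
        throw new IllegalStateException("JVM provides neither " + jce + " nor PBKDF2WithHmacSHA1");
    }

    public static void main(String[] args) {
        System.out.println("JVM: " + System.getProperty("java.vendor")
                + " " + System.getProperty("java.version"));
        for (String linuxHash : LINUX_TO_AIX.keySet()) {
            System.out.println(linuxHash + " -> " + resolve(linuxHash));
        }
    }
}
```

Run it with the same JVM that runs Rudder: any line ending in `ssha1` means the stronger scheme requested in PASSWORDHASH is being silently downgraded on that installation.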