Project

General

Profile

Bug #8627

Updated by François ARMAND over 8 years ago

We need to create a v7 of UserManagement to handle the AIX case.  

 The idea described in parent issue #8593 is to have a new variable in metadata.xml, USERGROUP_USER_PASSWORD_AIX, with the password hashed in the correct format for /etc/security/passwd 
 The variable need to be invisible for the user when he edits a userManagement directive: Rudder will automatically pass the user input for field USERGROUP_USER_PASSWORD. 

 Then, the cfengine code need to be adapted to edit the corrects files for AIX with the content of that variable.  

 The metadata will use two new input type, built for that case: masterPassword and slavePassword:aix. It will also need to tell masterPassword that it manages slavePassword inputs like that:  

 <pre> 
       <SECTION name="Password" component="true" componentKey="USERGROUP_USER_LOGIN"> 
         <INPUT> 
           <NAME>USERGROUP_USER_PASSWORD</NAME> 
           <DESCRIPTION>Password for this account</DESCRIPTION> 
           <CONSTRAINT> 
             <MAYBEEMPTY>true</MAYBEEMPTY> 
             <TYPE>masterPassword</TYPE> 
             <PASSWORDHASH>linux-shadow-md5,linux-shadow-sha256,linux-shadow-sha512,plain</PASSWORDHASH> 
             <!--  
              Tell that master password must create other variables derived from the user input from 
              that one. The accepted values for now are "aix" and "linux" (or both, comma separated).  
              The derived variable name will the current name postfixed with _AIX (or _LINUX) 

              A correspondance is made between hash algo listed above and the matching one on target OS: 
              Linux md5 crypt is mapped to AIX "smd5" version, Linux Sha-Crypt-256 is 
              mapped to AIX ssha256, and Linux Sha-Crypt-512 to AIX ssha512. 
              AIX ssha256 and ssha512 need the JCE PBKDF2WithHmacSHA256 / PBKDF2WithHmacSHA512. 
              They are provided on Oracle Java 8 JVM standard installation, but NOT in 
              Java 7 and some other vendor versions. 
              In case these algo are not available, a fallback to AIX ssha1 (which uses 
              PBKDF2WithHmacSHA1) will be done. This hash scheme is also quite robust, but 
              if you want maximum security, you must use for Rudder a JVM which provides the higher 
              level algo, like Open JDK 8 
              --!> 
             <AUTOSUBVARIABLES>AIX</AUTOSUBVARIABLES> <DERIVE>aix</DERIVE> 
           </CONSTRAINT> 
         </INPUT> 
       </SECTION> 
 </pre>

Back