Ericsson / puppet-module-vas

Puppet module to manage DELL Authentication Services, previously known as VAS or Quest Authentication Services
Apache License 2.0

No good way to control enctypes #126

Closed tomhur closed 7 years ago

tomhur commented 7 years ago

There is no good way to control enctypes with this module, and the defaults in templates/vas.conf.erb are quite old. "default_etypes_des = des-cbc-crc" should probably be removed and left to be the default value since no one is using DES anymore. Instead of arcfour-hmac-md5 the default should probably be something sane like aes256-cts-hmac-sha1-96 so it matches more modern Active Directory.

The keys that should be changed or deleted are:

default_tgs_enctypes = arcfour-hmac-md5
default_tkt_enctypes = arcfour-hmac-md5
default_etypes_des = des-cbc-crc
default_etypes = arcfour-hmac-md5

noppe commented 7 years ago

Ok, attempt 1 (ugly) is ready for trying out... but... where the heck do I try it out?!

skalmelid commented 7 years ago

Hi Noppe, I am working with the case that is behind Tommy's request. I actually made an attempt myself to fix the module, but no luck (I only changed default_tgs_enctypes but that wasn't enough).

I have a server where I could try it out. Let me know where to get the module, or zip it up and attach it here. Our storage only supports aes-128 at the moment, so I will have to change that if it is the default values you have changed. Or did you add support for setting arbitrary values in the module?

skalmelid commented 7 years ago

Found it in /proj/puppetenv/noppe_2 !

Looks like it will remove default_etypes_des, which I guess wasn't the intention:

[root@seliius01406 ~]# puppet agent -t --environment=solkalm_rtt1166325 --noop
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for seliius01406.seli.gic.ericsson.se
Info: Applying configuration version 'eselivm0v004l.lmera.ericsson.se'
Notice: /Stage[main]/Vas/File[vas_config]/content: 
--- /etc/opt/quest/vas/vas.conf 2017-10-19 15:48:31.690786737 +0200
+++ /tmp/puppet-file20171020-2889-w226p 2017-10-20 13:33:03.152928032 +0200
@@ -6,10 +6,10 @@

 [libdefaults]
  default_realm = ERICSSON.SE
- default_tgs_enctypes = aes128-cts-hmac-sha1-96
- default_tkt_enctypes = arcfour-hmac-md5
- default_etypes_des = des-cbc-crc
- default_etypes = arcfour-hmac-md5
+  default_tgs_enctypes = aes128-cts-hmac-sha1-96
+  default_tkt_enctypes = aes128-cts-hmac-sha1-96
+  default_etypes = aes128-cts-hmac-sha1-96
+  
  forwardable = true
  renew_lifetime = 604800
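Review bot: the hunk drops default_etypes_des entirely rather than leaving it to its default, and the three surviving enctype keys change from one-space to two-space indentation while forwardable and renew_lifetime keep one space; it also introduces a whitespace-only line (`+  `) before forwardable. Suggest keeping the original one-space indent for the enctype keys and removing the blank line, so the only content change in vas.conf is the enctype values themselves.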

noppe commented 7 years ago

Morning,

You could have found it in GitHub as branch 126 as well :)

Removing default_etypes_des, well, Tommy wrote: '"default_etypes_des = des-cbc-crc" should probably be removed and left to be default value since none is using DES anymore', so I removed it. Now when I think of it, the statement is contradictory: one cannot remove a line and leave it at the default at the same time. Tommy should have to swim around KA harbor for this. But since you are behind this, please clarify and I'll see if it can be done.


skalmelid commented 7 years ago

After talking to Tommy I made my own attempt: https://github.com/Ericsson/puppet-module-vas/pull/128

Please expect some newbie mistakes - it is my first attempt to modify a puppet module and also my first attempt to do anything on GitHub.

In the long run, we might want to change the default encryption type to aes256-cts-hmac-sha1-96, but for now we want to keep the default as is (arcfour-hmac-md5) and only add the opportunity to modify it.

There seems to be a test framework for the module but I could not get it to run. I tested the module both with and without setting the new parameters and the default values work as expected, as well as setting new values.

vas::vas_conf_libdefaults_tgs_default_enctypes: 'aes128-cts-hmac-sha1-96'
vas::vas_conf_libdefaults_tkt_default_enctypes: 'aes128-cts-hmac-sha1-96'
vas::vas_conf_libdefaults_default_etypes: 'aes128-cts-hmac-sha1-96'
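
As an added example (not the module's own templates/vas.conf.erb or any code from the PR), the following Ruby/ERB sketch shows what making the three enctype keys parameters amounts to, with default_etypes_des only emitted when a value is given, and a check that flags DES and RC4 enctypes in the rendered [libdefaults]. The template text, function names and the EXAMPLE.TEST realm are assumptions.

```ruby
require 'erb'

# Hypothetical ERB snippet modelled on the [libdefaults] keys in this thread;
# it is not the module's templates/vas.conf.erb. default_etypes_des is written
# only when a value is supplied, so leaving it unset drops the DES line.
LIBDEFAULTS_TEMPLATE = <<~'ERB'
  [libdefaults]
   default_realm = <%= realm %>
   default_tgs_enctypes = <%= tgs_enctypes %>
   default_tkt_enctypes = <%= tkt_enctypes %>
  <% unless etypes_des.nil? -%>
   default_etypes_des = <%= etypes_des %>
  <% end -%>
   default_etypes = <%= etypes %>
ERB

def render_libdefaults(realm:, tgs_enctypes:, tkt_enctypes:, etypes:, etypes_des: nil)
  ERB.new(LIBDEFAULTS_TEMPLATE, trim_mode: '-').result_with_hash(
    realm: realm, tgs_enctypes: tgs_enctypes, tkt_enctypes: tkt_enctypes,
    etypes: etypes, etypes_des: etypes_des
  )
end

# Enctype keys discussed in the issue, and the legacy DES/RC4 families to flag.
ENCTYPE_KEYS = %w[default_tgs_enctypes default_tkt_enctypes
                  default_etypes default_etypes_des].freeze
LEGACY_ENCTYPE = /\A(des-cbc-\w+|des3-cbc-sha1|arcfour-hmac(-md5)?(-exp)?)\z/i

# Return [key, enctype] pairs for every legacy enctype found in the enctype
# keys of a vas.conf / krb5.conf style text (comma or space separated lists).
def legacy_enctypes(conf)
  conf.each_line.flat_map do |line|
    key, sep, value = line.strip.partition('=')
    next [] if sep.empty? || !ENCTYPE_KEYS.include?(key.strip)
    value.split(/[\s,]+/).reject(&:empty?)
         .select { |e| e.match?(LEGACY_ENCTYPE) }
         .map { |e| [key.strip, e] }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample mirroring the old template defaults.
  old = render_libdefaults(realm: 'EXAMPLE.TEST', tgs_enctypes: 'arcfour-hmac-md5',
                           tkt_enctypes: 'arcfour-hmac-md5', etypes: 'arcfour-hmac-md5',
                           etypes_des: 'des-cbc-crc')
  puts old, legacy_enctypes(old).inspect
end
```
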

skalmelid commented 7 years ago

I didn't see the point of removing the default_etypes_des from the config files, so I didn't do anything about that.

skalmelid commented 7 years ago

Added another commit to remove default_etypes_des from the config files.

Please have a look.

Phil-Friderici commented 7 years ago

PR got merged, closing this issue. Feel free to reopen if needed.