nitismis
commented
3 months ago Hi Andrey ! Good to listen from you. Thanks for the suggestion, we will prioritize this in the 3rd quarter of 2024. I will look into this.
Open aklyachkin opened 3 months ago
nitismis
commented
3 months ago Hi Andrey ! Good to listen from you. Thanks for the suggestion, we will prioritize this in the 3rd quarter of 2024. I will look into this.
schamola
commented
2 months ago Hi @aklyachkin ,
We confirmed with AIX security team: SHA256 and SHA512 are implemented in OpenSSL. Running 'openssl list -digest-algorithms' command, will list the supported algorithms.
aklyachkin
commented
2 months ago @schamola
this is the output from AIX 7.3 TL2 SP2 with OpenSSL 3.0.10.1002:
# openssl list -digest-algorithms
Legacy:
RSA-MD4 => MD4
RSA-MD5 => MD5
RSA-MDC2 => MDC2
RSA-RIPEMD160 => RIPEMD160
RSA-SHA1 => SHA1
RSA-SHA1-2 => RSA-SHA1
RSA-SHA224 => SHA224
RSA-SHA256 => SHA256
RSA-SHA3-224 => SHA3-224
RSA-SHA3-256 => SHA3-256
RSA-SHA3-384 => SHA3-384
RSA-SHA3-512 => SHA3-512
RSA-SHA384 => SHA384
RSA-SHA512 => SHA512
RSA-SHA512/224 => SHA512-224
RSA-SHA512/256 => SHA512-256
RSA-SM3 => SM3
BLAKE2b512
BLAKE2s256
id-rsassa-pkcs1-v1_5-with-sha3-224 => SHA3-224
id-rsassa-pkcs1-v1_5-with-sha3-256 => SHA3-256
id-rsassa-pkcs1-v1_5-with-sha3-384 => SHA3-384
id-rsassa-pkcs1-v1_5-with-sha3-512 => SHA3-512
MD4
md4WithRSAEncryption => MD4
MD5
MD5-SHA1
md5WithRSAEncryption => MD5
MDC2
mdc2WithRSA => MDC2
ripemd => RIPEMD160
RIPEMD160
ripemd160WithRSA => RIPEMD160
rmd160 => RIPEMD160
SHA1
sha1WithRSAEncryption => SHA1
SHA224
sha224WithRSAEncryption => SHA224
SHA256
sha256WithRSAEncryption => SHA256
SHA3-224
SHA3-256
SHA3-384
SHA3-512
SHA384
sha384WithRSAEncryption => SHA384
SHA512
SHA512-224
sha512-224WithRSAEncryption => SHA512-224
SHA512-256
sha512-256WithRSAEncryption => SHA512-256
sha512WithRSAEncryption => SHA512
SHAKE128
SHAKE256
SM3
sm3WithRSAEncryption => SM3
ssl3-md5 => MD5
ssl3-sha1 => SHA1
whirlpool
Provided:
{ 1.3.6.1.4.1.1722.12.2.2.8, BLAKE2S-256, BLAKE2s256 } @ default
{ 1.2.156.10197.1.401, SM3 } @ default
{ 2.16.840.1.101.3.4.2.8, SHA3-256 } @ default
{ 2.16.840.1.101.3.4.2.7, SHA3-224 } @ default
{ 2.16.840.1.101.3.4.2.2, SHA-384, SHA2-384, SHA384 } @ default
{ 2.16.840.1.101.3.4.2.3, SHA-512, SHA2-512, SHA512 } @ default
{ 2.16.840.1.101.3.4.2.5, SHA-512/224, SHA2-512/224, SHA512-224 } @ default
{ 2.16.840.1.101.3.4.2.12, SHAKE-256, SHAKE256 } @ default
{ 2.16.840.1.101.3.4.2.1, SHA-256, SHA2-256, SHA256 } @ default
{ 1.3.14.3.2.26, SHA-1, SHA1, SSL3-SHA1 } @ default
{ 2.16.840.1.101.3.4.2.10, SHA3-512 } @ default
{ 2.16.840.1.101.3.4.2.9, SHA3-384 } @ default
NULL @ default
{ 2.16.840.1.101.3.4.2.11, SHAKE-128, SHAKE128 } @ default
MD5-SHA1 @ default
{ 1.3.36.3.2.1, RIPEMD, RIPEMD-160, RIPEMD160, RMD160 } @ default
{ 1.2.840.113549.2.5, MD5, SSL3-MD5 } @ default
{ 2.16.840.1.101.3.4.2.4, SHA-224, SHA2-224, SHA224 } @ default
{ 1.3.6.1.4.1.1722.12.2.1.16, BLAKE2B-512, BLAKE2b512 } @ default
{ 2.16.840.1.101.3.4.2.6, SHA-512/256, SHA2-512/256, SHA512-256 } @ default
{ KECCAK-KMAC-128, KECCAK-KMAC128 } @ default
{ KECCAK-KMAC-256, KECCAK-KMAC256 } @ default@aklyachkin
SHA256 and SHA512 are supported, blowfish is not (being a weak cipher)
These commands can be used :
For SHA256 - openssl passwd -5 {{ password }}
For SHA512 - openssl passwd -6 {{ password }}
You can see this documentation for more information : https://www.openssl.org/docs/man3.0/man1/openssl-passwd.html
aklyachkin
commented
2 months ago @schamola
Then I must repeat one more time - these algorithms are not AIX-compatible - see my first message.
# openssl passwd -5 abc123
$5$lwYpVAaZesAfXwVx$7oletUGySVEHE2N9VTeh2xA66pQWpmAt6RwSeZtUpcA
# grep -p test /etc/security/passwd
test:
password = {ssha256}$5$lwYpVAaZesAfXwVx$7oletUGySVEHE2N9VTeh2xA66pQWpmAt6RwSeZtUpcA
# tail -2 /var/log/auth.log
Jul 22 11:41:47 server auth|security:info syslog: ssh: failed login attempt for test from X.X.X.X@aklyachkin In order to make them AIX compatible, the below AIX Web Download Pack needs to be downloaded and installed.. Post this, the steps followed above will work: https://www.ibm.com/resources/mrs/assets?source=aixbp&S_PKG=pwmod
I've tried it on my system and It's working:
On terminal 1:
Before changing the password, contents of /etc/security/passwd file:
test_user1: password = $5$MdvJluA05ToECSHB$dXZNKb9VrtA.qVtvYfPJKU6Fd1ogAWcF5ThcAKp3lO2 lastupdate = 1721719479
# openssl passwd -5 xyz123 $5$9jQYtNZRVlCdvFpU$Lrs2qUVPjNlpcGKIUJP6gqPMT58drB/uRpFodegpmM/
Post updating the password file:
# cat passwd | grep -p test_user1 test_user1: password = $5$9jQYtNZRVlCdvFpU$Lrs2qUVPjNlpcGKIUJP6gqPMT58drB/uRpFodegpmM/ lastupdate = 1721719479
On terminal 2:
ssh test_user1@------------------- test_user1@----------------------s password: .. .. ..
$ ifconfig usage: ifconfig -a [ -d ] [ -u ] [ af ] ifconfig -l [ -d ] [ -u ] ifconfig interface [ af [ address [ dest_addr ] ] [ netmask mask ] [ broadcast addr ] [ alias ] [ delete ] ] [ up ] [ down ] [ detach ] [ af first[alias] address [ ... ] ] [ site6 site_number ] [ metric n ] [ mtu n ] [ arp | -arp ] [ link0 | -link0 ] [ link1 | -link1 ] [ link2 | -link2 ] [ tcp_low_rto n | -tcp_low_rto ] [ inet6 scope n zone n ] ifconfig tap_interface [ create | destroy ] $
` I'm able to log in and get to the prompt
schamola
commented
2 months ago @aklyachkin
We tested using Ansible's builtin password_hash filter on our environment after downloading and installing the Web download pack, and it is working fine for us.
The mentioned package contains AIX Loadable Password Algorithm (LPA), which allows the system to recognise SHA-512 and SHA-256 passwords generated using the Linux-style hashing method.
Can you please verify if this is working as expected in your Ansible setup ?
Tasks and outputs from our environment
Task:
- name: Create AIX user
ibm.power_aix.user:
name: test_user1
password: "{{ password | password_hash('sha512') }}"
state: presentAnsible's output:
changed: [root@-----------------------] => {
"changed": true,
"invocation": {
"module_args": {
"attributes": null,
"change_passwd_on_login": false,
"load_module": "files",
"name": "test_user1",
"password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"remove_homedir": true,
"state": "present"
}
},
"msg": "Username is created SUCCESSFULLY: test_user1\nPassword is set successfully for the user: test_user1"
}Attempting to log into the system with the provided password:
schamola@mymachine % ssh test_user1@---------------------
test_user1@---------------------'s password:
*******************************************************************************
* *
* *
* Welcome to AIX Version 7.3! *
* *
* *
* Please see the README file in /usr/lpp/bos for information pertinent to *
* this release of the AIX Operating System. *
* *
* *
*******************************************************************************
$ what /proc/version
/proc/version:
_kdb_buildinfo unix_64 Apr 25 2023 10:32:22 2317A_73D
$ @aklyachkin, a gentle reminder to verify the aforementioned process in your environment. It seems that it is a known issue and security team has already provided the fix.
aklyachkin
commented
2 months ago @nitismis sorry for the delay with the answer. I can accept it as a workaround. Sorry I didn't test it before and didn't write about it, because it is used by none of the customers I know. I accept that it works and thank you for the confirmation. Again - it is very good and usable workaround I forgot about.
Stiil I'd insist on using AIX original algorithms. AIX original algorithms are enabled by default in AIX 7.3 and delivered since AIX 5.3 TL9 afair. The Linux-compatible LPA module is delivered over AIX Webpack and is not part of the official distribution. IMNSHO it is not really purposeful to require that all customers who want to create users with Ansible must migrate to this module.
But it is your decision how to prioritise the feature and when to deliver it.
For those who'd find the issue with Google or interested on the workaround there is IBM Support's article about it: https://www.ibm.com/support/pages/aix-making-sha-256-and-sha-512-passwords-compatible-other-oss
nitismis
commented
2 months ago @aklyachkin, I get your point and yes it's a workaround. I will discuss this with team and update you.
nitismis
commented
2 weeks ago We have informed this to security team and they will come up with the solution in AIX base itself. Holding this enhancement for now from ansible perspective. However, if someone wants to use the LPA module they can write task in their playbook to download and install the module.
Is your feature request related to a problem? Please describe. Standard Ansible distribution includes filter to encrypt passwords - password_hash with some password hash algorithms like md5, blowfish, sha256 and sha512. All of them are Linux specific and don't work on AIX.
Describe the solution you'd like Include AIX specific password_hash filter with AIX encryption algorithms.
Something like:
Describe alternatives you've considered As for now there is only one alternative. It is to use openssl command to generate AIX-compatible MD5 hashes:
AIX-specific Blowfish, SHA256 and SHA512 are not implemented in OpenSSL and there are no tools available to encrypt passwords.