[Freeipa-devel] [freeipa PR#500][comment] Replace sha1 fingerprints with sha256
URL: https://github.com/freeipa/freeipa/pull/500
Title: #500: Replace sha1 fingerprints with sha256

tiran commented:
"""
Let's step on the brakes first and do a proper threat analysis. Is it really necessary to drop SHA-1 like a hot potato and go for SHA-256 right now? It still takes a lot of effort to create a SHA-1 collision. It hasn't been shown for certificates yet.

* SHA-1 in OTP is fine. OTP uses HMAC and truncated hashes. The attack doesn't apply to HMAC-SHA1. There are also severe compatibility issues. Some commonly used OTP generators do not support SHA1. Before we change OTP, we must make sure that our own OTP generator, Google's OTP generator, and Yubico's OTP generator in all YubiKeys work. (I'm using Yubico Authenticator over NFC.)
* Is SHA-256 the correct answer? What about SHA-224 or SHA-384 or a totally different approach like SHA3-256? MD5, SHA-1 and SHA-2 have a similar design (Merkle-Damgard construct but different compression function).
* Should we replace SHA-1 with SHA-2 in a hard cut or can we safely offer both hashes for a while to go through a proper deprecation cycle? Do users or customers depend on SHA-1 hash values?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/500#issuecomment-282228908
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
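As an added illustration of the HMAC-and-truncation point in the comment above (example code written for this page, not FreeIPA's OTP implementation): an HOTP generator per RFC 4226, where the hash only ever runs inside HMAC and just 31 bits of the MAC survive dynamic truncation, which is why a collision attack on the bare hash does not carry over. The RFC's own published test secret is used so the values can be checked; the `verify_hotp` look-ahead window and the `algo` parameter are this example's choices and also show why switching the digest changes every deployed generator's output.

```python
"""HOTP (RFC 4226) built on HMAC-SHA1 with dynamic truncation.

Added example, not FreeIPA code. Shows that OTP uses HMAC over a counter and
a truncated MAC rather than a raw SHA-1 digest, and that changing the hash
changes the codes that existing generators produce.
"""
import hashlib
import hmac
import struct

# Test secret from RFC 4226 Appendix D (ASCII "12345678901234567890").
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """Compute an HOTP value.

    HMAC over the 8-byte big-endian counter, then dynamic truncation: the low
    nibble of the last MAC byte selects a 4-byte window, whose top bit is
    masked off to give a 31-bit integer, reduced modulo 10**digits.
    """
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % (10 ** digits)).zfill(digits)


def verify_hotp(secret: bytes, counter: int, candidate: str,
                window: int = 5, algo: str = "sha1"):
    """Validator-side look-ahead check (window is this example's assumption).

    Returns the counter value that produced `candidate`, or None. Each
    comparison is constant-time so a wrong code never leaks partial matches.
    """
    for c in range(counter, counter + window):
        if hmac.compare_digest(hotp(secret, c, algo=algo), candidate):
            return c
    return None


if __name__ == "__main__":
    for c in range(3):
        print(c, hotp(RFC4226_SECRET, c), hotp(RFC4226_SECRET, c, algo="sha256"))
```

The SHA-1 column reproduces the RFC 4226 vectors (755224, 287082, 359152, ...); the SHA-256 column is a different sequence, which is the compatibility concern raised above: a validator and every enrolled token must agree on the digest before it can be changed.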
Re: [Freeipa-devel] MD5 certificate fingerprints removal
Standa Laznicka wrote:

Hello,

Since we're trying to make FreeIPA work in FIPS we got to the point where we need to do something with MD5 fingerprints in the cert plugin. Eventually we came to a realization that it'd be best to get rid of them as a whole. These are counted by the framework and are not stored anywhere. Note that alongside these fingerprints SHA1 fingerprints are also counted and those are there to stay.

The question for this ML is, then - is it OK to remove these or would you rather have them replaced with SHA-256 alongside the SHA-1?

On 02/21/2017 03:23 PM, Rob Crittenden wrote:

MD5 is a grandpa and I think it should go. I based the values displayed on what certutil displayed at the time (7 years ago). I don't know that anyone uses these fingerprints. The OpenSSL equivalent doesn't include them by default. You may be able to deprecate fingerprints altogether.

rob

On 02/21/2017 04:24 PM, Tomas Krizek wrote:

I think it's useful to display the certificate's fingerprint. I'm in favor of removing md5 and adding sha256 instead.

On Tue, Feb 21, 2017 at 05:23:07PM +0100, Standa Laznicka wrote:

Rob, thank you for sharing the information of where the cert fingerprints originated! `certutil` shipped with nss-3.27.0-1.3 currently displays SHA-256 and SHA1 fingerprints for certificates, so I propose going that way too.

On 02/22/2017 12:28 AM, Fraser Tweedale wrote:

IMO we should remove MD5 and SHA-1, and add SHA-256. But we should also make no API stability guarantee w.r.t. the fingerprint attributes, i.e. to allow us to move to newer digests in future (and remove broken/no-longer-secure ones). We should advise that if a customer has a hard requirement on a particular digest that they should compute it themselves from the certificate.

Cheers,
Fraser

On Wed, Feb 22, 2017 at 01:41:22PM +0100, Tomas Krizek wrote:

What is the motivation to remove SHA-1? Are there any attacks besides theoretical ones on SHA-1? Do other libraries already deprecate SHA-1?

On 02/22/2017 01:44 PM, Fraser Tweedale wrote:

Come to think of it, I was thinking about SHA-1 signatures (which are completely forbidden in the public PKI nowadays). But for fingerprints it is not so bad (for now).

Thanks,
Fraser

On 23.02.2017 15:09, Tomas Krizek wrote:

Actually, there's been a practical SHA1 attack just published [1]. Computational complexity was 9,223,372,036,854,775,808 SHA1 computations, which takes about 110 years on a single GPU. Therefore, I'm in favor of deprecating SHA1 as well and providing only SHA256.

[1] - https://shattered.io/

On 23.2.2017 19:06, Martin Basti wrote:

I think we should wait with removing SHA1; don't remove it prematurely. While MD5 has been deprecated for a very long time, SHA1 is not, and we are not using it for any cryptographic operation nor certificates. It is just an informational fingerprint.

On 02/24/2017 08:29 AM, Jan Cholasta wrote:

+1

On 02/24/2017 08:34 AM, Standa Laznicka wrote:

+1, I don't favour the http://new2.fjcdn.com/gifs/Everybody_d72014_61779.gif approach.

On 24.02.2017 08:46, Tomas Krizek wrote:

People will most likely be using the software even years after its upstream release, so I think it's best to address these issues sooner rather than later. SHA256 fingerprints should be added even if we decide to keep SHA1 for now.

+1 for adding SHA256
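To make concrete what the fingerprint attributes in this thread are (an added example written for this page, not the cert plugin's own code): a fingerprint is the digest of the certificate's DER encoding, rendered as lowercase colon-separated hex as in the UI test fixtures, and PEM is only a base64 wrapper around the same bytes, so both forms yield identical values. The `pem_to_der`, `fingerprints` and `matches` helpers, the attribute-name mapping and the constructed input are this example's assumptions; the input bytes are deliberately not a real certificate so the digests can be checked against the published SHA-1/SHA-256 test vectors for `abc`. The `matches` helper is the check a consumer would write if, as suggested above, they compute and compare the digest themselves.

```python
"""Certificate fingerprints over DER, in SHA-1 and SHA-256.

Added example for this page, not FreeIPA's cert plugin code. A fingerprint
is a digest of the certificate's DER bytes; PEM is only base64 armour around
those same bytes, so PEM and DER input give identical fingerprints.
"""
import base64
import hashlib
import hmac
import re

# Digests exposed as attributes, keyed by the attribute names discussed in
# the thread (sha1 kept, sha256 added). Assumed mapping for this example.
FINGERPRINT_DIGESTS = {"sha1_fingerprint": "sha1", "sha256_fingerprint": "sha256"}


def pem_to_der(pem: str) -> bytes:
    """Strip the -----BEGIN/END----- armour lines and base64-decode the body."""
    body = "".join(
        line.strip() for line in pem.splitlines()
        if line.strip() and not line.startswith("-----")
    )
    return base64.b64decode(body)


def colon_hex(digest: bytes) -> str:
    """Render a digest as lowercase colon-separated hex ("b8:4c:...")."""
    return ":".join(f"{b:02x}" for b in digest)


def fingerprints(cert, algos=FINGERPRINT_DIGESTS) -> dict:
    """Return {attribute_name: fingerprint} for a DER (bytes) or PEM (str) cert."""
    der = pem_to_der(cert) if isinstance(cert, str) else bytes(cert)
    return {name: colon_hex(hashlib.new(algo, der).digest())
            for name, algo in algos.items()}


def normalize(fp: str) -> str:
    """Canonicalize a user-supplied fingerprint: lowercase, drop separators."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def matches(reference: str, supplied: str) -> bool:
    """Constant-time comparison after normalization, so that 'B8:4C:...'
    and 'b84c...' compare equal and a wrong value never short-circuits."""
    return hmac.compare_digest(normalize(reference), normalize(supplied))


# Constructed input: the bytes b"abc" stand in for DER so the results can be
# checked against the published SHA-1/SHA-256 test vectors. Not a real cert.
SAMPLE_DER = b"abc"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(SAMPLE_DER).decode()
    + "\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    for name, fp in fingerprints(SAMPLE_PEM).items():
        print(f"{name}: {fp}")
```

Adding a digest is one more entry in `FINGERPRINT_DIGESTS`; removing one is deleting an entry, which is the no-stability-guarantee model proposed in the thread.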
[Freeipa-devel] [freeipa PR#500][+rejected] Replace sha1 fingerprints with sha256
URL: https://github.com/freeipa/freeipa/pull/500
Title: #500: Replace sha1 fingerprints with sha256
Label: +rejected
[Freeipa-devel] [freeipa PR#500][closed] Replace sha1 fingerprints with sha256
URL: https://github.com/freeipa/freeipa/pull/500
Author: tomaskrizek
Title: #500: Replace sha1 fingerprints with sha256
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/500/head:pr500
git checkout pr500
[Freeipa-devel] [freeipa PR#500][comment] Replace sha1 fingerprints with sha256
URL: https://github.com/freeipa/freeipa/pull/500
Title: #500: Replace sha1 fingerprints with sha256

MartinBasti commented:
"""
https://www.redhat.com/archives/freeipa-devel/2017-February/msg01083.html

This was discussed in that thread and the resolution is to not remove sha1.

@tiran sha256 is already used in some IPA parts, so we are closing the circle to have it everywhere. If you want additional fingerprints, feel free to open a discussion on freeipa-devel.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/500#issuecomment-282239159
[Freeipa-devel] [freeipa PR#504][opened] Add SHA256 fingerprints
URL: https://github.com/freeipa/freeipa/pull/504 Author: tomaskrizek Title: #504: Add SHA256 fingerprints Action: opened PR body: """ As discussed on the [devel list](https://www.redhat.com/archives/freeipa-devel/2017-February/msg01095.html), adding SHA256 fingerprints for certs and keeping SHA1 as well. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/504/head:pr504 git checkout pr504 From 690ff813eefec7a16a9c6c330fb005a47efbdb85 Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Thu, 23 Feb 2017 17:03:01 +0100 Subject: [PATCH 1/2] Add SHA256 fingerprints for certs https://fedorahosted.org/freeipa/ticket/6701 --- install/ui/src/freeipa/certificate.js | 5 + install/ui/test/data/cert_request.json | 1 + install/ui/test/data/cert_show.json| 1 + install/ui/test/data/service_show.json | 1 + ipaserver/plugins/cert.py | 6 ++ ipaserver/plugins/host.py | 4 ipaserver/plugins/service.py | 6 ++ ipatests/test_xmlrpc/test_host_plugin.py | 1 + ipatests/test_xmlrpc/test_service_plugin.py| 7 +++ ipatests/test_xmlrpc/tracker/host_plugin.py| 1 + ipatests/test_xmlrpc/tracker/service_plugin.py | 4 ++-- 11 files changed, 35 insertions(+), 2 deletions(-) diff --git a/install/ui/src/freeipa/certificate.js b/install/ui/src/freeipa/certificate.js index b86c6cf..d7a50d7 100755 --- a/install/ui/src/freeipa/certificate.js +++ b/install/ui/src/freeipa/certificate.js @@ -571,6 +571,7 @@ IPA.cert.loader = function(spec) { serial_number: result.serial_number, serial_number_hex: result.serial_number_hex, sha1_fingerprint: result.sha1_fingerprint, +sha256_fingerprint: result.sha256_fingerprint, subject: result.subject, valid_not_after: result.valid_not_after, valid_not_before: result.valid_not_before 
@@ -1578,6 +1579,9 @@ exp.create_cert_metadata = function() { add_param('sha1_fingerprint', text.get('@i18n:objects.cert.sha1_fingerprint'), text.get('@i18n:objects.cert.sha1_fingerprint')); +add_param('sha256_fingerprint', +text.get('@i18n:objects.cert.sha256_fingerprint'), +text.get('@i18n:objects.cert.sha256_fingerprint')); add_param('certificate', text.get('@i18n:objects.cert.certificate'), text.get('@i18n:objects.cert.certificate')); @@ -1755,6 +1759,7 @@ return { 'valid_not_before', 'valid_not_after', 'sha1_fingerprint', +'sha256_fingerprint', { $type: 'revocation_reason', name: 'revocation_reason' diff --git a/install/ui/test/data/cert_request.json b/install/ui/test/data/cert_request.json index f8d8544..c610830 100644 --- a/install/ui/test/data/cert_request.json +++ b/install/ui/test/data/cert_request.json @@ -8,6 +8,7 @@ "request_id": "1", "serial_number": "1", "sha1_fingerprint": "b8:4c:4b:79:4f:13:03:79:47:08:fa:6b:52:63:3d:f9:15:8e:7e:dc", +"sha256_fingerprint": "0f:3c:77:ed:c7:2b:09:5a:27:88:26:ca:91:e0:81:26:70:14:b1:cd:8e:fe:19:79:42:18:1b:02:07:70:25:30", "subject": "CN=dev.example.com,O=EXAMPLE.COM", "valid_not_after": "Tue Oct 13 01:59:32 2015 UTC", "valid_not_before": "Wed Oct 13 01:59:32 2010 UTC" diff --git a/install/ui/test/data/cert_show.json b/install/ui/test/data/cert_show.json index 4942e63..6f1e9d3 100644 --- a/install/ui/test/data/cert_show.json +++ b/install/ui/test/data/cert_show.json @@ -7,6 +7,7 @@ "issuer": "CN=Certificate Authority,O=EXAMPLE.COM", "serial_number": "1", "sha1_fingerprint": "b8:4c:4b:79:4f:13:03:79:47:08:fa:6b:52:63:3d:f9:15:8e:7e:dc", +"sha256_fingerprint": "0f:3c:77:ed:c7:2b:09:5a:27:88:26:ca:91:e0:81:26:70:14:b1:cd:8e:fe:19:79:42:18:1b:02:07:70:25:30", "subject": "CN=dev.example.com,O=EXAMPLE.COM", "valid_not_after": "Tue Oct 13 01:59:32 2015 UTC", "valid_not_before": "Wed Oct 13 01:59:32 2010 UTC" 
diff --git a/install/ui/test/data/service_show.json b/install/ui/test/data/service_show.json index 213dfff..597f3ad 100644 --- a/install/ui/test/data/service_show.json +++ b/install/ui/test/data/service_show.json @@ -50,6 +50,7 @@ "serial_number": "1", "serial_number_hex": "0x1", "sha1_fingerprint": "b8:4c:4b:79:4f:13:03:79:47:08:fa:6b:52:63:3d:f9:15:8e:7e:dc", +"sha256_fingerprint": "0f:3c:77:ed:c7:2b:09:5a:27:88:26:ca:91:e0:81:26:70:14:b1:cd:8e:fe:19:79:42:18:1b:02:07:70:25:30", "subject": "CN=dev.example.com,O=EXAMPLE.COM", "usercertificate": [
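Review bot: the hunks visible here touch only the Web UI (`install/ui/src/freeipa/certificate.js`) and its JSON test fixtures; the diffstat lists `ipaserver/plugins/cert.py`, `host.py` and `service.py`, where the new attribute is actually computed, but those hunks are cut off in this message, so the digest computation cannot be reviewed from it. In the `create_cert_metadata` hunk, `add_param('sha256_fingerprint', text.get('@i18n:objects.cert.sha256_fingerprint'), ...)` references a new i18n key, and none of the 11 files in the diffstat is a message catalog; please confirm that label already exists or add it, otherwise the UI will render the raw key. The `sha256_fingerprint` fixture value is identical in `cert_request.json`, `cert_show.json` and `service_show.json`, which is consistent with the shared `sha1_fingerprint` for the same test certificate.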
[Freeipa-devel] [freeipa PR#503][comment] [WIP] Update testcase for cert plugin
URL: https://github.com/freeipa/freeipa/pull/503
Title: #503: [WIP] Update testcase for cert plugin

MartinBasti commented:
"""
I left some inline comments, this improves the test but it still misses several features to be tested. You can finish these improvements and it can be pushed and add more improvements in a new PR
"""

See the full comment at https://github.com/freeipa/freeipa/pull/503#issuecomment-282243835
[Freeipa-devel] [freeipa PR#504][comment] Add SHA256 fingerprints
URL: https://github.com/freeipa/freeipa/pull/504
Title: #504: Add SHA256 fingerprints

stlaz commented:
"""
As discussed about hundred times before, do not touch `install/share/copy-schema-to-ca.py`.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/504#issuecomment-282244201
[Freeipa-devel] [freeipa PR#504][comment] Add SHA256 fingerprints
URL: https://github.com/freeipa/freeipa/pull/504
Title: #504: Add SHA256 fingerprints

MartinBasti commented:
"""
Do not touch `install/share/copy-schema-to-ca.py` ever (this will be removed soon from master, just waiting for ACKs)
"""

See the full comment at https://github.com/freeipa/freeipa/pull/504#issuecomment-282244496
[Freeipa-devel] [freeipa PR#503][comment] [WIP] Update testcase for cert plugin
URL: https://github.com/freeipa/freeipa/pull/503
Title: #503: [WIP] Update testcase for cert plugin

Akasurde commented:
"""
@MartinBasti I am working on other improvements and will update this PR accordingly.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/503#issuecomment-282245287
[Freeipa-devel] [freeipa PR#503][comment] [WIP] Update testcase for cert plugin
URL: https://github.com/freeipa/freeipa/pull/503
Title: #503: [WIP] Update testcase for cert plugin

Akasurde commented:
"""
@MartinBasti I am working on other improvements and will update this PR accordingly.

- [x] Issuing CA
- [ ] Subject
- [ ] Issuer
- [ ] Serial number
- [ ] Serial number (hex)
- [ ] Status
- [ ] Revoked
"""

See the full comment at https://github.com/freeipa/freeipa/pull/503#issuecomment-282245287
[Freeipa-devel] [freeipa PR#504][synchronized] Add SHA256 fingerprints
URL: https://github.com/freeipa/freeipa/pull/504 Author: tomaskrizek Title: #504: Add SHA256 fingerprints Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/504/head:pr504 git checkout pr504 From 690ff813eefec7a16a9c6c330fb005a47efbdb85 Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Thu, 23 Feb 2017 17:03:01 +0100 Subject: [PATCH] Add SHA256 fingerprints for certs https://fedorahosted.org/freeipa/ticket/6701 --- install/ui/src/freeipa/certificate.js | 5 + install/ui/test/data/cert_request.json | 1 + install/ui/test/data/cert_show.json| 1 + install/ui/test/data/service_show.json | 1 + ipaserver/plugins/cert.py | 6 ++ ipaserver/plugins/host.py | 4 ipaserver/plugins/service.py | 6 ++ ipatests/test_xmlrpc/test_host_plugin.py | 1 + ipatests/test_xmlrpc/test_service_plugin.py| 7 +++ ipatests/test_xmlrpc/tracker/host_plugin.py| 1 + ipatests/test_xmlrpc/tracker/service_plugin.py | 4 ++-- 11 files changed, 35 insertions(+), 2 deletions(-) diff --git a/install/ui/src/freeipa/certificate.js b/install/ui/src/freeipa/certificate.js index b86c6cf..d7a50d7 100755 --- a/install/ui/src/freeipa/certificate.js +++ b/install/ui/src/freeipa/certificate.js @@ -571,6 +571,7 @@ IPA.cert.loader = function(spec) { serial_number: result.serial_number, serial_number_hex: result.serial_number_hex, sha1_fingerprint: result.sha1_fingerprint, +sha256_fingerprint: result.sha256_fingerprint, subject: result.subject, valid_not_after: result.valid_not_after, valid_not_before: result.valid_not_before 
@@ -1578,6 +1579,9 @@ exp.create_cert_metadata = function() { add_param('sha1_fingerprint', text.get('@i18n:objects.cert.sha1_fingerprint'), text.get('@i18n:objects.cert.sha1_fingerprint')); +add_param('sha256_fingerprint', +text.get('@i18n:objects.cert.sha256_fingerprint'), +text.get('@i18n:objects.cert.sha256_fingerprint')); add_param('certificate', text.get('@i18n:objects.cert.certificate'), text.get('@i18n:objects.cert.certificate')); @@ -1755,6 +1759,7 @@ return { 'valid_not_before', 'valid_not_after', 'sha1_fingerprint', +'sha256_fingerprint', { $type: 'revocation_reason', name: 'revocation_reason' diff --git a/install/ui/test/data/cert_request.json b/install/ui/test/data/cert_request.json index f8d8544..c610830 100644 --- a/install/ui/test/data/cert_request.json +++ b/install/ui/test/data/cert_request.json @@ -8,6 +8,7 @@ "request_id": "1", "serial_number": "1", "sha1_fingerprint": "b8:4c:4b:79:4f:13:03:79:47:08:fa:6b:52:63:3d:f9:15:8e:7e:dc", +"sha256_fingerprint": "0f:3c:77:ed:c7:2b:09:5a:27:88:26:ca:91:e0:81:26:70:14:b1:cd:8e:fe:19:79:42:18:1b:02:07:70:25:30", "subject": "CN=dev.example.com,O=EXAMPLE.COM", "valid_not_after": "Tue Oct 13 01:59:32 2015 UTC", "valid_not_before": "Wed Oct 13 01:59:32 2010 UTC" diff --git a/install/ui/test/data/cert_show.json b/install/ui/test/data/cert_show.json index 4942e63..6f1e9d3 100644 --- a/install/ui/test/data/cert_show.json +++ b/install/ui/test/data/cert_show.json @@ -7,6 +7,7 @@ "issuer": "CN=Certificate Authority,O=EXAMPLE.COM", "serial_number": "1", "sha1_fingerprint": "b8:4c:4b:79:4f:13:03:79:47:08:fa:6b:52:63:3d:f9:15:8e:7e:dc", +"sha256_fingerprint": "0f:3c:77:ed:c7:2b:09:5a:27:88:26:ca:91:e0:81:26:70:14:b1:cd:8e:fe:19:79:42:18:1b:02:07:70:25:30", "subject": "CN=dev.example.com,O=EXAMPLE.COM", "valid_not_after": "Tue Oct 13 01:59:32 2015 UTC", "valid_not_before": "Wed Oct 13 01:59:32 2010 UTC" 
diff --git a/install/ui/test/data/service_show.json b/install/ui/test/data/service_show.json index 213dfff..597f3ad 100644 --- a/install/ui/test/data/service_show.json +++ b/install/ui/test/data/service_show.json @@ -50,6 +50,7 @@ "serial_number": "1", "serial_number_hex": "0x1", "sha1_fingerprint": "b8:4c:4b:79:4f:13:03:79:47:08:fa:6b:52:63:3d:f9:15:8e:7e:dc", +"sha256_fingerprint": "0f:3c:77:ed:c7:2b:09:5a:27:88:26:ca:91:e0:81:26:70:14:b1:cd:8e:fe:19:79:42:18:1b:02:07:70:25:30", "subject": "CN=dev.example.com,O=EXAMPLE.COM", "usercertificate": [ { diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index 585a70e..ebf57e1 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py @@ -349,6 +3
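Review bot: the `ipaserver/plugins/cert.py` hunk is cut off at `@@ -349,6 +3`, so the server-side code that computes the new `sha256_fingerprint` attribute is not visible in this message; please post or link the full diff for review. The only visible difference from the opened revision is the subject line (`[PATCH]` instead of `[PATCH 1/2]`) while the commit id `690ff813` and the diffstat are unchanged, which is consistent with the second commit having been dropped rather than this one having been modified.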
[Freeipa-devel] [freeipa PR#503][comment] [WIP] Update testcase for cert plugin
URL: https://github.com/freeipa/freeipa/pull/503
Title: #503: [WIP] Update testcase for cert plugin

Akasurde commented:
"""
@MartinBasti I am working on other improvements and will update this PR accordingly.

- [ ] Issuing CA
- [ ] Subject
- [ ] Issuer
- [ ] Serial number
- [ ] Serial number (hex)
- [ ] Status
- [ ] Revoked
"""

See the full comment at https://github.com/freeipa/freeipa/pull/503#issuecomment-282245287
[Freeipa-devel] [freeipa PR#504][comment] Add SHA256 fingerprints
URL: https://github.com/freeipa/freeipa/pull/504
Title: #504: Add SHA256 fingerprints

tomaskrizek commented:
"""
I've dropped the commit that modified the deprecated file.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/504#issuecomment-282247242
[Freeipa-devel] [freeipa PR#503][comment] [WIP] Update testcase for cert plugin
URL: https://github.com/freeipa/freeipa/pull/503
Title: #503: [WIP] Update testcase for cert plugin

MartinBasti commented:
"""
@Akasurde what is your opinion about creating a Tracker class for certificate?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/503#issuecomment-282247368
[Freeipa-devel] [freeipa PR#503][comment] [WIP] Update testcase for cert plugin
URL: https://github.com/freeipa/freeipa/pull/503
Title: #503: [WIP] Update testcase for cert plugin

Akasurde commented:
"""
@MartinBasti Will implement tracker class in different PR.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/503#issuecomment-282251828
[Freeipa-devel] [freeipa PR#505][opened] dns: fix `dnsrecord_add` interactive mode
URL: https://github.com/freeipa/freeipa/pull/505 Author: HonzaCholasta Title: #505: dns: fix `dnsrecord_add` interactive mode Action: opened PR body: """ `dnsrecord_add` interactive mode might prompt for value of non-existent arguments `a_part_create_reverse` and `_part_create_reverse`. This happens because `dnsrecord_add` extra flags are incorrectly defined as parts of the respective DNS records. Remove extra flags from DNS record parts to fix the interactive mode on old clients talking to new servers. Skip non-existent arguments in the interactive mode to fix new clients talking to old servers. https://fedorahosted.org/freeipa/ticket/6457 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/505/head:pr505 git checkout pr505 From 3e5ed07888cb523b89b5007b5017fdfbd91c47c0 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Thu, 23 Feb 2017 13:21:59 + Subject: [PATCH] dns: fix `dnsrecord_add` interactive mode `dnsrecord_add` interactive mode might prompt for value of non-existent arguments `a_part_create_reverse` and `_part_create_reverse`. This happens because `dnsrecord_add` extra flags are incorrectly defined as parts of the respective DNS records. Remove extra flags from DNS record parts to fix the interactive mode on old clients talking to new servers. Skip non-existent arguments in the interactive mode to fix new clients talking to old servers. https://fedorahosted.org/freeipa/ticket/6457 --- ipaclient/plugins/dns.py | 6 ++ ipaserver/plugins/dns.py | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/ipaclient/plugins/dns.py b/ipaclient/plugins/dns.py index 2d3c5e2..f671897 100644 --- a/ipaclient/plugins/dns.py +++ b/ipaclient/plugins/dns.py 
@@ -73,6 +73,10 @@ def prompt_parts(rrtype, cmd, mod_dnsvalue=None): return user_options for part_id, part in enumerate(rrobj.params()): +name = part_name_format % (rrtype.lower(), part.name) +if name not in cmd.params: +continue + if mod_parts: default = mod_parts[part_id] else: @@ -92,6 +96,8 @@ def prompt_missing_parts(rrtype, cmd, kw, prompt_optional=False): for part in rrobj.params(): name = part_name_format % (rrtype.lower(), part.name) +if name not in cmd.params: +continue if name in kw: continue diff --git a/ipaserver/plugins/dns.py b/ipaserver/plugins/dns.py index 40c9b51..7007928 100644 --- a/ipaserver/plugins/dns.py +++ b/ipaserver/plugins/dns.py @@ -3531,7 +3531,7 @@ def warning_suspicious_relative_name(self, result, *keys, **options): 'dns{}record'.format(param.rrtype.lower()), (Object,), dict( -takes_params=(param.parts or ()) + (param.extra or ()), +takes_params=param.parts or (), ) ) ) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
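Review bot: in the `prompt_parts` hunk, the new guard `name = part_name_format % (rrtype.lower(), part.name)` / `if name not in cmd.params: continue` runs before `default = mod_parts[part_id]`; because `part_id` comes from `enumerate(rrobj.params())`, skipping a part keeps the index aligned with `mod_parts`, so the indexing stays correct. A one-line comment saying the skip exists so new clients can talk to old servers (as the commit message explains) would help, since a bare `continue` otherwise reads like a dropped prompt. In `prompt_missing_parts` the same check is placed ahead of `if name in kw: continue`, which is the right order. In the `ipaserver/plugins/dns.py` hunk, `takes_params=param.parts or ()` removes `param.extra` from the generated `dns{}record` objects; please confirm nothing else resolves the extra flags (the `*_part_create_reverse` names from the description) through those objects, since that lookup path is exactly what produced the spurious prompts on old clients.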
[Freeipa-devel] [freeipa PR#506][opened] added ssl verification
URL: https://github.com/freeipa/freeipa/pull/506 Author: tscherf Title: #506: added ssl verification Action: opened PR body: """ """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/506/head:pr506 git checkout pr506 From 05b8e70807e182047177472fbdd44bba9445ff1a Mon Sep 17 00:00:00 2001 From: Thorsten Scherf Date: Fri, 24 Feb 2017 10:59:09 +0100 Subject: [PATCH] added ssl verification --- ipaserver/secrets/client.py | 1 + 1 file changed, 1 insertion(+) diff --git a/ipaserver/secrets/client.py b/ipaserver/secrets/client.py index a945e01..3c7a055 100644 --- a/ipaserver/secrets/client.py +++ b/ipaserver/secrets/client.py @@ -96,6 +96,7 @@ def fetch_key(self, keyname, store=True): # Perform request r = requests.get(url, headers=headers, + verify=paths.IPA_CA_CRT, params={'type': 'kem', 'value': request}) r.raise_for_status() reply = r.json() -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
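Review bot: the hunk adds `verify=paths.IPA_CA_CRT` to the `requests.get` call in `fetch_key` but shows no import, and the diffstat reports a single insertion in `ipaserver/secrets/client.py`; please confirm `paths` is already imported in that module, otherwise the call raises `NameError` at request time rather than at import. The change also alters trust semantics: passing a file path as `verify` makes requests validate the peer against that bundle instead of the system trust store, so the server's HTTP certificate must chain to whatever `paths.IPA_CA_CRT` contains. The commit message (currently just "added ssl verification", no body) should state that intent and reference the ticket, since the title alone suggests verification was previously disabled.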
[Freeipa-devel] [freeipa PR#506][comment] added ssl verification
URL: https://github.com/freeipa/freeipa/pull/506
Title: #506: added ssl verification

tiran commented:
"""
Why do you propose to change the settings? By default python-requests enforces certificate validation. Without additional settings, it uses the system trust store. The IPA root CA is injected into the system trust store.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/506#issuecomment-282253632
[Freeipa-devel] [freeipa PR#506][comment] added ssl verification
URL: https://github.com/freeipa/freeipa/pull/506
Title: #506: added ssl verification

HonzaCholasta commented:
"""
We don't want to trust certificates issued by random internet CAs, this is how it should have been from the beginning. A commit message would be nice though. @tscherf, please add this ticket URL to the commit message: https://fedorahosted.org/freeipa/ticket/6686
"""

See the full comment at https://github.com/freeipa/freeipa/pull/506#issuecomment-282254224
[Freeipa-devel] [freeipa PR#506][synchronized] added ssl verification
URL: https://github.com/freeipa/freeipa/pull/506 Author: tscherf Title: #506: added ssl verification Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/506/head:pr506 git checkout pr506 From 051af0fda6e38d6c80db6046fd2c1f686a7f44ca Mon Sep 17 00:00:00 2001 From: Thorsten Scherf Date: Fri, 24 Feb 2017 11:16:40 +0100 Subject: [PATCH] added ssl verification https://fedorahosted.org/freeipa/ticket/6686 --- ipaserver/secrets/client.py | 1 + 1 file changed, 1 insertion(+) diff --git a/ipaserver/secrets/client.py b/ipaserver/secrets/client.py index a945e01..3c7a055 100644 --- a/ipaserver/secrets/client.py +++ b/ipaserver/secrets/client.py @@ -96,6 +96,7 @@ def fetch_key(self, keyname, store=True): # Perform request r = requests.get(url, headers=headers, + verify=paths.IPA_CA_CRT, params={'type': 'kem', 'value': request}) r.raise_for_status() reply = r.json() -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#506][comment] added ssl verification
URL: https://github.com/freeipa/freeipa/pull/506
Title: #506: added ssl verification

tiran commented:
"""
Please change the title of the commit, too. It implies that we did not verify certs in the past.

In the future please don't call the system trust store a random collection of CAs. It's diminishing and vilifying the hard work of the security team to provide a secure selection of CA certs. This change is purely an attempt to harden IPA and use the same selection of CAs everywhere.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/506#issuecomment-282259839
[Freeipa-devel] [freeipa PR#506][comment] added ssl verification
URL: https://github.com/freeipa/freeipa/pull/506
Title: #506: added ssl verification

tscherf commented:
"""
When the system wide trust store is supposed to be used here, then something else must be broken somewhere in the verification code. Without explicitly using the IPA trust anchor stored in IPA_CA_CRT, the installer failed with an "[SSL: CERTIFICATE_VERIFY_FAILED]" error. We have seen this in CA-less and chained CA setups.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/506#issuecomment-282262743
[Freeipa-devel] [freeipa PR#506][closed] added ssl verification
URL: https://github.com/freeipa/freeipa/pull/506
Author: tscherf
Title: #506: added ssl verification
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/506/head:pr506
git checkout pr506
[Freeipa-devel] [freeipa PR#506][synchronized] added ssl verification
URL: https://github.com/freeipa/freeipa/pull/506
Author: tscherf
Title: #506: added ssl verification
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/506/head:pr506
git checkout pr506
[Freeipa-devel] [freeipa PR#506][reopened] added ssl verification
URL: https://github.com/freeipa/freeipa/pull/506 Author: tscherf Title: #506: added ssl verification Action: reopened To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/506/head:pr506 git checkout pr506
[Freeipa-devel] [freeipa PR#506][comment] added ssl verification
URL: https://github.com/freeipa/freeipa/pull/506 Title: #506: added ssl verification tscherf commented: """ Sorry, closed this by mistake. """ See the full comment at https://github.com/freeipa/freeipa/pull/506#issuecomment-282263664 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#506][synchronized] added ssl verification
URL: https://github.com/freeipa/freeipa/pull/506 Author: tscherf Title: #506: added ssl verification Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/506/head:pr506 git checkout pr506 From ad8017a44cc9775f8e5550b3b1e3de6acbdb5815 Mon Sep 17 00:00:00 2001 From: Thorsten Scherf Date: Fri, 24 Feb 2017 11:53:46 +0100 Subject: [PATCH] added ssl verification using IPA trust anchor https://fedorahosted.org/freeipa/ticket/6686 --- ipaserver/secrets/client.py | 1 + 1 file changed, 1 insertion(+) diff --git a/ipaserver/secrets/client.py b/ipaserver/secrets/client.py index a945e01..3c7a055 100644 --- a/ipaserver/secrets/client.py +++ b/ipaserver/secrets/client.py @@ -96,6 +96,7 @@ def fetch_key(self, keyname, store=True): # Perform request r = requests.get(url, headers=headers, + verify=paths.IPA_CA_CRT, params={'type': 'kem', 'value': request}) r.raise_for_status() reply = r.json()
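Review bot: the one-line hunk adds `verify=paths.IPA_CA_CRT` to the requests.get() call in fetch_key() but does not show `paths` being imported in ipaserver/secrets/client.py; please confirm the module already has the ipaplatform import (`from ipaplatform.paths import paths`), otherwise the first fetch_key() call fails with a NameError instead of a verification error. A short comment above the call stating that the IPA CA file, not the system trust store, is the intended anchor (the CA-less and chained-CA failures described earlier in this thread) would spare the next reader the same detour, and a test that runs fetch_key() against a server whose certificate chains to a CA absent from the system store would pin that behaviour.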
[Freeipa-devel] [freeipa PR#504][synchronized] Add SHA256 fingerprints
URL: https://github.com/freeipa/freeipa/pull/504 Author: tomaskrizek Title: #504: Add SHA256 fingerprints Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/504/head:pr504 git checkout pr504 From 6664a947ad9203c9c6d671c4a55d535e8c8d6c2e Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Thu, 23 Feb 2017 17:03:01 +0100 Subject: [PATCH] Add SHA256 fingerprints for certs https://fedorahosted.org/freeipa/ticket/6701 --- install/ui/src/freeipa/certificate.js | 5 + install/ui/test/data/cert_request.json | 1 + install/ui/test/data/cert_show.json| 1 + install/ui/test/data/service_show.json | 1 + ipaserver/plugins/cert.py | 7 +++ ipaserver/plugins/host.py | 4 ipaserver/plugins/service.py | 6 ++ ipatests/test_xmlrpc/test_host_plugin.py | 1 + ipatests/test_xmlrpc/test_service_plugin.py| 7 +++ ipatests/test_xmlrpc/tracker/host_plugin.py| 1 + ipatests/test_xmlrpc/tracker/service_plugin.py | 4 ++-- 11 files changed, 36 insertions(+), 2 deletions(-) diff --git a/install/ui/src/freeipa/certificate.js b/install/ui/src/freeipa/certificate.js index b86c6cf..d7a50d7 100755 --- a/install/ui/src/freeipa/certificate.js +++ b/install/ui/src/freeipa/certificate.js @@ -571,6 +571,7 @@ IPA.cert.loader = function(spec) { serial_number: result.serial_number, serial_number_hex: result.serial_number_hex, sha1_fingerprint: result.sha1_fingerprint, +sha256_fingerprint: result.sha256_fingerprint, subject: result.subject, valid_not_after: result.valid_not_after, valid_not_before: result.valid_not_before 
@@ -1578,6 +1579,9 @@ exp.create_cert_metadata = function() { add_param('sha1_fingerprint', text.get('@i18n:objects.cert.sha1_fingerprint'), text.get('@i18n:objects.cert.sha1_fingerprint')); +add_param('sha256_fingerprint', +text.get('@i18n:objects.cert.sha256_fingerprint'), +text.get('@i18n:objects.cert.sha256_fingerprint')); add_param('certificate', text.get('@i18n:objects.cert.certificate'), text.get('@i18n:objects.cert.certificate')); @@ -1755,6 +1759,7 @@ return { 'valid_not_before', 'valid_not_after', 'sha1_fingerprint', +'sha256_fingerprint', { $type: 'revocation_reason', name: 'revocation_reason' diff --git a/install/ui/test/data/cert_request.json b/install/ui/test/data/cert_request.json index f8d8544..c610830 100644 --- a/install/ui/test/data/cert_request.json +++ b/install/ui/test/data/cert_request.json @@ -8,6 +8,7 @@ "request_id": "1", "serial_number": "1", "sha1_fingerprint": "b8:4c:4b:79:4f:13:03:79:47:08:fa:6b:52:63:3d:f9:15:8e:7e:dc", +"sha256_fingerprint": "0f:3c:77:ed:c7:2b:09:5a:27:88:26:ca:91:e0:81:26:70:14:b1:cd:8e:fe:19:79:42:18:1b:02:07:70:25:30", "subject": "CN=dev.example.com,O=EXAMPLE.COM", "valid_not_after": "Tue Oct 13 01:59:32 2015 UTC", "valid_not_before": "Wed Oct 13 01:59:32 2010 UTC" diff --git a/install/ui/test/data/cert_show.json b/install/ui/test/data/cert_show.json index 4942e63..6f1e9d3 100644 --- a/install/ui/test/data/cert_show.json +++ b/install/ui/test/data/cert_show.json @@ -7,6 +7,7 @@ "issuer": "CN=Certificate Authority,O=EXAMPLE.COM", "serial_number": "1", "sha1_fingerprint": "b8:4c:4b:79:4f:13:03:79:47:08:fa:6b:52:63:3d:f9:15:8e:7e:dc", +"sha256_fingerprint": "0f:3c:77:ed:c7:2b:09:5a:27:88:26:ca:91:e0:81:26:70:14:b1:cd:8e:fe:19:79:42:18:1b:02:07:70:25:30", "subject": "CN=dev.example.com,O=EXAMPLE.COM", "valid_not_after": "Tue Oct 13 01:59:32 2015 UTC", "valid_not_before": "Wed Oct 13 01:59:32 2010 UTC" 
diff --git a/install/ui/test/data/service_show.json b/install/ui/test/data/service_show.json index 213dfff..597f3ad 100644 --- a/install/ui/test/data/service_show.json +++ b/install/ui/test/data/service_show.json @@ -50,6 +50,7 @@ "serial_number": "1", "serial_number_hex": "0x1", "sha1_fingerprint": "b8:4c:4b:79:4f:13:03:79:47:08:fa:6b:52:63:3d:f9:15:8e:7e:dc", +"sha256_fingerprint": "0f:3c:77:ed:c7:2b:09:5a:27:88:26:ca:91:e0:81:26:70:14:b1:cd:8e:fe:19:79:42:18:1b:02:07:70:25:30", "subject": "CN=dev.example.com,O=EXAMPLE.COM", "usercertificate": [ { diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index 585a70e..a60dc41 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py @@ -350,6 +
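Review bot: the create_cert_metadata hunk in install/ui/src/freeipa/certificate.js registers the new parameter with the message key `@i18n:objects.cert.sha256_fingerprint`, but none of the 11 files in the diffstat is the one that defines the `objects.cert.*` Web UI messages, so unless that key already exists the UI will render the raw key as the field label; add the string beside the existing `sha1_fingerprint` message in the same patch.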
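Review bot: the three test-data hunks (cert_request.json, cert_show.json, service_show.json) add the same `sha256_fingerprint` value next to the existing `sha1_fingerprint`; both must be digests of the same test certificate, so please say in the commit message that the value was computed from that certificate (for example with `openssl x509 -noout -fingerprint -sha256`) rather than typed in, because a mismatch in fixture data would only surface when someone compares the UI output against the real certificate.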
[Freeipa-devel] [freeipa PR#506][comment] added ssl verification
URL: https://github.com/freeipa/freeipa/pull/506 Title: #506: added ssl verification tiran commented: """ LGTM, but I want @simo5 to give the final ACK. Since Custodia is only used during replica installation on an enrolled system, ipa-client-install has already provided the certificate. I don't see any issue in the proposed fix. ```ipaserver.secrets.client``` does not yet use Custodia's own client library. I'll keep the problem in mind once we have updated to recent Custodia version. """ See the full comment at https://github.com/freeipa/freeipa/pull/506#issuecomment-282272478 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#507][opened] Use https to get security domain from Dogtag
URL: https://github.com/freeipa/freeipa/pull/507 Author: tiran Title: #507: Use https to get security domain from Dogtag Action: opened PR body: """ Signed-off-by: Christian Heimes """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/507/head:pr507 git checkout pr507 From 50b52ca415e448f45f7a90e4516e67d96f5cdc0e Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Fri, 24 Feb 2017 13:00:25 +0100 Subject: [PATCH] Use https to get security domain from Dogtag Signed-off-by: Christian Heimes --- ipaserver/install/dogtaginstance.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py index cbaaa25..da82345 100644 --- a/ipaserver/install/dogtaginstance.py +++ b/ipaserver/install/dogtaginstance.py @@ -51,7 +51,7 @@ def get_security_domain(): Get the security domain from the REST interface on the local Dogtag CA This function will succeed if the local dogtag CA is up. """ -connection = PKIConnection() +connection = PKIConnection(protocol='https', port='8443') domain_client = pki.system.SecurityDomainClient(connection) info = domain_client.get_security_domain_info() return info
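Review bot: the hunk replaces the default `PKIConnection()` in get_security_domain() with `PKIConnection(protocol='https', port='8443')`, but nothing in the diff or the empty PR body says which CA bundle that connection verifies the Dogtag server certificate against; since the stated purpose is hardening, please record in the commit message (or pass explicitly) what the connection trusts, because https without verification only adds encryption to what is already a read on localhost. If the installer already keeps the Dogtag HTTPS port in a named constant, reference it instead of the literal '8443' so the two cannot drift apart.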
[Freeipa-devel] [freeipa PR#506][edited] Use IPA CA cert in Custodia secrets client
URL: https://github.com/freeipa/freeipa/pull/506 Author: tscherf Title: #506: Use IPA CA cert in Custodia secrets client Action: edited Changed field: title Original value: """ added ssl verification """
[Freeipa-devel] [freeipa PR#367][comment] Remove nsslib from IPA
URL: https://github.com/freeipa/freeipa/pull/367 Title: #367: Remove nsslib from IPA stlaz commented: """ The issues from the previous build should be resolved now, can be reviewed, hopefully the build passes. """ See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-282277991
[Freeipa-devel] [freeipa PR#507][comment] Use https to get security domain from Dogtag
URL: https://github.com/freeipa/freeipa/pull/507 Title: #507: Use https to get security domain from Dogtag pvoborni commented: """ What is a context of this patch? Is something broken only in master. Or also 4.4, Fedora, RHEL,...? """ See the full comment at https://github.com/freeipa/freeipa/pull/507#issuecomment-282280330 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#507][comment] Use https to get security domain from Dogtag
URL: https://github.com/freeipa/freeipa/pull/507 Title: #507: Use https to get security domain from Dogtag pvoborni commented: """ I.e. I want to know if something needs to be or should be backported. """ See the full comment at https://github.com/freeipa/freeipa/pull/507#issuecomment-282281077 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#507][comment] Use https to get security domain from Dogtag
URL: https://github.com/freeipa/freeipa/pull/507 Title: #507: Use https to get security domain from Dogtag tiran commented: """ The patch hardens the installer a bit. It would be a good idea to backport the patch to 4.4. It's not critical since it's a read operation on localhost. """ See the full comment at https://github.com/freeipa/freeipa/pull/507#issuecomment-282281583
[Freeipa-devel] [freeipa PR#506][comment] Use IPA CA cert in Custodia secrets client
URL: https://github.com/freeipa/freeipa/pull/506 Title: #506: Use IPA CA cert in Custodia secrets client simo5 commented: """ Works for me. """ See the full comment at https://github.com/freeipa/freeipa/pull/506#issuecomment-282282986
[Freeipa-devel] [freeipa PR#479][comment] Merge AD trust installer into composite ones
URL: https://github.com/freeipa/freeipa/pull/479 Title: #479: Merge AD trust installer into composite ones MartinBasti commented: """ Works for me, except that ipa-server-install --setup-adtrust works even without the freeipa-server-trust-ad package. Please fix this in a new PR in the way DNS is done. """ See the full comment at https://github.com/freeipa/freeipa/pull/479#issuecomment-282312799
[Freeipa-devel] [freeipa PR#479][+ack] Merge AD trust installer into composite ones
URL: https://github.com/freeipa/freeipa/pull/479 Title: #479: Merge AD trust installer into composite ones Label: +ack
[Freeipa-devel] Adding a User-Managed YubiKey Hardware Token valueerror: no backend available
While I'm trying to add an IPA token to the FreeIPA server: ipa otptoken-add-yubikey --slot=2 I got the following error:

ipa: ERROR: non-public: ValueError: No backend available
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 137, in execute
    result = self.Command[_name](*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 449, in __call__
    return self.__do_call(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 477, in __do_call
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 800, in run
    return self.forward(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipaclient/plugins/otptoken_yubikey.py", line 120, in forward
    yk = yubico.find_yubikey()
  File "/usr/lib/python2.7/site-packages/yubico/yubikey.py", line 229, in find_key
    YK = YubiKeyUSBHID(debug=debug, skip=skip)
  File "/usr/lib/python2.7/site-packages/yubico/yubikey_usb_hid.py", line 165, in __init__
    if not self._open(skip):
  File "/usr/lib/python2.7/site-packages/yubico/yubikey_usb_hid.py", line 447, in _open
    usb_device = self._get_usb_device(skip)
  File "/usr/lib/python2.7/site-packages/yubico/yubikey_usb_hid.py", line 497, in _get_usb_device
    find_all=True, idVendor=_YUBICO_VID)]
  File "/usr/lib/python2.7/site-packages/usb/core.py", line 864, in find
    raise ValueError('No backend available')
ValueError: No backend available
ipa: ERROR: an internal error has occurred

How can I fix this?

Thanks,
Re: [Freeipa-devel] Adding a User-Managed YubiKey Hardware Token valueerror: no backend available
On Fri, 24 Feb 2017, Oucema Bellagha wrote:
> While I'm trying to add an IPA token to the FreeIPA server: ipa otptoken-add-yubikey --slot=2 I got the following error:
>
> ipa: ERROR: non-public: ValueError: No backend available
> Traceback (most recent call last):
>   File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 137, in execute
>     result = self.Command[_name](*args, **options)
>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 449, in __call__
>     return self.__do_call(*args, **options)
>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 477, in __do_call
>     ret = self.run(*args, **options)
>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 800, in run
>     return self.forward(*args, **options)
>   File "/usr/lib/python2.7/site-packages/ipaclient/plugins/otptoken_yubikey.py", line 120, in forward
>     yk = yubico.find_yubikey()
>   File "/usr/lib/python2.7/site-packages/yubico/yubikey.py", line 229, in find_key
>     YK = YubiKeyUSBHID(debug=debug, skip=skip)
>   File "/usr/lib/python2.7/site-packages/yubico/yubikey_usb_hid.py", line 165, in __init__
>     if not self._open(skip):
>   File "/usr/lib/python2.7/site-packages/yubico/yubikey_usb_hid.py", line 447, in _open
>     usb_device = self._get_usb_device(skip)
>   File "/usr/lib/python2.7/site-packages/yubico/yubikey_usb_hid.py", line 497, in _get_usb_device
>     find_all=True, idVendor=_YUBICO_VID)]
>   File "/usr/lib/python2.7/site-packages/usb/core.py", line 864, in find
>     raise ValueError('No backend available')
> ValueError: No backend available
> ipa: ERROR: an internal error has occurred
>
> How can I fix this?

Install actual libusb package? pyusb is designed to work against various usb library implementations. In Fedora there are at least two: libusbx and libusb. Install one of them.

What does the following small python script return on your system?

--
from usb.libloader import locate_library
# each call prints the shared library name pyusb would load, or None if not found
print locate_library(('usb-1.0', 'libusb-1.0', 'usb'))
print locate_library(('usb-0.1', 'libusb-0.1', 'usb'))
---

--
/ Alexander Bokovoy
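To see which of pyusb's backends is actually usable on a host, here is an added diagnostic script that repeats the probe usb.core.find() performs before it raises "No backend available"; it is not from the thread or from FreeIPA, and it assumes only that the pyusb package (`usb`) may or may not be installed.

```python
"""Diagnose pyusb's "No backend available" error (added example).

usb.core.find() tries pyusb's backend modules in order (libusb1,
openusb, libusb0); each get_backend() returns None when its native
library cannot be loaded, and when all three return None find() raises
ValueError('No backend available'), which is what surfaced through
ipa otptoken-add-yubikey above.  This script repeats that probe and
explains the outcome.  Assumption: pyusb may or may not be installed.
"""
import importlib

# pyusb's own preference order inside usb.core.find()
BACKEND_MODULES = (
    "usb.backend.libusb1",
    "usb.backend.openusb",
    "usb.backend.libusb0",
)


def probe_backends():
    """Return {module name: True | False | None}.

    True  - native library loaded; usb.core.find() could use this backend
    False - pyusb is installed but this backend's library is missing
    None  - the backend module itself could not be imported (no pyusb)
    """
    result = {}
    for name in BACKEND_MODULES:
        try:
            module = importlib.import_module(name)
        except ImportError:
            result[name] = None
            continue
        try:
            # get_backend() returns None instead of raising when the
            # shared library (e.g. libusb-1.0.so) cannot be located
            result[name] = module.get_backend() is not None
        except Exception:  # a broken library load counts as unusable
            result[name] = False
    return result


def diagnose(probe):
    """Explain a probe_backends() result in terms of the ipa error."""
    if all(probe.get(name) is None for name in BACKEND_MODULES):
        return ("pyusb is not installed: ipa otptoken-add-yubikey cannot "
                "enumerate USB devices at all")
    usable = [name for name in BACKEND_MODULES if probe.get(name)]
    if usable:
        # same choice usb.core.find() makes: the first usable backend wins
        return "usb.core.find() would use " + usable[0]
    return ("No backend available: pyusb is installed but none of "
            "libusb-1.0, openusb or libusb-0.1 could be loaded; "
            "install a libusb package (libusbx or libusb on Fedora)")


if __name__ == "__main__":
    probe = probe_backends()
    labels = {True: "usable", False: "missing", None: "no pyusb"}
    for name in BACKEND_MODULES:
        print("%-24s %s" % (name, labels[probe[name]]))
    print(diagnose(probe))
```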
[Freeipa-devel] [freeipa PR#508][opened] Fix ipa.service unit re. gssproxy
URL: https://github.com/freeipa/freeipa/pull/508 Author: flo-renaud Title: #508: Fix ipa.service unit re. gssproxy Action: opened PR body: """ ipa.service unit defines Requires=gssproxy. Because of this, during ipa-server-upgrade, the restart of gssproxy triggers a restart of ipa unit (hence stopping LDAP server and breaking the connection api.Backend.ldap2). Calls using this connection after gssproxy restart fail and ipa-server-upgrade exits on failure. The fix defines Wants=gssproxy to avoid the restart of ipa.service https://fedorahosted.org/freeipa/ticket/6705 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/508/head:pr508 git checkout pr508 From 44748f2fea7a602c3d047a593738274c285e2847 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: Fri, 24 Feb 2017 22:04:42 +0100 Subject: [PATCH] Fix ipa.service unit re. gssproxy ipa.service unit defines Requires=gssproxy. Because of this, during ipa-server-upgrade, the restart of gssproxy triggers a restart of ipa unit (hence stopping LDAP server and breaking the connection api.Backend.ldap2). Calls using this connection after gssproxy restart fail and ipa-server-upgrade exits on failure. The fix defines Wants=gssproxy to avoid the restart of ipa.service https://fedorahosted.org/freeipa/ticket/6705 --- init/systemd/ipa.service.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/init/systemd/ipa.service.in b/init/systemd/ipa.service.in index 4c924d5..ceb360c 100644 --- a/init/systemd/ipa.service.in +++ b/init/systemd/ipa.service.in @@ -1,7 +1,7 @@ [Unit] Description=Identity, Policy, Audit Requires=network.target -Requires=gssproxy.service +Wants=gssproxy.service After=network.target [Service]
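Review bot: changing `Requires=gssproxy.service` to `Wants=gssproxy.service` stops a gssproxy restart from propagating to ipa.service, as the commit message intends, but the visible [Unit] section still carries only `After=network.target`: neither Requires= nor Wants= orders units, so gssproxy may still come up after the IPA services that rely on it. Consider adding `After=gssproxy.service` in the same change, and note in the commit message that with Wants= a failed gssproxy no longer prevents ipa.service from starting, which is the trade-off being accepted here.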
[Freeipa-devel] [freeipa PR#508][comment] Fix ipa.service unit re. gssproxy
URL: https://github.com/freeipa/freeipa/pull/508 Title: #508: Fix ipa.service unit re. gssproxy abbra commented: """ LGTM. Thank you for finding and fixing this issue. """ See the full comment at https://github.com/freeipa/freeipa/pull/508#issuecomment-282467859
[Freeipa-devel] [freeipa PR#508][+ack] Fix ipa.service unit re. gssproxy
URL: https://github.com/freeipa/freeipa/pull/508 Title: #508: Fix ipa.service unit re. gssproxy Label: +ack