
Double escape @ in realm to avoid shell interpretation #211

Merged
merged 1 commit into from
May 1, 2023

Conversation

jrafanie
Member

@jrafanie jrafanie commented May 1, 2023

From:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/managing-kerberos-aliases

"When adding or removing enterprise principal aliases, escape the @ symbol using two backslashes (\\). Otherwise, the shell interprets the @ symbol as part of the Kerberos realm name and leads to the following error:
ipa: ERROR: The realm for the principal does not match the realm for this IPA server"

Also mentioned in:
https://www.freeipa.org/page/V4/Kerberos_principal_aliases

"Be careful to escape '@' in the enterprise principal name, otherwise the framework will complain about bad realm"

How to recreate and test this:

  1. Deploy a recent new appliance
  2. Configure ipa client using the demo environment: https://www.freeipa.org/page/Demo
  3. kinit helpdesk # or any other user configured on the demo env webpage
  4. Run appliance_console_cli --http-cert

This recreates the "realm does not match" error above.

Applying this code change allows us to get further, but it fails because we're not configured to make changes such as adding aliases on the ipa server.

@jrafanie jrafanie added the bug label May 1, 2023
@miq-bot
Member

miq-bot commented May 1, 2023

Checked commit jrafanie@286eefb with ruby 2.6.10, rubocop 1.28.2, haml-lint 0.35.0, and yamllint
3 files checked, 0 offenses detected
Everything looks fine. ⭐

@@ -15,7 +15,7 @@ def initialize(options = {})
options.each { |n, v| public_send("#{n}=", v) }
@ca_name ||= "ipa"
@realm = @realm.upcase if @realm
@name ||= "#{service}/#{hostname}@#{realm}"
@name ||= "#{service}/#{hostname}\\@#{realm}"
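Review bot: the escape is baked into the stored value of @name rather than applied where the ipa command line is assembled, so every consumer of @name now sees the literal `\@`, including the `getcert request -K SERVICE/host@REALM` call discussed later in this thread, which needs the unescaped realm separator. Two follow-ups: because the assignment is `||=`, a name supplied through `options` (applied by `options.each { |n, v| public_send("#{n}=", v) }` just above) bypasses the escape entirely; and since `ipa service-find`/`service-add` take the principal without a realm, consider keeping @name as the plain `"#{service}/#{hostname}@#{realm}"` and deriving the realm-less `"#{service}/#{hostname}"` form only for the arguments passed to those two commands.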
Member Author

If @name is presented to the user, we might want to escape these @ later, before we run the two AwesomeSpawn.run commands below. But for now, I think this is the surgical way to fix this.

@Fryguy Fryguy merged commit c37f7bb into ManageIQ:master May 1, 2023
@Fryguy
Member

Fryguy commented May 1, 2023

Does this need to go back to Petrosian?

@jrafanie jrafanie deleted the double_escape_realm branch May 1, 2023 16:45
@jrafanie
Member Author

jrafanie commented May 1, 2023

Does this need to go back to Petrosian?

Yes, I think so. I guess we need a new release so we can require it in petrosian.

@Fryguy Fryguy self-assigned this May 2, 2023
@Fryguy
Member

Fryguy commented May 2, 2023

How to recreate and test this:

1. Deploy a recent new appliance

2. Configure ipa client using the demo environment: https://www.freeipa.org/page/Demo

3. kinit helpdesk # or any other user configured on the demo env webpage

4. Run appliance_console_cli --http-cert

This recreates the "realm does not match" error above.

Can you possibly add this to the guides/external_auth documentation? It's very useful.

jrafanie added a commit to jrafanie/guides that referenced this pull request May 2, 2023
Fryguy added a commit that referenced this pull request May 3, 2023
Double escape @ in realm to avoid shell interpretation

(cherry picked from commit c37f7bb)
Fryguy added a commit that referenced this pull request May 3, 2023
Fixes:
- Remove MIQ specific gem source [#209]
- Double escape @ in realm to avoid shell interpretation [#211]
jrafanie added a commit to jrafanie/manageiq-appliance_console that referenced this pull request Jun 22, 2023
Fix incomplete fix in ManageIQ#211.

We have two concepts that were being shared.
* kerberos principal name
* service principal name

getcert requires the kerberos principal name with the kerberos realm included:
getcert request -K SERVICE/host@REALM

See https://github.com/ManageIQ/manageiq-appliance_console/blob/9ce14c3087930322bbeac0e2f5a9723d92eea71a/lib/manageiq/appliance_console/certificate.rb#L143-L149 for usage.

ipa service-find and service-add use the service principal name, which doesn't include
the kerberos realm as that's assumed based on configuration and cannot be changed without
changing the configuration:

ipa service-find  --principal SERVICE/host

This commit clarifies these differences and uses the correct mechanism for service-add, service-find, and getcert.
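To make concrete the two points the thread above draws (the `\@` escaping rule quoted from the IPA docs in the PR description, and the kerberos-versus-service principal split in the commit message just above), here is an added Ruby example that is not part of manageiq-appliance_console: it models a principal parser that honours `\@`, reproduces the realm-mismatch condition the escape avoids, and builds the realm-less form for `ipa service-find`/`service-add` beside the realm-bearing form for `getcert -K`. The parser is a simplified model of the Kerberos/IPA splitting rule rather than IPA's own code, and all function names are assumptions.

```ruby
require "shellwords"

# Split "name@REALM" into [name, realm] on the first '@' that is not escaped by
# a backslash; "\@" inside the name part becomes a literal '@'. This is a
# simplified model of the Kerberos/IPA parsing rule, not IPA's own code.
def split_principal(principal)
  name = +""
  i = 0
  while i < principal.length
    c = principal[i]
    if c == "\\" && i + 1 < principal.length
      name << principal[i + 1]                # "\@" -> "@", kept in the name
      i += 2
    elsif c == "@"
      return [name, principal[(i + 1)..-1]]   # everything after is the realm
    else
      name << c
      i += 1
    end
  end
  [name, nil]                                 # no realm component given
end

# The server-side condition behind
#   "ipa: ERROR: The realm for the principal does not match the realm for this IPA server"
def realm_matches?(principal, server_realm)
  _name, realm = split_principal(principal)
  realm.nil? || realm == server_realm
end

# Escape '@' inside a name part (enterprise principal aliases such as
# user@example.com) so the split above keeps it in the name.
def escape_name_part(name)
  name.gsub("@") { "\\@" }
end

# The two names the thread distinguishes, plus the argv each command gets.
# Quoting happens once, here, via Shellwords; nothing is stored pre-escaped.
def principal_names(service, hostname, realm)
  service_principal  = "#{service}/#{hostname}"               # ipa service-find/add
  kerberos_principal = "#{service_principal}@#{realm.upcase}"  # getcert request -K
  {
    service_principal:  service_principal,
    kerberos_principal: kerberos_principal,
    ipa_cmd:     Shellwords.join(["ipa", "service-find", "--principal", service_principal]),
    getcert_cmd: Shellwords.join(["getcert", "request", "-K", kerberos_principal])
  }
end
```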
Fryguy added a commit that referenced this pull request Feb 7, 2024
Fixed
- Fix sporadic test failure [#204]
- Remove MIQ specific gem source [#209]
- Double escape @ in realm to avoid shell interpretation [#211]
- Move gem name loader to proper namespaced location [#208]
- Separate kerberos from service principal name and use correctly [#215]
- Add manageiq user to allowed_uids for sssd [#220]
- Remove warning about using pg_dump [#221]
- Fix specs where AwesomeSpawn private interface changed [#224]
- Change the Name of the CA from something to ApplianceCA [#228]
- Fix YAML.load_file failing on aliases [#234]

Added
- Make backward compatible changes to work with repmgr13 - version 5.2.1 [#192]
- Support Ruby 3.0 [#206]
- Support Ruby 3.1 [#227]
- Allow rails 7 gems in gemspec [#226]

Changed
- Update to Highline 2.1.0 [#201]
- Clean up test output (highline and stdout messages) [#210]

Removed
- Drop Ruby 2.7 [#223]