Double escape @ in realm to avoid shell interpretation #211
From: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/managing-kerberos-aliases

"When adding or removing enterprise principal aliases, escape the @ symbol using two backslashes (\\). Otherwise, the shell interprets the @ symbol as part of the Kerberos realm name and leads to the following error:

ipa: ERROR: The realm for the principal does not match the realm for this IPA server"

Also mentioned in: https://www.freeipa.org/page/V4/Kerberos_principal_aliases

"Be careful to escape '@' in the enterprise principal name, otherwise the framework will complain about bad realm"

How to recreate and test this:

1) Deploy a recent new appliance
2) Configure ipa client using the demo environment: https://www.freeipa.org/page/Demo
3) kinit helpdesk # or any other user configured on the demo env webpage
4) Run appliance_console_cli --http-cert

This recreates the realm does not match error above.

Applying this code change allows us to get further but fails because we're not configured to make changes such as adding aliases on the ipa server.
Checked commit jrafanie@286eefb with ruby 2.6.10, rubocop 1.28.2, haml-lint 0.35.0, and yamllint
@@ -15,7 +15,7 @@ def initialize(options = {}) | |||
options.each { |n, v| public_send("#{n}=", v) } | |||
@ca_name ||= "ipa" | |||
@realm = @realm.upcase if @realm | |||
@name ||= "#{service}/#{hostname}@#{realm}" | |||
@name ||= "#{service}/#{hostname}\\@#{realm}" |
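Review bot: the new default on `@name ||= "#{service}/#{hostname}\\@#{realm}"` bakes a shell-quoting concern into the stored attribute, so every consumer of @name (anything that displays or logs it, and the ipa service-find/service-add calls, which take a realm-less service principal) now receives a literal backslash rather than the principal itself. Suggest keeping @name as the plain `SERVICE/host@REALM` and applying the `\@` substitution only when building the argument for the one command that needs it, e.g. `name.sub("@", "\\@")` at the AwesomeSpawn.run call site. Note also that the guard on the line above (`@realm = @realm.upcase if @realm`) only uppercases; with @realm nil the default name still ends in a dangling `\@`, which this change does not address.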
If @name is presented to the user, we might want to escape these @ later, before we run the two AwesomeSpawn.run commands below. But for now, I think this is the surgical way to fix this.
Does this need to go back to Petrosian?

Yes, I think so. I guess we need a new release so we can require it in petrosian.

Can you possibly add this to the guides/external_auth documentation? It's very useful.
Double escape @ in realm to avoid shell interpretation (cherry picked from commit c37f7bb)
Fix incomplete fix in ManageIQ#211.

We have two concepts that were being shared.

* kerberos principal name
* service principal name

getcert requires the kerberos principal name with the kerberos realm included:

getcert request -K SERVICE/host@REALM

ipa service-find and service-add use the service principal name, which doesn't include the kerberos realm as that's assumed based on configuration and cannot be changed without changing the configuration:

ipa service-find --principal SERVICE/host

This commit clarifies these differences and uses the correct mechanism for service-add, service-find, and getcert.
Fix incomplete fix in ManageIQ#211.

We have two concepts that were being shared.

* kerberos principal name
* service principal name

getcert requires the kerberos principal name with the kerberos realm included:

getcert request -K SERVICE/host@REALM

See https://github.com/ManageIQ/manageiq-appliance_console/blob/9ce14c3087930322bbeac0e2f5a9723d92eea71a/lib/manageiq/appliance_console/certificate.rb#L143-L149 for usage.

ipa service-find and service-add use the service principal name, which doesn't include the kerberos realm as that's assumed based on configuration and cannot be changed without changing the configuration:

ipa service-find --principal SERVICE/host

This commit clarifies these differences and uses the correct mechanism for service-add, service-find, and getcert.
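The two principal forms described in the commit message above, together with the `@` escaping the PR description quotes from the Red Hat guide, as an added example that is not the appliance_console project's own code. The service, host and realm values are constructed; the class name and method names are hypothetical.

```ruby
require "shellwords"

# Added example, not the project's code: keep the realm-bearing Kerberos
# principal and the realm-less IPA service principal apart, and show what the
# ipa process actually receives once the shell has processed an escaped `@`.
class IpaPrincipal
  attr_reader :service, :hostname, :realm

  def initialize(service:, hostname:, realm:)
    @service  = service
    @hostname = hostname
    @realm    = realm.upcase # Kerberos realms are conventionally upper case
  end

  # `ipa service-find` / `service-add` form: no realm, the server assumes its own.
  def service_principal
    "#{service}/#{hostname}"
  end

  # `getcert request -K` form: realm included.
  def kerberos_principal
    "#{service_principal}@#{realm}"
  end

  # Alias form for the ipa CLI: one literal backslash before `@`, added only at
  # the command boundary so the stored names stay clean for display and logging.
  def alias_principal
    kerberos_principal.sub("@", "\\@")
  end

  def getcert_request_cmd(ca: "ipa")
    ["getcert", "request", "-c", ca, "-K", kerberos_principal].shelljoin
  end

  def ipa_service_find_cmd
    ["ipa", "service-find", "--principal", service_principal].shelljoin
  end

  # Shell-quoted alias: Shellwords doubles the backslash (`\\@`), which is the
  # form the Red Hat guide tells an interactive user to type.
  def alias_shell_word
    Shellwords.escape(alias_principal)
  end
end

# Model POSIX word splitting to see the argv value a command receives:
# a bare `\@` typed at a shell loses its backslash, the `\\@` form keeps one.
def argv_value(shell_word)
  Shellwords.split(shell_word).first
end
```

Feeding a plain `HTTP/host\@REALM` through `argv_value` shows the backslash vanish, which is why a single backslash at the shell prompt still produces the "realm does not match" error.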
Fixed
- Fix sporadic test failure [#204]
- Remove MIQ specific gem source [#209]
- Double escape @ in realm to avoid shell interpretation [#211]
- Move gem name loader to proper namespaced location [#208]
- Separate kerberos from service principal name and use correctly [#215]
- Add manageiq user to allowed_uids for sssd [#220]
- Remove warning about using pg_dump [#221]
- Fix specs where AwesomeSpawn private interface changed [#224]
- Change the Name of the CA from something to ApplianceCA [#228]
- Fix YAML.load_file failing on aliases [#234]

Added
- Make backward compatible changes to work with repmgr13 - version 5.2.1 [#192]
- Support Ruby 3.0 [#206]
- Support Ruby 3.1 [#227]
- Allow rails 7 gems in gemspec [#226]

Changed
- Update to Highline 2.1.0 [#201]
- Clean up test output (highline and stdout messages) [#210]

Removed
- Drop Ruby 2.7 [#223]