[Bug 1754365] [NEW] [FFe]: Enable sssd-secrets service
Andreas Hasenack
andreas at canonical.com
Thu Mar 8 15:22:11 UTC 2018
Public bug reported:
Please enable the sssd-secrets service. This needs the MIR for http-parser (#1638957) to pass.
[Rationale]
From the MIR bug (#1638957):
The Debian sssd package has the secrets service enabled, and disabling it in the Ubuntu package is part of the delta we carry.
The secrets service can be used as a generic key/value database for
secrets, and one of its consumers is a kerberos KDC via KCM (Kerberos
Cache Manager), implemented by sssd-kcm. sssd-kcm gives users the option
to store credentials in a cache that persists across reboots, unlike the
kernel keyring or /tmp (when that is a tmpfs), where they are lost on reboot.
sssd-secrets can also store its secrets in a remote Custodia server
[https://github.com/simo5/custodia] (Custodia is in Universe).
sssd-secrets is Unix-socket activated and is not started until something
connects to that socket.
[Testing]
This is the testing that was done. Only the local store was tested, not the Custodia remote server case.
During testing, I found a related bug and filed a bug in Debian about it,
with a related MP on Salsa (https://bugs.debian.org/892315).
Quick simple test
=================
sudo add-apt-repository -y -u ppa:ahasenack/sssd-secrets-1638957
sudo apt install sssd
# Store a secret
$ curl -H "Content-Type: application/json" --unix-socket /var/run/secrets.socket -XPUT http://localhost/secrets/foo -d'{"type":"simple","value":"foosecret"}';echo
<html>
<head>
<title>200 OK</title></head>
<body>
<h1>OK</h1>
<p>Success</p>
</body>
# retrieve the secret
$ curl -H "Content-Type: application/json" --unix-socket /var/run/secrets.socket -XGET http://localhost/secrets/foo;echo
{
"type": "simple",
"value": "foosecret"
}
# retrieving the same secret as a different user (root, via sudo) fails because secrets are per user
$ sudo curl -H "Content-Type: application/json" --unix-socket /var/run/secrets.socket -XGET http://localhost/secrets/foo;echo
<html>
<head>
<title>404 Not Found</title></head>
<body>
<h1>Not Found</h1>
<p>The requested resource was not found.</p>
</body>
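The quick test above, scripted: an added Python client for the sssd-secrets Unix-socket API (example code written for this page, not part of sssd or the bug report). It assumes the service speaks plain HTTP/1.1 and closes the connection after answering a request that carries Connection: close; the socket path and the JSON body shape are the ones the curl calls use. The transport argument exists so the request building and response handling can be exercised without the service running.

```python
import json
import socket

SECRETS_SOCKET = "/var/run/secrets.socket"  # path used by the curl calls above

def build_request(method, name, body=None):
    """Serialise one HTTP/1.1 request for /secrets/<name> as raw bytes,
    with the same Content-Type header the curl calls send."""
    payload = b"" if body is None else json.dumps(body).encode()
    head = "\r\n".join([
        f"{method} /secrets/{name} HTTP/1.1",
        "Host: localhost",
        "Content-Type: application/json",
        f"Content-Length: {len(payload)}",
        "Connection: close",  # assumption: the server closes after replying
    ])
    return head.encode() + b"\r\n\r\n" + payload

def parse_response(raw):
    """Return (status_code, body_bytes) from a raw HTTP/1.1 response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    return int(head.split(b" ", 2)[1]), body

def unix_socket_transport(raw, path=SECRETS_SOCKET):
    """Send raw bytes to the service socket and read until it closes."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(path)
        sock.sendall(raw)
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return b"".join(chunks)

def put_secret(name, value, transport=unix_socket_transport):
    """Store a 'simple' secret; True when the service answers 200 OK."""
    raw = transport(build_request("PUT", name, {"type": "simple", "value": value}))
    return parse_response(raw)[0] == 200

def get_secret(name, transport=unix_socket_transport):
    """Return the stored value, or None on 404.  A 404 is also what a
    different user (e.g. root via sudo) gets: secrets are per user."""
    status, body = parse_response(transport(build_request("GET", name)))
    if status == 404:
        return None
    if status != 200:
        raise RuntimeError(f"unexpected HTTP status {status}")
    return json.loads(body)["value"]
```

Against a live system, `put_secret("foo", "foosecret")` followed by `get_secret("foo")` reproduces the curl exchange above, and running the get as another user returns None.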
Extended test
=============
This extended version of the verification tests the integration between three components: the secrets service itself, the MIT Kerberos client libraries, and the sssd-kcm service (Kerberos Cache Manager).
sudo add-apt-repository -y -u ppa:ahasenack/sssd-secrets-1638957
sudo apt install sssd sssd-kcm
# when prompted, use EXAMPLE.COM for the Kerberos realm and localhost for both the admin and KDC servers
sudo apt install krb5-user krb5-kdc krb5-admin-server
# the KDC will fail to start because there is no realm yet; that's ok, we create it now. Use whatever password you want
sudo krb5_newrealm
# create a kerberos principal. This uses "secret" as a password
sudo kadmin.local -q "addprinc -pw secret ubuntu"
# edit /etc/krb5.conf and tell the library to use KCM by default
[libdefaults]
default_ccache_name = KCM: # <-- add this line
# create /etc/sssd/sssd.conf with these contents:
[sssd]
config_file_version = 2
services = pam
domains = example.com
[pam]
[domain/example.com]
id_provider = proxy
proxy_lib_name = files
auth_provider = krb5
krb5_server = localhost
krb5_realm = EXAMPLE.COM
# adjust permissions
sudo chmod 0600 /etc/sssd/sssd.conf
sudo chown root:root /etc/sssd/sssd.conf
# (re)start sssd
sudo systemctl restart sssd
# test getting a ticket for "ubuntu". Notice how the cache is using "KCM":
ubuntu@bionic-sssd-http-parser:~$ kinit
Password for ubuntu@EXAMPLE.COM:
ubuntu@bionic-sssd-http-parser:~$ klist
Ticket cache: KCM:1000
Default principal: ubuntu@EXAMPLE.COM
Valid starting       Expires              Service principal
03/08/18 13:09:12  03/08/18 23:09:12  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 03/09/18 13:09:10
# install ldb-tools
sudo apt install ldb-tools
# perform a search on the secrets database to see the entry created by kcm
$ sudo ldbsearch -H /var/lib/sss/secrets/secrets.ldb cn
# record 1
dn: cn=3615a3ca-b857-4ee6-ae70-3a82485276b3-1000,cn=ccache,cn=1000,cn=persistent,cn=kcm
# record 2
dn: cn=ccache,cn=1000,cn=persistent,cn=kcm
# returned 2 records
# 2 entries
# 0 referrals
# destroy the kerberos ticket and confirm it's gone from the secrets database
ubuntu@bionic-sssd-http-parser:~$ kdestroy
ubuntu@bionic-sssd-http-parser:~$ sudo ldbsearch -H /var/lib/sss/secrets/secrets.ldb cn
# returned 0 records
# 0 entries
# 0 referrals
** Affects: sssd (Ubuntu)
Importance: Undecided
Assignee: Andreas Hasenack (ahasenack)
Status: In Progress
** Merge proposal linked:
https://code.launchpad.net/~ahasenack/ubuntu/+source/sssd/+git/sssd/+merge/341122
--
https://bugs.launchpad.net/bugs/1754365
Title:
[FFe]: Enable sssd-secrets service