Bug#927306: stretch-pu: package gosa/2.7.4+reloaded3-7~deb9u2


Bug#927306: stretch-pu: package gosa/2.7.4+reloaded3-7~deb9u2

Mike Gabriel-4
Package: release.debian.org
Severity: normal
Tags: stretch
User: [hidden email]
Usertags: pu

Dear stable release team,

This version of GOsa² drops obsoleted dependency on php-mcrypt (removed
from PHP 7.2).

The php-mcrypt functionality has been replaced by code that utilizes
the openssl support in PHP.

For new installations of GOsa², there is nothing to do.

People upgrading from a previous GOsa² version, please follow these
steps:

    * check if /etc/gosa/gosa.conf contains hashed values for passwords
    * if so, run the script (exactly once!): gosa-mcrypt-to-openssl-passwords

People using GOsa² on Debian stretch who plan to upgrade to GOsa² from
Debian buster, must make sure that they do the above explained
crypto-transition while still on Debian stretch (which ships php7.0 that
still has php-mcrypt). (See #925138).

The crypto-transition won't be technically possible on Debian buster
due to missing php-mcrypt.

Other than the crypto-transition, this version of GOsa drops support
for gosa-plugin-fai, gosa-plugin-opsi and gosa-plugin-heimdal (not maintained
upstream anymore, not functional anymore).

Instead of extracting the crypto-transition changes from buster's GOsa²
version, the preferred approach of handling this is getting all benefits
of buster's GOsa into Debian stretch (which basically matches GOsa² in
stretch-backports). Note, that the GOsa² from stretch-backports has been
well tested over months on production servers running Debian Edu at
schools in Schleswig-Holstein, Germany.

light+love
Mike

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-2-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Bug#927306: Alternative approach for password re-setup

Mike Gabriel-4
Holger and I discussed an alternative approach for the crypto  
transition in Debian buster, if gosa in stretch does not get updated  
to this s-pu's version:

```
14:42 < h01ger> sunweaver: i fear your approach wont work / be enough.  
upgrades from stretch should^wmust work, even if not the latest point  
release was installed
14:51 < h01ger> and that debdiff mail didnt make it to the list  
because 1.5mb is above the filesizelimit for the list

18:59 < sunweaver> h01ger: unfortunately, I don't have an OTOH  
solution for crypto-transition directly in buster.
18:59 < sunweaver> It is not a packaging issue really, but a  
configuration adaptation issue.
18:59 < sunweaver> normally, the user has to interact with $editor and  
/etc/ for other packages, too.
19:00 < sunweaver> so, the crypto-transition is a courtesy provided by  
the package maintainer.

19:00 < h01ger> ic

19:01 < sunweaver> the other option is: reset passwords for gosa-admin  
DN and re-setup GOsa² starting with plaintext passwords in  
/etc/gosa/gosa.conf and then rehashing the plain text password with  
the gosa-encrypt-passwords script.
19:01 < sunweaver> maybe that should have been added to the NEWS file  
and the bug report.

19:02 < h01ger> resetting the passwd for gosa-admin seems not too bad indeed

19:02 < sunweaver> h01ger: is it supposed to be that way, that after a  
dist-upgrade to buster the TJENER is still stuck with the stretch  
debian-edu artwork theme?
19:03 < sunweaver> h01ger: it is possible, but much more difficult for  
the untrained LDAP non-adept.
19:03 < sunweaver> I will send this extra info to the s-pu bug...
```

Greets,
Mike
--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: [hidden email], http://das-netzwerkteam.de



Bug#927306: Alternative approach for password re-setup

Dominik George-7
Hi,

with the attached patch, the conversion works on buster.

The script uses php-mcrypt for no reason - the first use always returns
a constant 16, the second returns random bytes.

With the applied patch, the script works without php-mcrypt.

-nik

Attachment: gosa-mcrypt-to-openssl-passwords-without-mcrypt.patch (543 bytes)

Bug#927306: Alternative approach for password re-setup

Wolfgang Schweer-3
In reply to this post by Mike Gabriel-4
On Thu, Apr 18, 2019 at 05:06:15PM +0000, Mike Gabriel wrote:
> 18:59 < sunweaver> h01ger: unfortunately, I don't have an OTOH solution for
> crypto-transition directly in buster.
> 18:59 < sunweaver> It is not a packaging issue really, but a configuration
> adaptation issue.
> 18:59 < sunweaver> normally, the user has to interact with $editor and /etc/
> for other packages, too.

Please note: everything needed if upgrading gosa from Stretch to Buster
at any time is described in the Debian Edu Buster manual:
https://wiki.debian.org/DebianEdu/Documentation/Buster/Upgrades#Upgrading_the_main_server

At least in the Debian Edu case, the (random) cleartext password is
contained in /etc/gosa/gosa.conf.orig

Please don't overwrite this file!
The gosa-mcrypt-to-openssl-passwords script seems to do exactly this.

Use /etc/gosa/gosa.conf.mcrypt or some such.
 
Wolfgang


Bug#927306: Alternative approach for password re-setup

Dominik George-7
In reply to this post by Dominik George-7
> with the attached patch, the conversion works on buster.
>
> The script uses php-mcrypt for no reason - the first use always returns
> a constant 16, the second returns random bytes.
>
> With the applied patch, the script works without php-mcrypt.

While focusing on what the two mcrypt library calls did, something felt
weird, but I didn't know what. I somehow did not trust that what I did
was right, because how this decryption should work was not entirely
clear to me, despite having basic understanding of how it works.

Now I know why: A random IV does not make any sense at all in
decryption, and in ECB mode, there is no such thing as an IV at all.

Thus, I updated the patch to remove that useless code altogether.

-nik

Attachment: gosa-mcrypt-to-openssl-passwords-remove-mcrypt.patch (662 bytes)
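Dominik's point that an IV plays no role in ECB decryption, shown as an added Go example that is neither part of this thread nor GOsa's own code: it assumes AES-128 in ECB mode (a 16-byte block, matching the constant 16 mentioned above) with a constructed key and plaintext, and the `EcbDecrypt` and `IVIsIrrelevant` names are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"errors"
	"fmt"
)
// ecbApply runs one raw AES block operation over every 16-byte block of in.
// ECB has no chaining, so block i depends only on the key and block i.
func ecbApply(key, in []byte, decrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16/24/32 bytes
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(in)%bs != 0 {
		return nil, errors.New("input is not a whole number of blocks")
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += bs {
		if decrypt {
			block.Decrypt(out[i:i+bs], in[i:i+bs])
		} else {
			block.Encrypt(out[i:i+bs], in[i:i+bs])
		}
	}
	return out, nil
}

// EcbDecrypt (hypothetical name) takes an iv only to mirror the mcrypt-style
// call the script made; the value is never read, which is the whole point.
func EcbDecrypt(key, iv, ct []byte) ([]byte, error) { return ecbApply(key, ct, true) }
// IVIsIrrelevant decrypts one ECB ciphertext under two different IVs and
// reports whether both results equal the original plaintext.
func IVIsIrrelevant(key, pt []byte) (bool, error) {
	ct, err := ecbApply(key, pt, false)
	if err != nil {
		return false, err
	}
	a, _ := EcbDecrypt(key, bytes.Repeat([]byte{0x00}, 16), ct)
	b, _ := EcbDecrypt(key, bytes.Repeat([]byte{0xff}, 16), ct)
	return bytes.Equal(a, pt) && bytes.Equal(b, pt), nil
}

func main() {
	key := []byte("0123456789abcdef")                 // constructed AES-128 key
	pt := []byte("gosa admin secret, constructed!!") // constructed, two blocks
	fmt.Println(IVIsIrrelevant(key, pt))
}
```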

Bug#927306: Alternative approach for password re-setup

Mike Gabriel-4
Hi Nik,

On  Do 18 Apr 2019 21:49:58 CEST, Dominik George wrote:

>> with the attached patch, the conversion works on buster.
>>
>> The script uses php-mcrypt for no reason - the first use always returns
>> a constant 16, the second returns random bytes.
>>
>> With the applied patch, the script works without php-mcrypt.
>
> While focusing on what the two mcrypt library calls did, something felt
> weird, but I didn't know what. I somehow did not trust that what I did
> was right, because how this decryption should work was not entirely
> clear to me, despite having basic understanding of how it works.
>
> Now I know why: A random IV does not make any sense at all in
> decryption, and in ECB mode, there is no such thing as an IV at all.
>
> Thus, I updated the patch to remove that useless code altogether.
>
> -nik
This is a well tested patch that I can upload tonight (to unstable)?  
Or is more testing time needed? If the patch really fixes the  
transition, then we don't need the gosa s-pu. Do all agree?

Mike

Bug#927306: Alternative approach for password re-setup

Dominik George-7
Hi,

> This is a well tested patch that I can upload tonight (to unstable)? Or is
> more testing time needed? If the patch really fixes the transition, then we
> don't need the gosa s-pu. Do all agree?

I tested:

 a) on stretch, that the script works, and produces expected results with a known password
 b) on buster, that the script works without mcrypt

a) was mcrypt-based and upgraded from jessie some time ago, b) was installed as buster.

I did not test the full upgrade path from stretch to buster, but I
consider the changed part, namely the cred_decrypt function,
well-tested.

-nik


Bug#927306: Alternative approach for password re-setup

Mike Gabriel-4
Control: close -1

Dear release team,

On  Fr 19 Apr 2019 00:10:01 CEST, Dominik George wrote:

> Hi,
>
>> This is a well tested patch that I can upload tonight (to unstable)? Or is
>> more testing time needed? If the patch really fixes the transition, then we
>> don't need the gosa s-pu. Do all agree?
>
> I tested:
>
>  a) on stretch, that the script works, and produces expected results  
> with a known password
>  b) on buster, that the script works without mcrypt
>
> a) was mcrypt-based and upgraded from jessie some time ago, b) was  
> installed as buster.
>
> I did not test the full upgrade path from stretch to buster, but I
> consider the changed part, namely the cred_decrypt function,
> well-tested.
>
> -nik
I tested the crypto transition with Dominik's patch on a buster  
system. It works there, so no s-pu is required for gosa at the time  
being.

So closing this s-pu bug report.

Greets,
Mike