[FFe]: Enable sssd-secrets service

Bug #1754365 reported by Andreas Hasenack
Affects: sssd (Ubuntu). Status: Fix Released. Importance: Undecided. Assigned to: Andreas Hasenack.

Bug Description

Please enable the sssd-secrets service. This needs the MIR for http-parser (#1638957) to pass.

[Rationale]
From the MIR bug (#1638957):
The Debian sssd package has the secrets service enabled, and disabling it in the Ubuntu package is part of the delta we carry.

The secrets service can be used as a generic key/value database for secrets, and one of its consumers is a Kerberos KDC via KCM (Kerberos Cache Manager), implemented by sssd-kcm. sssd-kcm gives users the option to store credentials in a cache that persists across reboots, as opposed to storing them in the kernel keyring or in /tmp when that is a tmpfs.

sssd-secrets can also use a remote Custodia [https://github.com/simo5/custodia] (in Universe) server to store its secrets there.

sssd-secrets is Unix-socket activated and won't be running until there is a connection to that socket.

[Testing]
This is the testing that was done. Only the local store was tested, not the Custodia remote server case.

During testing, I found a related bug and filed a bug in debian about it with a related MP in salsa (https://bugs.debian.org/892315).

Quick simple test
=================
sudo add-apt-repository -y -u ppa:ahasenack/sssd-secrets-1638957
sudo apt install sssd

# Store a secret
$ curl -H "Content-Type: application/json" --unix-socket /var/run/secrets.socket -XPUT http://localhost/secrets/foo -d'{"type":"simple","value":"foosecret"}';echo
<html>
<head>
<title>200 OK</title></head>
<body>
<h1>OK</h1>
<p>Success</p>
</body>

# retrieve the secret
$ curl -H "Content-Type: application/json" --unix-socket /var/run/secrets.socket -XGET http://localhost/secrets/foo;echo
{
    "type": "simple",
    "value": "foosecret"
}

# retrieving the same secret as a different user (here root, via sudo) fails because secrets are per user
$ sudo curl -H "Content-Type: application/json" --unix-socket /var/run/secrets.socket -XGET http://localhost/secrets/foo;echo
<html>
<head>
<title>404 Not Found</title></head>
<body>
<h1>Not Found</h1>
<p>The requested resource was not found.</p>
</body>
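
As an added illustration of the per-user behaviour shown by the three curl calls above (this is not code from the bug report or from the sssd project), the following Python script performs the same PUT and GET over a Unix socket and includes a constructed in-process mock of the service so it runs offline. The mock keys secrets by the peer UID obtained with SO_PEERCRED; that is only an assumption about how the real service separates users, and the socket path, handler class and STORE dictionary are made up for the demo.

```python
"""Store and fetch secrets over a Unix socket, as the curl commands above do.

Added example, not code from the bug report or the sssd project. Assumed:
- the API shape the curl calls exercise: PUT/GET /secrets/<name> with a
  JSON body {"type": "simple", "value": ...};
- the service separates secrets by the connecting peer's UID.
The mock server below is constructed for the demo so it runs offline.
"""
import http.client
import json
import os
import socket
import socketserver
import struct
import tempfile
import threading
from http.server import BaseHTTPRequestHandler


class UnixHTTPConnection(http.client.HTTPConnection):
    """HTTP over an AF_UNIX socket, the equivalent of curl --unix-socket."""

    def __init__(self, path):
        super().__init__("localhost")
        self.unix_path = path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.unix_path)


def secret_put(sock_path, name, value):
    """PUT /secrets/<name>; returns the HTTP status (200 on success)."""
    conn = UnixHTTPConnection(sock_path)
    body = json.dumps({"type": "simple", "value": value})
    conn.request("PUT", "/secrets/" + name, body=body,
                 headers={"Content-Type": "application/json"})
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status


def secret_get(sock_path, name):
    """GET /secrets/<name>; returns the value, or None on 404."""
    conn = UnixHTTPConnection(sock_path)
    conn.request("GET", "/secrets/" + name,
                 headers={"Content-Type": "application/json"})
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    return None if resp.status == 404 else json.loads(data)["value"]


# --- constructed mock of the service (not sssd-secrets itself) -------------
STORE = {}  # (uid, name) -> value: the per-user namespace the check relies on


def peer_uid(sock):
    """UID of the process on the other end of a Unix socket (Linux SO_PEERCRED)."""
    opt = getattr(socket, "SO_PEERCRED", None)
    if opt is None:            # non-Linux fallback so the demo still runs
        return os.getuid()
    raw = sock.getsockopt(socket.SOL_SOCKET, opt, struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", raw)
    return uid


class MockSecretsHandler(BaseHTTPRequestHandler):
    def _key(self):
        return (peer_uid(self.connection), self.path[len("/secrets/"):])

    def do_PUT(self):
        length = int(self.headers.get("Content-Length", 0))
        STORE[self._key()] = json.loads(self.rfile.read(length))["value"]
        self.send_response(200)
        self.end_headers()

    def do_GET(self):
        value = STORE.get(self._key())
        if value is None:      # another user's secret looks like it does not exist
            self.send_response(404)
            self.end_headers()
            return
        body = json.dumps({"type": "simple", "value": value}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass


def start_mock_server():
    path = os.path.join(tempfile.mkdtemp(), "secrets.socket")  # demo path
    server = socketserver.ThreadingUnixStreamServer(path, MockSecretsHandler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, path


def demo():
    """Returns (PUT status, our own value, a value owned by another UID)."""
    server, path = start_mock_server()
    try:
        status = secret_put(path, "foo", "foosecret")
        mine = secret_get(path, "foo")
        STORE[(os.getuid() + 1, "bar")] = "not-ours"  # constructed: other UID's entry
        theirs = secret_get(path, "bar")              # 404 -> None, as with sudo curl
        return status, mine, theirs
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
```

Point `secret_put`/`secret_get` at /var/run/secrets.socket instead of the mock path to repeat the check against a real installation; the mock is only there so the flow (store, read back, read as another UID and get 404) can be exercised without the package.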

Extended test
=============
This is an extended version of the verification; it tests the integration of the secrets service with three components: the secrets service itself, the MIT Kerberos client libraries, and the sssd-kcm service (Kerberos cache manager).

sudo add-apt-repository -y -u ppa:ahasenack/sssd-secrets-1638957
sudo apt install sssd sssd-kcm

# use EXAMPLE.COM for the kerberos realm, and localhost for the admin and kdc servers, when prompted
sudo apt install krb5-user krb5-kdc krb5-admin-server

# the kdc will fail to start because there is no realm yet, that's ok. We will create it now. Use whatever password you want
sudo krb5_newrealm

# create a kerberos principal. This uses "secret" as a password
sudo kadmin.local -q "addprinc -pw secret ubuntu"

# edit /etc/krb5.conf and tell the library to use KCM by default
[libdefaults]
        default_ccache_name = KCM: # <-- add this line

# create /etc/sssd/sssd.conf with these contents:
[sssd]
config_file_version = 2
services = pam
domains = example.com

[pam]

[domain/example.com]
id_provider = proxy
proxy_lib_name = files
auth_provider = krb5
krb5_server = localhost
krb5_realm = EXAMPLE.COM

# adjust permissions
sudo chmod 0600 /etc/sssd/sssd.conf
sudo chown root:root /etc/sssd/sssd.conf

# (re)start sssd
sudo systemctl restart sssd

# test getting a ticket for "ubuntu". Notice how the cache is using "KCM":
ubuntu@bionic-sssd-http-parser:~$ kinit
Password for <email address hidden>:

ubuntu@bionic-sssd-http-parser:~$ klist
Ticket cache: KCM:1000
Default principal: <email address hidden>

Valid starting Expires Service principal
03/08/18 13:09:12 03/08/18 23:09:12 <email address hidden>
 renew until 03/09/18 13:09:10

# install ldb-tools
sudo apt install ldb-tools

# perform a search on the secrets database to see the entry created by kcm
$ sudo ldbsearch -H /var/lib/sss/secrets/secrets.ldb cn
# record 1
dn: cn=3615a3ca-b857-4ee6-ae70-3a82485276b3-1000,cn=ccache,cn=1000,cn=persistent,cn=kcm

# record 2
dn: cn=ccache,cn=1000,cn=persistent,cn=kcm

# returned 2 records
# 2 entries
# 0 referrals

# destroy the kerberos ticket and confirm it's gone from the secrets database
ubuntu@bionic-sssd-http-parser:~$ kdestroy
ubuntu@bionic-sssd-http-parser:~$ sudo ldbsearch -H /var/lib/sss/secrets/secrets.ldb cn
# returned 0 records
# 0 entries
# 0 referrals

Changed in sssd (Ubuntu):
status: In Progress → New

Łukasz Zemczak (sil2100) wrote:

I see the MIR for http-parser is still not approved. If it gets the MIR team approval I would be fine with accepting the FFe.

Andreas Hasenack (ahasenack) wrote:

The MIR was approved. Uploading sssd.

Changed in sssd (Ubuntu):
status: New → In Progress
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package sssd - 1.16.0-5ubuntu2

---------------
sssd (1.16.0-5ubuntu2) bionic; urgency=medium

  * Enable the secrets service and build against http-parser (LP: #1754365).
    This drops the following Debian delta:
    - Build without the secrets service as libhttp-parser2.1 is in universe
  * d/{sssd-common.postinst,sssd-common.dirs}: create the secrets directory
    used by sssd-secrets and set its permissions in postinst.
    (Closes: #892315)

 -- Andreas Hasenack <email address hidden> Tue, 06 Mar 2018 16:23:11 +0100

Changed in sssd (Ubuntu):
status: In Progress → Fix Released