update-iso.sh is OpenSSL version dependent

Bug #2043608 reported by Kyle MacLeod
Affects: StarlingX
Status: Fix Released
Importance: Low
Assigned to: Kyle MacLeod
Milestone:

Bug Description

Brief Description

update-iso.sh uses OpenSSL to encrypt the user's password when --initial-password is used as an input parameter. OpenSSL failed to encrypt the password on Ubuntu 22.04, which has OpenSSL at version 'OpenSSL 3.0.2', with the following error:

$ openssl passwd -quiet -crypt abc
passwd: Unknown option: -crypt

Severity
Minor

Impact on Customer
This issue can impact the central controller deployment automation process if the update-iso.sh script is run off-node.

Steps to Reproduce:
Run the update-iso.sh script on a system with openssl version 3+ installed.

Actual Behavior:
The script fails because the openssl passwd -crypt option is not present.

Workaround:
Run the update-iso.sh script from the system controller (/usr/local/bin/update-iso.sh).

OpenStack Infra (hudson-openstack) wrote : Fix proposed to utilities (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/utilities/+/901088

Changed in starlingx:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to utilities (master)

Reviewed: https://review.opendev.org/c/starlingx/utilities/+/901088
Committed: https://opendev.org/starlingx/utilities/commit/5e7fd494a002cfd099c9d12f1f25eb8f5cea7293
Submitter: "Zuul (22348)"
Branch: master

commit 5e7fd494a002cfd099c9d12f1f25eb8f5cea7293
Author: Kyle MacLeod <email address hidden>
Date: Wed Nov 15 13:19:05 2023 -0500

    Update openssl passwd compatibility version 1/3

    This update fixes incompatibilities between openssl versions 1.x (in
    current system controller load) and 3.x (on more recent distributions
    including Ubuntu 22.x). The ancient '-crypt' switch is replaced with the
    '-6' encryption format, which is a secure SHA512-based algorithm.

    Both openssl 1 and 3 versions support the '-6' option.
    Since the --initial-password can also be used with --no-force-password,
    the encrypted password hashing is now hardened to modern levels.

    Test Plan

    Perform the following two tests using two systems; one running openssl
    version 1.1 and the other 3.0:
    - OpenSSL 1.1.1n 15 Mar 2022
    - OpenSSL 3.0.11 19 Sep 2023

    PASS: Update installation ISO specifying a new initial password:
    sudo ./update-iso.sh -i
    /opt/dc-vault/loads/23.09/starlingx-intel-x86-64-cd.iso -o ./updated.iso
    --initial-password 'MyPassword!23*'
    Verify that the node boots and the new initial password is applied.
    Verify that the user is forced to change the password on first boot.

    PASS: Update installation ISO specifying a new initial password:
    sudo ./update-iso.sh -i
    /opt/dc-vault/loads/23.09/starlingx-intel-x86-64-cd.iso -o ./updated.iso
    --initial-password 'MyPassword!23*' --no-force-password
    Verify that the node boots and the new initial password is applied.
    Verify that the user is not forced to change the password on first boot.

    PASS: verify that the password does not appear in plain text in logs

    Closes-Bug: 2043608

    Change-Id: Ib851d8db1a72ba4aa74573fb290d8417d016e370
    Signed-off-by: Kyle MacLeod <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
Ghada Khalil (gkhalil)
tags: added: stx.9.0 stx.tools
Changed in starlingx:
importance: Undecided → Low
assignee: nobody → Kyle MacLeod (kmacleod)
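
The move from '-crypt' to '-6' described in the commit can be enforced at the point where the hash is generated. The following is an added example, not code from update-iso.sh or the StarlingX project: the function names are hypothetical and any sample hash strings used with it are constructed. It hashes with `openssl passwd -6`, passing the password on stdin, and refuses any output that is not a `$6$` SHA512-crypt string.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not taken from update-iso.sh.

# Classify a crypt(3)-style hash string by its scheme prefix.
classify_hash() {
    case "$1" in
        '$6$'*)    echo sha512-crypt ;;
        '$5$'*)    echo sha256-crypt ;;
        '$apr1$'*) echo apr1-md5 ;;
        '$1$'*)    echo md5-crypt ;;
        *)
            # Legacy DES crypt (what '-crypt' produced): exactly 13
            # characters from the set [./0-9A-Za-z], with no prefix.
            case "$1" in
                *[!./0-9A-Za-z]*) echo unknown ;;
                *) if [ "${#1}" -eq 13 ]; then echo des-crypt; else echo unknown; fi ;;
            esac ;;
    esac
}

# Hash $1 with SHA512-crypt ('-6'), accepted by both OpenSSL 1.1.1 and 3.x.
# The password is sent to openssl on stdin (printf is a builtin in bash and
# dash), so it does not appear in any process argument list. Optional $2 is
# a fixed salt, meant only for reproducible tests; omit it for a random salt.
hash_password() {
    if [ -n "${2:-}" ]; then
        printf '%s\n' "$1" | openssl passwd -6 -salt "$2" -stdin
    else
        printf '%s\n' "$1" | openssl passwd -6 -stdin
    fi
}

# Hash the password and fail closed unless the result is SHA512-crypt, so a
# weaker scheme cannot end up in the generated image unnoticed.
hash_initial_password() {
    hashed=$(hash_password "$@") || return 1
    if [ "$(classify_hash "$hashed")" != "sha512-crypt" ]; then
        echo "refusing hash that is not SHA512-crypt" >&2
        return 1
    fi
    printf '%s\n' "$hashed"
}
```

Because `-stdin` reads one password per line, a password containing a newline would be split into several entries; reject such input before calling `hash_initial_password`.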