From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <pve-devel-bounces@lists.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
	by lore.proxmox.com (Postfix) with ESMTPS id 36F6F1FF29F
	for <inbox@lore.proxmox.com>; Thu, 18 Jul 2024 08:31:17 +0200 (CEST)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
	by firstgate.proxmox.com (Proxmox) with ESMTP id 61634587C;
	Thu, 18 Jul 2024 08:31:45 +0200 (CEST)
Date: Tue, 16 Jul 2024 15:48:51 +0200
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>,
 Christoph Heiss <c.heiss@proxmox.com>
References: <20240715075700.283532-1-c.heiss@proxmox.com>
In-Reply-To: <20240715075700.283532-1-c.heiss@proxmox.com>
X-Mailman-Approved-At: Thu, 18 Jul 2024 08:31:43 +0200
MIME-Version: 1.0
Message-ID: <mailman.559.1721284303.331.pve-devel@lists.proxmox.com>
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Post: <mailto:pve-devel@lists.proxmox.com>
From: Theodor Fumics via pve-devel <pve-devel@lists.proxmox.com>
Precedence: list
Cc: Theodor Fumics <theodor.fumics@gmx.net>
X-Mailman-Version: 2.1.29
X-BeenThere: pve-devel@lists.proxmox.com
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=subscribe>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/>
Reply-To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
Subject: Re: [pve-devel] [PATCH installer v2 0/6] auto-installer: add option
 for providing hashed root password
Content-Type: multipart/mixed; boundary="===============5125238795153882537=="
Errors-To: pve-devel-bounces@lists.proxmox.com
Sender: "pve-devel" <pve-devel-bounces@lists.proxmox.com>

--===============5125238795153882537==
Content-Type: message/rfc822
Content-Disposition: inline

Return-Path: <theodor.fumics@gmx.net>
X-Original-To: pve-devel@lists.proxmox.com
Delivered-To: pve-devel@lists.proxmox.com
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits))
	(No client certificate requested)
	by lists.proxmox.com (Postfix) with ESMTPS id A7CB4C0CE1
	for <pve-devel@lists.proxmox.com>; Tue, 16 Jul 2024 15:54:52 +0200 (CEST)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
	by firstgate.proxmox.com (Proxmox) with ESMTP id 7CB5D1CCAB
	for <pve-devel@lists.proxmox.com>; Tue, 16 Jul 2024 15:54:22 +0200 (CEST)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.19])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (prime256v1) server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by firstgate.proxmox.com (Proxmox) with ESMTPS
	for <pve-devel@lists.proxmox.com>; Tue, 16 Jul 2024 15:54:20 +0200 (CEST)
X-UI-Sender-Class: 724b4f7f-cbec-4199-ad4e-598c01a50d3a
Received: from [192.168.16.89] ([94.136.29.99]) by mail.gmx.net (mrgmx005
 [212.227.17.190]) with ESMTPSA (Nemesis) id 1Mr9Fs-1rxMHd23yo-00kj1V; Tue, 16
 Jul 2024 15:48:51 +0200
Message-ID: <d34b72ff-9e55-4ca4-8a05-36aaaf07b692@gmx.net>
Date: Tue, 16 Jul 2024 15:48:51 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: [pve-devel] [PATCH installer v2 0/6] auto-installer: add option
 for providing hashed root password
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>,
 Christoph Heiss <c.heiss@proxmox.com>
References: <20240715075700.283532-1-c.heiss@proxmox.com>
Content-Language: en-US
From: Theodor Fumics <theodor.fumics@gmx.net>
In-Reply-To: <20240715075700.283532-1-c.heiss@proxmox.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: quoted-printable
X-Spam-Flag: NO
X-SPAM-LEVEL: Spam detection results:  0
	BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
	DKIM_SIGNED               0.1 Message has a DKIM or DK signature, not necessarily valid
	DKIM_VALID               -0.1 Message has at least one valid DKIM or DK signature
	DKIM_VALID_AU            -0.1 Message has a valid DKIM or DK signature from author's domain
	DKIM_VALID_EF            -0.1 Message has a valid DKIM or DK signature from envelope-from domain
	DMARC_PASS               -0.1 DMARC pass policy
	FREEMAIL_FROM           0.001 Sender email is commonly abused enduser mail provider
	RCVD_IN_DNSWL_LOW        -0.7 Sender listed at https://www.dnswl.org/, low trust
	SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
	SPF_PASS               -0.001 SPF: sender matches SPF record
	URIBL_BLOCKED           0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked.  See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [setup.rs,config.pm,main.rs,utils.rs,install.pm,options.rs,answer.rs,proxmox.com]
X-Mailman-Approved-At: Thu, 18 Jul 2024 08:31:43 +0200

I have set up the new functionality according to the instructions from
[1] and [2], and tested various hashed and non-hashed passwords. The
only potential improvement would be to check if the provided hash is
valid because passing an invalid hash makes it rather impossible to
log in after the installation. While it's not possible to fully verify
the validity of a hash, you could verify if it has the correct length
and only consists of hexadecimal characters (0-9, A-F).

Other than that it works great.


[1] https://wiki.intra.proxmox.com/index.php/Testing_Installer_Changes

[2] https://pve.proxmox.com/wiki/Automated_Installation

On 7/15/24 09:56, Christoph Heiss wrote:
> This series adds a new answer option `global.root_password_hashed`
> for the auto-installer, enabling administrators to specify the root
> password of the new installation in a hashed format - as generated by
> e.g. mkpasswd(1) - instead of plain-text.
>
> Administrators/users might want to avoid passing along a plain-text
> password with the different answer-fetching methods supported by the
> auto-installer, for obvious reasons.
>
> While this of course does not provide full security, sending a hashed
> password might still be preferred by administrators over plain text.
>
> Tested by installing using the GUI and TUI (to ensure no regressions
> can happen) and using the auto-installer, once with `root_password` set
> (again testing for potential regressions) and once with
> `global.root_password_hashed` set instead, testing the new
> functionality.
>
> First two patches are small cleanups and may be applied independently.
>
> v1: https://lists.proxmox.com/pipermail/pve-devel/2024-May/063949.html
>
> Notable changes v1 -> v2:
>    * rebased on latest master
>    * fixed rebase mistake
>    * merged previous patch #4/#5 for consistency across crates
>    * improved validation in auto-installer
>
> Christoph Heiss (6):
>    common: move `PasswordOptions` type to tui crate
>    tui-installer: remove `Debug` implementation for password options
>    low-level: change root password option to contain either plaintext or
>      hash
>    {auto,tui}-installer: adapt to new `root_password` plain/hashed setup
>      option
>    auto-installer: add new `global.root_password_hashed` answer option
>    auto-installer: add test for hashed root password option
>
>   Proxmox/Install.pm                            | 25 ++++++++++++++++---
>   Proxmox/Install/Config.pm                     | 20 ++++++++++++---
>   proxinstall                                   |  4 +--
>   proxmox-auto-installer/src/answer.rs          |  3 ++-
>   proxmox-auto-installer/src/utils.rs           | 21 ++++++++++++++--
>   .../resources/parse_answer/disk_match.json    |  2 +-
>   .../parse_answer/disk_match_all.json          |  2 +-
>   .../parse_answer/disk_match_any.json          |  2 +-
>   .../parse_answer/hashed_root_password.json    | 20 +++++++++++++++
>   .../parse_answer/hashed_root_password.toml    | 14 +++++++++++
>   .../tests/resources/parse_answer/minimal.json |  2 +-
>   .../resources/parse_answer/nic_matching.json  |  2 +-
>   .../resources/parse_answer/specific_nic.json  |  2 +-
>   .../tests/resources/parse_answer/zfs.json     |  2 +-
>   proxmox-installer-common/src/options.rs       | 15 -----------
>   proxmox-installer-common/src/setup.rs         | 12 +++++++--
>   proxmox-tui-installer/src/main.rs             |  4 +--
>   proxmox-tui-installer/src/options.rs          | 20 ++++++++++++---
>   proxmox-tui-installer/src/setup.rs            | 10 ++++++--
>   19 files changed, 140 insertions(+), 42 deletions(-)
>   create mode 100644 proxmox-auto-installer/tests/resources/parse_answer/hashed_root_password.json
>   create mode 100644 proxmox-auto-installer/tests/resources/parse_answer/hashed_root_password.toml
>
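
A structural check of the kind suggested in the reply above, as an added example (not code from the patch series or from the Proxmox installer). It assumes the value is a crypt(3) string as produced by mkpasswd(1) and, as a simplification, covers only sha256crypt (`$5$`) and sha512crypt (`$6$`); the names `check_crypt_hash` and `is_crypt_b64` are hypothetical.

```rust
// Added example, not code from the patch series. Structural check only:
// it cannot tell whether the string matches any password.

/// crypt(3) encodes salt and digest with the alphabet ./0-9A-Za-z.
fn is_crypt_b64(s: &str) -> bool {
    s.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'.' || b == b'/')
}

/// Returns the scheme name for a well-formed sha256crypt/sha512crypt string.
pub fn check_crypt_hash(hash: &str) -> Result<&'static str, String> {
    let mut fields = hash.split('$');
    if fields.next() != Some("") {
        return Err("hash must start with '$'".into());
    }
    let (name, digest_len) = match fields.next() {
        Some("5") => ("sha256crypt", 43),
        Some("6") => ("sha512crypt", 86),
        Some(id) => return Err(format!("unsupported scheme id '{id}'")),
        None => return Err("missing scheme id".into()),
    };
    let mut salt = fields.next().ok_or("missing salt")?;
    // Optional "rounds=N" field sits between the scheme id and the salt.
    if let Some(n) = salt.strip_prefix("rounds=") {
        match n.parse::<u32>() {
            Ok(r) if (1000..=999_999_999).contains(&r) => {}
            _ => return Err(format!("invalid rounds value '{n}'")),
        }
        salt = fields.next().ok_or("missing salt")?;
    }
    if salt.len() > 16 || !is_crypt_b64(salt) {
        return Err("salt must be at most 16 crypt-base64 characters".into());
    }
    let digest = fields.next().ok_or("missing digest")?;
    if digest.len() != digest_len || !is_crypt_b64(digest) {
        return Err(format!("{name} digest must be {digest_len} crypt-base64 characters"));
    }
    if fields.next().is_some() {
        return Err("unexpected trailing field".into());
    }
    Ok(name)
}

fn main() {
    // Constructed samples: a well-formed layout and a string without '$' fields.
    let ok = format!("$6$rounds=5000$examplesalt${}", "A".repeat(86));
    for s in [ok.as_str(), "0123456789abcdef"] {
        println!("{:?}", check_crypt_hash(s));
    }
}
```

Schemes other than `$5$` and `$6$` are reported as unsupported by this sketch rather than as invalid, so a caller can decide whether to reject them or pass them through unchecked.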


--===============5125238795153882537==--