public inbox for pbs-devel@lists.proxmox.com
 help / color / mirror / Atom feed
From: Stefan Sterz <s.sterz@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [pbs-devel] [PATCH proxmox-backup 11/12] auth/manager: add manager command to upgrade hashes
Date: Thu, 15 Feb 2024 16:20:00 +0100	[thread overview]
Message-ID: <20240215152001.269490-12-s.sterz@proxmox.com> (raw)
In-Reply-To: <20240215152001.269490-1-s.sterz@proxmox.com>

this uses proxmox-sys' `upgrade_hash` function to upgrade all stored
hashes that don't already use the latest hash. this allows admins to
upgrade their user's password hashes even if the user's don't log in.

however, as this requires a newer version of proxmox-sys'
`verify_crypt_pw` function to work, make this a command that admin's
can optional perform instead of automatically upgrading all hashes.
admins can reset their users password to avoid issues when
downgrading pbs or similar to work around potential issues here, but
doing this automatically may cause problems.

Signed-off-by: Stefan Sterz <s.sterz@proxmox.com>
---
note that once an admin has upgraded a hash, downgrading
proxmox-backup-server will break logging in for all users with upgraded
passwords. an admin would then need to manually reset the password via
`proxmox-backup-manager user update <user> --password <pw>`.

 src/auth_helpers.rs                    | 38 +++++++++++++++++++++++++-
 src/bin/proxmox_backup_manager/user.rs | 34 ++++++++++++++++++++++-
 2 files changed, 70 insertions(+), 2 deletions(-)

diff --git a/src/auth_helpers.rs b/src/auth_helpers.rs
index 1a483d84..375ce190 100644
--- a/src/auth_helpers.rs
+++ b/src/auth_helpers.rs
@@ -1,7 +1,8 @@
+use std::collections::HashMap;
 use std::path::PathBuf;
 use std::sync::OnceLock;

-use anyhow::Error;
+use anyhow::{format_err, Error};
 use lazy_static::lazy_static;
 use openssl::pkey::{PKey, Private, Public};
 use openssl::rsa::Rsa;
@@ -16,6 +17,41 @@ use serde_json::json;
 pub use crate::auth::setup_auth_context;
 pub use proxmox_auth_api::api::assemble_csrf_prevention_token;

+pub fn upgrade_password_hashes() -> Result<(), Error> {
+    let data =
+        proxmox_sys::fs::file_get_json(crate::auth::SHADOW_CONFIG_FILENAME, Some(json!({})))?;
+    let mut new = HashMap::new();
+
+    for (username, password) in data
+        .as_object()
+        .ok_or_else(|| format_err!("shadow file has an unexpected format!"))?
+    {
+        let upgraded_password = proxmox_sys::crypt::upgrade_hash(
+            password
+                .as_str()
+                .ok_or_else(|| format_err!("user without password found!"))?,
+        )?;
+
+        new.insert(username.as_str(), upgraded_password);
+    }
+
+    let mode = nix::sys::stat::Mode::from_bits_truncate(0o0600);
+    let options = proxmox_sys::fs::CreateOptions::new()
+        .perm(mode)
+        .owner(nix::unistd::ROOT)
+        .group(nix::unistd::Gid::from_raw(0));
+
+    let new_data = serde_json::to_vec_pretty(&new)?;
+    proxmox_sys::fs::replace_file(
+        crate::auth::SHADOW_CONFIG_FILENAME,
+        &new_data,
+        options,
+        true,
+    )?;
+
+    Ok(())
+}
+
 pub fn generate_csrf_key() -> Result<(), Error> {
     let path = PathBuf::from(configdir!("/csrf.key"));

diff --git a/src/bin/proxmox_backup_manager/user.rs b/src/bin/proxmox_backup_manager/user.rs
index 743c5d16..2daf2db7 100644
--- a/src/bin/proxmox_backup_manager/user.rs
+++ b/src/bin/proxmox_backup_manager/user.rs
@@ -1,7 +1,9 @@
-use anyhow::Error;
+use anyhow::{bail, Error};
 use serde_json::Value;

 use std::collections::HashMap;
+use std::io::IsTerminal;
+use std::io::Write;

 use proxmox_router::{cli::*, ApiHandler, RpcEnvironment};
 use proxmox_schema::api;
@@ -65,6 +67,32 @@ fn list_users(param: Value, rpcenv: &mut dyn RpcEnvironment) -> Result<Value, Er
     Ok(Value::Null)
 }

+#[api]
+/// Updates the hashes of all users that don't use the current hashing method to the current
+/// hashing method. This is a stop-gap meassure to avoid keeping insecure hashes when migrating
+/// between password hash function.
+fn update_password_hashes() -> Result<(), Error> {
+    // If we're on a TTY, query the user
+    if std::io::stdin().is_terminal() {
+        println!("You are about to update all password hashes that are managed by Proxmox Backup Server!");
+        print!("Are you sure you want to continue? (y/N): ");
+        let _ = std::io::stdout().flush();
+        use std::io::{BufRead, BufReader};
+        let mut line = String::new();
+        match BufReader::new(std::io::stdin()).read_line(&mut line) {
+            Ok(_) => match line.trim() {
+                "y" | "Y" => (), // continue
+                _ => bail!("Aborting."),
+            },
+            Err(err) => bail!("Failed to read line - {err}."),
+        }
+    }
+
+    proxmox_backup::auth_helpers::upgrade_password_hashes()?;
+
+    Ok(())
+}
+
 #[api(
     input: {
         properties: {
@@ -194,6 +222,10 @@ fn list_user_tfa(param: Value, rpcenv: &mut dyn RpcEnvironment) -> Result<Value,
 pub fn user_commands() -> CommandLineInterface {
     let cmd_def = CliCommandMap::new()
         .insert("list", CliCommand::new(&API_METHOD_LIST_USERS))
+        .insert(
+            "update-hashes",
+            CliCommand::new(&API_METHOD_UPDATE_PASSWORD_HASHES),
+        )
         .insert(
             "create",
             // fixme: howto handle password parameter?
--
2.39.2





  parent reply	other threads:[~2024-02-15 15:20 UTC|newest]

Thread overview: 35+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-02-15 15:19 [pbs-devel] [PATCH proxmox{, -backup} 00/12] authentication cleanup and Stefan Sterz
2024-02-15 15:19 ` [pbs-devel] [PATCH proxmox 01/12] auth-api: move signing into the private key Stefan Sterz
2024-02-26 20:22   ` Esi Y
2024-02-27  9:12     ` Stefan Sterz
2024-02-27 18:13       ` Esi Y
2024-02-29 16:07         ` Stefan Sterz
2024-02-15 15:19 ` [pbs-devel] [PATCH proxmox 02/12] auth-api: move to Ed25519 signatures Stefan Sterz
2024-02-15 15:19 ` [pbs-devel] [PATCH proxmox 03/12] auth-api: add ability to use hmac singing in keyring Stefan Sterz
2024-02-15 15:19 ` [pbs-devel] [PATCH proxmox 04/12] auth-api: move to hmac signing for csrf tokens Stefan Sterz
2024-02-19 16:02   ` Max Carrara
2024-02-20 12:54     ` Max Carrara
2024-02-23  9:26       ` Stefan Sterz
2024-02-23 10:48         ` Thomas Lamprecht
2024-02-23 10:52           ` Stefan Sterz
2024-02-23 13:06         ` Wolfgang Bumiller
2024-02-15 15:19 ` [pbs-devel] [PATCH proxmox 05/12] sys: crypt: move to yescrypt for password hashing Stefan Sterz
2024-02-15 15:19 ` [pbs-devel] [PATCH proxmox 06/12] sys: crypt: use constant time comparison for password verification Stefan Sterz
2024-02-19 16:11   ` Max Carrara
2024-02-23  9:26     ` Stefan Sterz
2024-02-15 15:19 ` [pbs-devel] [PATCH proxmox 07/12] sys: crypt: add helper to allow upgrading hashes Stefan Sterz
2024-02-19 18:50   ` Max Carrara
2024-02-23  9:26     ` Stefan Sterz
2024-02-15 15:19 ` [pbs-devel] [PATCH proxmox 08/12] auth-api: fix types `compilefail` test Stefan Sterz
2024-02-15 15:19 ` [pbs-devel] [PATCH proxmox-backup 09/12] auth: move to hmac keys for csrf tokens Stefan Sterz
2024-02-19 18:55   ` Max Carrara
2024-02-23  9:26     ` Stefan Sterz
2024-02-15 15:19 ` [pbs-devel] [PATCH proxmox-backup 10/12] auth: upgrade hashes on user log in Stefan Sterz
2024-02-19 18:58   ` Max Carrara
2024-02-23  9:26     ` Stefan Sterz
2024-02-15 15:20 ` Stefan Sterz [this message]
2024-02-19 19:06   ` [pbs-devel] [PATCH proxmox-backup 11/12] auth/manager: add manager command to upgrade hashes Max Carrara
2024-02-23  9:26     ` Stefan Sterz
2024-02-15 15:20 ` [pbs-devel] [PATCH proxmox-backup 12/12] auth: us ec keys as auth keys Stefan Sterz
2024-02-19 19:10   ` Max Carrara
2024-02-23  9:26     ` Stefan Sterz

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20240215152001.269490-12-s.sterz@proxmox.com \
    --to=s.sterz@proxmox.com \
    --cc=pbs-devel@lists.proxmox.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal