From 6d95ccb0f066e39c844d31341c65ddeff183f78f Mon Sep 17 00:00:00 2001 From: Francis Dupont Date: Fri, 20 Dec 2024 16:48:44 +0100 Subject: [PATCH] [#3398] Made 1234 the default secret/password --- doc/examples/ddns/template.json | 2 +- doc/examples/https/httpd2/kea-httpd2.conf | 4 +-- doc/examples/https/nginx/kea-nginx.conf | 4 +-- doc/examples/kea4/all-keys-netconf.json | 4 +-- doc/examples/kea4/all-keys.json | 4 +-- doc/examples/kea4/backends.json | 4 +-- doc/examples/kea4/config-backend.json | 2 +- doc/examples/kea4/hooks-radius.json | 4 +-- doc/examples/kea4/mysql-reservations.json | 2 +- doc/examples/kea4/pgsql-reservations.json | 2 +- doc/examples/kea6/all-keys-netconf.json | 4 +-- doc/examples/kea6/all-keys.json | 4 +-- doc/examples/kea6/backends.json | 4 +-- doc/examples/kea6/config-backend.json | 2 +- doc/examples/kea6/mysql-reservations.json | 2 +- doc/examples/kea6/pgsql-reservations.json | 2 +- doc/sphinx/arm/admin.rst | 4 +-- doc/sphinx/arm/dhcp4-srv.rst | 10 +++--- doc/sphinx/arm/dhcp6-srv.rst | 10 +++--- doc/sphinx/arm/ext-radius.rst | 6 ++-- doc/sphinx/arm/hooks-ha.rst | 8 ++--- doc/sphinx/arm/hooks-legal-log.rst | 8 ++--- src/bin/keactrl/kea-dhcp4.conf.pre | 2 +- src/bin/keactrl/kea-dhcp6.conf.pre | 2 +- src/lib/cc/Makefile.am | 2 ++ src/lib/cc/default_credentials.cc | 32 +++++++++++++++++ src/lib/cc/default_credentials.h | 42 +++++++++++++++++++++++ 27 files changed, 126 insertions(+), 50 deletions(-) create mode 100644 src/lib/cc/default_credentials.cc create mode 100644 src/lib/cc/default_credentials.h diff --git a/doc/examples/ddns/template.json b/doc/examples/ddns/template.json index c4da2508e5..cec9e3234b 100644 --- a/doc/examples/ddns/template.json +++ b/doc/examples/ddns/template.json @@ -91,7 +91,7 @@ // "digest-bits" : 256, // Minimum truncated length in bits. // Default 0 (means truncation is forbidden). -// "secret" : "" +// "secret" : "1234" (shared secret value) // } // , // { 
diff --git a/doc/examples/https/httpd2/kea-httpd2.conf b/doc/examples/https/httpd2/kea-httpd2.conf index b138673c59..f5c007078f 100644 --- a/doc/examples/https/httpd2/kea-httpd2.conf +++ b/doc/examples/https/httpd2/kea-httpd2.conf @@ -48,9 +48,9 @@ # openssl pkcs12 -export -in kea-client.crt -inkey kea-client.key \ # -out kea-client.p12 # -# If the password is kea, curl command becomes: +# If the password is 1234, curl command becomes: # -# curl -k --cert kea-client.p12:kea -X POST \ +# curl -k --cert kea-client.p12:1234 -X POST \ # -H Content-Type:application/json -d '{ "command": "list-commands" }' \ # https://kea.example.org/kea # diff --git a/doc/examples/https/nginx/kea-nginx.conf b/doc/examples/https/nginx/kea-nginx.conf index cdbd7b35c6..9817fe18de 100644 --- a/doc/examples/https/nginx/kea-nginx.conf +++ b/doc/examples/https/nginx/kea-nginx.conf @@ -48,9 +48,9 @@ # openssl pkcs12 -export -in kea-client.crt -inkey kea-client.key \ # -out kea-client.p12 # -# If the password is kea, curl command becomes: +# If the password is 1234, curl command becomes: # -# curl -k --cert kea-client.p12:kea -X POST \ +# curl -k --cert kea-client.p12:1234 -X POST \ # -H Content-Type:application/json -d '{ "command": "list-commands" }' \ # https://kea.example.org # diff --git a/doc/examples/kea4/all-keys-netconf.json b/doc/examples/kea4/all-keys-netconf.json index 528cc697b9..1b956edec8 100644 --- a/doc/examples/kea4/all-keys-netconf.json +++ b/doc/examples/kea4/all-keys-netconf.json @@ -361,7 +361,7 @@ "host": "localhost", // Database password. - "password": "keatest", + "password": "1234", // Port on which the database is available. "port": 3306, @@ -424,7 +424,7 @@ "host": "localhost", // Database password. - "password": "keatest", + "password": "1234", // Port on which the database is available. "port": 5432, diff --git a/doc/examples/kea4/all-keys.json b/doc/examples/kea4/all-keys.json index 3d28d78953..0582233e2c 100644 --- a/doc/examples/kea4/all-keys.json 
+++ b/doc/examples/kea4/all-keys.json @@ -483,7 +483,7 @@ "host": "localhost", // Database password. - "password": "keatest", + "password": "1234", // Port on which the database is available. "port": 3306, @@ -546,7 +546,7 @@ "host": "localhost", // Database password. - "password": "keatest", + "password": "1234", // Port on which the database is available. "port": 5432, diff --git a/doc/examples/kea4/backends.json b/doc/examples/kea4/backends.json index 86e716a788..e5abb16544 100644 --- a/doc/examples/kea4/backends.json +++ b/doc/examples/kea4/backends.json @@ -38,7 +38,7 @@ // "host": "localhost", // "port": 3306, // "user": "keatest", -// "password": "secret1", +// "password": "1234", // "reconnect-wait-time": 3000, // expressed in ms // "max-reconnect-tries": 3, // "on-fail": "stop-retry-exit", @@ -66,7 +66,7 @@ // "host": "localhost", // "port": 5432, // "user": "keatest", -// "password": "secret1", +// "password": "1234", // "reconnect-wait-time": 3000, // expressed in ms // "max-reconnect-tries": 3, // "on-fail": "stop-retry-exit", diff --git a/doc/examples/kea4/config-backend.json b/doc/examples/kea4/config-backend.json index ded603ad91..39267b2b60 100644 --- a/doc/examples/kea4/config-backend.json +++ b/doc/examples/kea4/config-backend.json @@ -38,7 +38,7 @@ "max-reconnect-tries": 3, "name": "kea", "user": "kea", - "password": "kea", + "password": "1234", "host": "localhost", "port": 3306 } diff --git a/doc/examples/kea4/hooks-radius.json b/doc/examples/kea4/hooks-radius.json index ba51f531f8..099517012e 100644 --- a/doc/examples/kea4/hooks-radius.json +++ b/doc/examples/kea4/hooks-radius.json @@ -173,7 +173,7 @@ // These are parameters for the first (and only) access server "name": "127.0.0.1", "port": 1812, - "secret": "secret" + "secret": "1234" } // Additional access servers could be specified here ], @@ -212,7 +212,7 @@ "servers": [ { "name": "127.0.0.1", "port": 1813, - "secret": "secret" + "secret": "1234" } ] } 
diff --git a/doc/examples/kea4/mysql-reservations.json b/doc/examples/kea4/mysql-reservations.json index 99cf078e68..26d9eee027 100644 --- a/doc/examples/kea4/mysql-reservations.json +++ b/doc/examples/kea4/mysql-reservations.json @@ -61,7 +61,7 @@ "max-reconnect-tries": 3, "name": "keatest", "user": "keatest", - "password": "keatest", + "password": "1234", "host": "localhost", "port": 3306, "trust-anchor": "my-ca", diff --git a/doc/examples/kea4/pgsql-reservations.json b/doc/examples/kea4/pgsql-reservations.json index 2f94a0fc07..94b1904192 100644 --- a/doc/examples/kea4/pgsql-reservations.json +++ b/doc/examples/kea4/pgsql-reservations.json @@ -63,7 +63,7 @@ "max-reconnect-tries": 3, "name": "keatest", "user": "keatest", - "password": "keatest", + "password": "1234", "host": "localhost" } ], diff --git a/doc/examples/kea6/all-keys-netconf.json b/doc/examples/kea6/all-keys-netconf.json index 8c716808c2..8f812e0f5b 100644 --- a/doc/examples/kea6/all-keys-netconf.json +++ b/doc/examples/kea6/all-keys-netconf.json @@ -303,7 +303,7 @@ "host": "localhost", // Database password. - "password": "keatest", + "password": "1234", // Port on which the database is available. "port": 3306, @@ -366,7 +366,7 @@ "host": "localhost", // Database password. - "password": "keatest", + "password": "1234", // Port on which the database is available. "port": 5432, diff --git a/doc/examples/kea6/all-keys.json b/doc/examples/kea6/all-keys.json index 2b93426b2b..bb6842ab49 100644 --- a/doc/examples/kea6/all-keys.json +++ b/doc/examples/kea6/all-keys.json @@ -425,7 +425,7 @@ "host": "localhost", // Database password. - "password": "keatest", + "password": "1234", // Port on which the database is available. "port": 3306, @@ -488,7 +488,7 @@ "host": "localhost", // Database password. - "password": "keatest", + "password": "1234", // Port on which the database is available. "port": 5432, 
diff --git a/doc/examples/kea6/backends.json b/doc/examples/kea6/backends.json index 31ab9697f1..097d37c394 100644 --- a/doc/examples/kea6/backends.json +++ b/doc/examples/kea6/backends.json @@ -38,7 +38,7 @@ // "host": "localhost", // "port": 3306, // "user": "keatest", -// "password": "secret1", +// "password": "1234", // "reconnect-wait-time": 3000, // expressed in ms // "max-reconnect-tries": 3, // "on-fail": "stop-retry-exit", @@ -66,7 +66,7 @@ // "host": "localhost", // "port": 5432, // "user": "keatest", -// "password": "secret1", +// "password": "1234", // "reconnect-wait-time": 3000, // expressed in ms // "max-reconnect-tries": 3, // "on-fail": "stop-retry-exit", diff --git a/doc/examples/kea6/config-backend.json b/doc/examples/kea6/config-backend.json index 5ec2efd036..2fc33b7927 100644 --- a/doc/examples/kea6/config-backend.json +++ b/doc/examples/kea6/config-backend.json @@ -38,7 +38,7 @@ "max-reconnect-tries": 3, "name": "kea", "user": "kea", - "password": "kea", + "password": "1234", "host": "localhost", "port": 3306 } diff --git a/doc/examples/kea6/mysql-reservations.json b/doc/examples/kea6/mysql-reservations.json index a6b09afe10..b83b9c003c 100644 --- a/doc/examples/kea6/mysql-reservations.json +++ b/doc/examples/kea6/mysql-reservations.json @@ -48,7 +48,7 @@ "max-reconnect-tries": 3, "name": "keatest", "user": "keatest", - "password": "keatest", + "password": "1234", "host": "localhost", "port": 3306, "readonly": true, diff --git a/doc/examples/kea6/pgsql-reservations.json b/doc/examples/kea6/pgsql-reservations.json index 0910f2f3c0..d2987caeeb 100644 --- a/doc/examples/kea6/pgsql-reservations.json +++ b/doc/examples/kea6/pgsql-reservations.json @@ -50,7 +50,7 @@ "max-reconnect-tries": 3, "name": "keatest", "user": "keatest", - "password": "keatest", + "password": "1234", "host": "localhost" } ], diff --git a/doc/sphinx/arm/admin.rst b/doc/sphinx/arm/admin.rst index 7acb070e22..8c1676ca6c 100644 --- a/doc/sphinx/arm/admin.rst 
+++ b/doc/sphinx/arm/admin.rst @@ -246,7 +246,7 @@ To create the database: .. code-block:: mysql - mysql> CREATE USER 'user-name'@'localhost' IDENTIFIED BY 'password'; + mysql> CREATE USER 'user-name'@'localhost' IDENTIFIED BY '1234'; mysql> GRANT ALL ON database-name.* TO 'user-name'@'localhost'; (``user-name`` and ``password`` are the user ID and password used to @@ -485,7 +485,7 @@ which the servers will access it. A number of steps are required: .. code-block:: psql - postgres=# CREATE USER user-name WITH PASSWORD 'password'; + postgres=# CREATE USER user-name WITH PASSWORD '1234'; CREATE ROLE postgres=# GRANT ALL PRIVILEGES ON DATABASE database-name TO user-name; GRANT diff --git a/doc/sphinx/arm/dhcp4-srv.rst b/doc/sphinx/arm/dhcp4-srv.rst index 868a5c99be..ff90fbbeb2 100644 --- a/doc/sphinx/arm/dhcp4-srv.rst +++ b/doc/sphinx/arm/dhcp4-srv.rst @@ -601,7 +601,7 @@ access the database should be set: "Dhcp4": { "lease-database": { "user": "user-name", - "password": "password", + "password": "1234", ... }, ... @@ -708,7 +708,7 @@ connection to MySQL: "type": "mysql", "name": "kea", "user": "kea", - "password": "secret123", + "password": "1234", "host": "localhost", "port": 3306 } @@ -858,7 +858,7 @@ access the database should be set: "Dhcp4": { "hosts-database": { "user": "user-name", - "password": "password", + "password": "1234", ... }, ... @@ -8532,7 +8532,7 @@ database: "type": "mysql", "name": "kea", "user": "kea", - "password": "kea", + "password": "1234", "host": "192.0.2.1", "port": 3302 } @@ -8563,7 +8563,7 @@ The following snippet illustrates the use of a PostgreSQL database: "type": "postgresql", "name": "kea", "user": "kea", - "password": "kea", + "password": "1234", "host": "192.0.2.1", "port": 3302 } diff --git a/doc/sphinx/arm/dhcp6-srv.rst b/doc/sphinx/arm/dhcp6-srv.rst index 70fe913bdb..6eebcd3f97 100644 --- a/doc/sphinx/arm/dhcp6-srv.rst +++ b/doc/sphinx/arm/dhcp6-srv.rst 
@@ -557,7 +557,7 @@ access the database should be set: "Dhcp6": { "lease-database": { "user": "user-name", - "password": "password", + "password": "1234", ... }, ... @@ -664,7 +664,7 @@ connection to MySQL: "type": "mysql", "name": "kea", "user": "kea", - "password": "secret123", + "password": "1234", "host": "localhost", "port": 3306 } @@ -814,7 +814,7 @@ access the database should be set: "Dhcp6": { "hosts-database": { "user": "user-name", - "password": "password", + "password": "1234", ... }, ... @@ -8273,7 +8273,7 @@ database: "type": "mysql", "name": "kea", "user": "kea", - "password": "kea", + "password": "1234", "host": "2001:db8:1::1", "port": 3302 } @@ -8304,7 +8304,7 @@ The following snippet illustrates the use of a PostgreSQL database: "type": "postgresql", "name": "kea", "user": "kea", - "password": "kea", + "password": "1234", "host": "2001:db8:1::1", "port": 3302 } diff --git a/doc/sphinx/arm/ext-radius.rst b/doc/sphinx/arm/ext-radius.rst index 90d73b9189..7e4d038a74 100644 --- a/doc/sphinx/arm/ext-radius.rst +++ b/doc/sphinx/arm/ext-radius.rst @@ -242,7 +242,7 @@ At the service level, three sections can be configured: The value ``0`` means no limit; ``64`` is a recommended setting. For example, to specify a single access server available on localhost -that uses ``"xyz123"`` as a secret, and tell Kea to send three additional +that uses ``"1234"`` as a secret, and tell Kea to send three additional attributes (``User-Password``, ``Connect-Info``, and ``Configuration-Token``), the following snippet could be used: @@ -261,7 +261,7 @@ the following snippet could be used: // These are parameters for the first (and only) access server "name": "127.0.0.1", "port": 1812, - "secret": "xyz123" + "secret": "1234" } // Additional access servers could be specified here. ], 
@@ -303,7 +303,7 @@ the following snippet could be used: // These are parameters for the first (and only) accounting server "name": "127.0.0.1", "port": 1813, - "secret": "sekret" + "secret": "1234" } // Additional accounting servers could be specified here. ] diff --git a/doc/sphinx/arm/hooks-ha.rst b/doc/sphinx/arm/hooks-ha.rst index 959c44596b..d6eb3a35f5 100644 --- a/doc/sphinx/arm/hooks-ha.rst +++ b/doc/sphinx/arm/hooks-ha.rst @@ -700,7 +700,7 @@ only difference that ``this-server-name`` should be set to "server2" and "url": "http://192.168.56.99:8000/", "role": "backup", "basic-auth-user": "foo", - "basic-auth-password": "bar", + "basic-auth-password": "1234", "auto-failover": false }] }] @@ -945,7 +945,7 @@ other words, if the query would normally be processed by ``server2`` but this server is not available, ``server1`` allocates the lease from the pool of "192.0.3.200 - 192.0.3.250". The Kea control agent in front of ``server3`` requires basic HTTP authentication, and authorizes the user ID "foo" with the -password "bar". +password "1234". .. note:: @@ -1096,7 +1096,7 @@ The following is an example configuration of the primary server in a "name": "server3", "url": "http://192.168.56.99:8000/", "basic-auth-user": "foo", - "basic-auth-password": "bar", + "basic-auth-password": "1234", "role": "backup", "auto-failover": false }] @@ -1175,7 +1175,7 @@ The following is an example configuration file for the primary server in a "name": "server3", "url": "http://192.168.56.99:8000/", "basic-auth-user": "foo", - "basic-auth-password": "bar", + "basic-auth-password": "1234", "role": "backup" }] }] diff --git a/doc/sphinx/arm/hooks-legal-log.rst b/doc/sphinx/arm/hooks-legal-log.rst index 1b2a3dd4bc..5da969d94d 100644 --- a/doc/sphinx/arm/hooks-legal-log.rst +++ b/doc/sphinx/arm/hooks-legal-log.rst 
@@ -240,7 +240,7 @@ Additional parameters for the database connection can be specified, e.g: "library": "/usr/local/lib/kea/hooks/libdhcp_legal_log.so", "parameters": { "name": "database-name", - "password": "passwd", + "password": "1234", "type": "mysql", "user": "user-name" } @@ -478,7 +478,7 @@ Examples: "library": "/usr/local/lib/kea/hooks/libdhcp_legal_log.so", "parameters": { "name": "database-name", - "password": "passwd", + "password": "1234", "type": "mysql", "user": "user-name", "request-parser-format": "'log entry' + 0x0a + 'same log entry'", @@ -803,7 +803,7 @@ Examples: "library": "/usr/local/lib/kea/hooks/libdhcp_legal_log.so", "parameters": { "name": "database-name", - "password": "passwd", + "password": "1234", "type": "mysql", "user": "user-name", "request-parser-format": "'log entry' + 0x0a + 'same log entry'", @@ -1061,7 +1061,7 @@ tools may be used, for example, to dump the logs table from a MYSQL database: :: - $ mysql --user keatest --password keatest -e "select * from logs;" + $ mysql --user keatest --password 1234 -e "select * from logs;" +---------------------+--------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------+----+ | timestamp | address | log | id | +---------------------+--------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------+----+ diff --git a/src/bin/keactrl/kea-dhcp4.conf.pre b/src/bin/keactrl/kea-dhcp4.conf.pre index 44f811b952..aced2a5261 100644 --- a/src/bin/keactrl/kea-dhcp4.conf.pre +++ b/src/bin/keactrl/kea-dhcp4.conf.pre @@ -73,7 +73,7 @@ // "type": "mysql", // "name": "kea", // "user": "kea", - // "password": "kea", + // "password": "1234", // "host": "localhost", // "port": 3306 // }, 
diff --git a/src/bin/keactrl/kea-dhcp6.conf.pre b/src/bin/keactrl/kea-dhcp6.conf.pre index d827b759b8..d043489b98 100644 --- a/src/bin/keactrl/kea-dhcp6.conf.pre +++ b/src/bin/keactrl/kea-dhcp6.conf.pre @@ -67,7 +67,7 @@ // "type": "mysql", // "name": "kea", // "user": "kea", - // "password": "kea", + // "password": "1234", // "host": "localhost", // "port": 3306 // }, diff --git a/src/lib/cc/Makefile.am b/src/lib/cc/Makefile.am index b3c1b5a858..085dddb978 100644 --- a/src/lib/cc/Makefile.am +++ b/src/lib/cc/Makefile.am @@ -10,6 +10,7 @@ libkea_cc_la_SOURCES += data.cc data.h libkea_cc_la_SOURCES += element_value.h libkea_cc_la_SOURCES += cfg_to_element.h dhcp_config_error.h libkea_cc_la_SOURCES += command_interpreter.cc command_interpreter.h +libkea_cc_la_SOURCES += default_credentials.cc default_credentials.h libkea_cc_la_SOURCES += json_feed.cc json_feed.h libkea_cc_la_SOURCES += server_tag.cc server_tag.h libkea_cc_la_SOURCES += simple_parser.cc simple_parser.h @@ -31,6 +32,7 @@ libkea_cc_include_HEADERS = \ cfg_to_element.h \ command_interpreter.h \ data.h \ + default_credentials.h \ dhcp_config_error.h \ element_value.h \ json_feed.h \ diff --git a/src/lib/cc/default_credentials.cc b/src/lib/cc/default_credentials.cc new file mode 100644 index 0000000000..327f072392 --- /dev/null +++ b/src/lib/cc/default_credentials.cc 
@@ -0,0 +1,32 @@
+// Copyright (C) 2024 Internet Systems Consortium, Inc. ("ISC")
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+#include
+#include
+
+namespace isc {
+namespace data {
+
+const std::list DefaultCredentials::DEFAULT_CREDENTIALS = {
+#ifndef IGNORE_KEA_DEFAULT_CREDENTIALS
+ "1234", "*****"
+#endif
+#ifdef EXTRA_KEA_DEFAULT_CREDENTIALS
+ EXTRA_KEA_DEFAULT_CREDENTIALS
+#endif
+};
+
+void DefaultCredentials::check(const std::string& value) {
+ for (auto const& cred : DEFAULT_CREDENTIALS) {
+ if (value == cred) {
+ isc_throw(DefaultCredential,
+ "illegal use of a default value as credential");
+ }
+ }
+}
+
+} // end of isc::dhcp namespace
+} // end of isc namespace
diff --git a/src/lib/cc/default_credentials.h b/src/lib/cc/default_credentials.h
new file mode 100644
index 0000000000..ade6fa5689
--- /dev/null
+++ b/src/lib/cc/default_credentials.h
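Review bot: The braced initializer of `DEFAULT_CREDENTIALS` has no comma after `"*****"`, so when `EXTRA_KEA_DEFAULT_CREDENTIALS` is defined as a plain string literal the preprocessor yields `"*****" "extra"`, which C++ concatenates into a single entry `"*****extra"` — neither placeholder is then rejected and the build stays silent. A trailing comma is legal in a braced init list and makes the two `#if` blocks independent of each other: `"1234", "*****",`. Separately, nothing in this patch calls `DefaultCredentials::check`, so the example configurations switched to `1234` are not actually refused until the database, RADIUS, HA basic-auth and TSIG parsers are wired to it — presumably a follow-up, but the commit message should say so since the docs now ship with the weaker-looking value. The closing comment `// end of isc::dhcp namespace` mislabels what is `isc::data`.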
@@ -0,0 +1,42 @@
+// Copyright (C) 2024 Internet Systems Consortium, Inc. ("ISC")
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+#ifndef DEFAULT_CREDENTIALS_H
+#define DEFAULT_CREDENTIALS_H
+
+#include
+#include
+#include
+
+namespace isc {
+namespace data {
+
+/// @brief Exception thrown on attempt to use a default credential.
+class DefaultCredential : public Exception {
+public:
+ DefaultCredential(const char* file, size_t line, const char* what) :
+ isc::Exception(file, line, what) { }
+};
+
+/// @brief Base class for default credentials.
+struct DefaultCredentials {
+ /// @brief Default credentials.
+ ///
+ /// @note Using a list as there are only two default credentials.
+ static const std::list DEFAULT_CREDENTIALS;
+
+ /// @brief Check if the value is a default credential.
+ ///
+ /// @param value The value to check.
+ /// @throw DefaultCredential if the value is in default credentials.
+ static void check(const std::string& value);
+};
+
+} // end of isc::dhcp namespace
+} // end of isc namespace
+
+
+#endif // DEFAULT_CREDENTIALS_H
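Review bot: The header does not say that `check` is an exact, case-sensitive match against a couple of documentation placeholders rather than a password-strength or policy check, and an operator reading `@brief Check if the value is a default credential` could easily take it for the latter. I would add above `static void check`: `/// @note Only rejects the literal placeholder values used in the Kea examples (plus any supplied via EXTRA_KEA_DEFAULT_CREDENTIALS); it is not a strength check, and with IGNORE_KEA_DEFAULT_CREDENTIALS the built-in list is empty so nothing is rejected.` The `@note Using a list as there are only two default credentials.` becomes stale as soon as `EXTRA_KEA_DEFAULT_CREDENTIALS` adds entries, and `@brief Base class for default credentials.` describes a struct with only static members that nothing derives from — `@brief Holder for the placeholder credential values rejected by check().` fits better. The closing `// end of isc::dhcp namespace` should read `isc::data`.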