[node-patches] Change in ovirt-node[master]: enable strong RNG options on the security page
jboggs at redhat.com
jboggs at redhat.com
Tue Sep 11 17:17:39 UTC 2012
Joey Boggs has uploaded a new change for review.
Change subject: enable strong RNG options on the security page
......................................................................
enable strong RNG options on the security page
rhbz#829007
Change-Id: I0b96989b756a691668972d8e204cf8f152e53630
Signed-off-by: Joey Boggs <jboggs at redhat.com>
---
M recipe/common-post.ks
M scripts/ovirt-config-setup.py
M scripts/ovirtnode/ovirtfunctions.py
3 files changed, 65 insertions(+), 3 deletions(-)
git pull ssh://gerrit.ovirt.org:29418/ovirt-node refs/changes/34/7934/1
diff --git a/recipe/common-post.ks b/recipe/common-post.ks
index 209475a..2b88508 100644
--- a/recipe/common-post.ks
+++ b/recipe/common-post.ks
@@ -254,3 +254,7 @@
#cleanup tmp directory from cim setup
rm -rf /tmp/cim_schema*
+
+# enable strong random number generation
+sed -i '/SSH_USE_STRONG_RNG/d' /etc/sysconfig/sshd
+echo "export SSH_USE_STRONG_RNG=12" >> /etc/profile
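Review bot: The sed on the second-to-last line deletes SSH_USE_STRONG_RNG from /etc/sysconfig/sshd, while the replacement export is appended to /etc/profile, so the two lines edit different files and nothing removes a pre-existing export from /etc/profile before the append. The setup script in this same change runs the identical sed against /etc/profile, which suggests the sshd path is a typo for `/etc/profile`; if it is intended, it strips the daemon's own setting while /etc/profile only reaches login shells, so sshd itself would no longer carry the variable. The kickstart should at least target the file that rng_status() later reads: `sed -i '/SSH_USE_STRONG_RNG/d' /etc/profile`.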
diff --git a/scripts/ovirt-config-setup.py b/scripts/ovirt-config-setup.py
index 7f9d324..c92571b 100755
--- a/scripts/ovirt-config-setup.py
+++ b/scripts/ovirt-config-setup.py
@@ -911,12 +911,30 @@
self.ssh_passwd_status = Checkbox("Enable ssh password authentication",
isOn=self.current_ssh_pwd_status)
elements.setField(self.ssh_passwd_status, 0, 1, anchorLeft=1)
+ rng_heading = Label("Strong Random Number Generator")
+ if is_console():
+ rng_heading.setColors(customColorset(1))
+ elements.setField(rng_heading, 0, 2, anchorLeft=1,
+ padding = (0, 1, 0, 0))
+
+ self.current_rng_bytes, self.current_aes_ni_status = rng_status()
+ rng_elements = Grid(2, 2)
+ rng_bit_elements = Grid(2, 1)
+ self.disable_aes_ni = Checkbox("Disable AES-NI",
+ isOn=self.current_aes_ni_status)
+ rng_elements.setField(self.disable_aes_ni, 0, 0, anchorLeft=1)
+ rng_bit_elements.setField(Label("Bytes Used: "), 0, 0, anchorLeft=1)
+ self.rng_bytes = Entry(3, scroll=0)
+ if self.current_rng_bytes > 0:
+ self.rng_bytes.set(self.current_rng_bytes)
+ rng_bit_elements.setField(self.rng_bytes, 1, 0, anchorLeft=1)
+ rng_elements.setField(rng_bit_elements, 0, 1, anchorLeft=1)
+ elements.setField(rng_elements, 0, 3, anchorLeft=1)
local_heading = Label("Local Access")
if is_console():
local_heading.setColors(customColorset(1))
- elements.setField(local_heading, 0, 3, anchorLeft=1,
- padding=(0, 2, 0, 0))
- elements.setField(Label(" "), 0, 6)
+ elements.setField(local_heading, 0, 4, anchorLeft=1,
+ padding=(0, 1, 0, 0))
pw_elements.setField(Label("Password: "), 0, 1, anchorLeft=1)
pw_elements.setField(Label("Confirm Password: "), 0, 2, anchorLeft=1)
self.root_password_1 = Entry(15, password=1)
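Review bot: `if self.current_rng_bytes > 0:` compares mixed types — rng_status() returns the value as the string split out of /etc/profile when the line exists and the int 0 otherwise — so the branch only works through Python 2's ordering of str against int and would raise under Python 3; `if self.current_rng_bytes:` expresses the intent without depending on that. `Entry(3, scroll=0)` also caps the field at three characters, which is fine for a byte count but deserves a comment if that bound is deliberate. The enclosing method starts before this hunk.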
@@ -1679,6 +1697,26 @@
def process_authentication_config(self):
self._create_warn_screen()
ssh_restart = False
+ profile_template = ""
+ if self.current_rng_bytes != self.rng_bytes.value():
+ self.rng_bytes = self.rng_bytes.value()
+ if not self.rng_bytes.isdigit():
+ ButtonChoiceWindow(self.screen, "Random Number Generator",
+ "Invalid Byte Entry", buttons=['Ok'])
+ return False
+ system_closefds("sed -i '/SSH_USE_STRONG_RNG/d' /etc/profile")
+ profile_template += "export SSH_USE_STRONG_RNG=%s\n" \
+ % self.rng_bytes
+ if self.current_aes_ni_status != self.disable_aes_ni.value():
+ system_closefds("sed -i '/OPENSSL_DISABLE_AES_NI/d' /etc/profile")
+ if self.disable_aes_ni.value() == 1:
+ profile_template += "export OPENSSL_DISABLE_AES_NI=1\n"
+ if len(profile_template) > 0:
+ f = open("/etc/profile", "a")
+ f.write(profile_template)
+ f.close()
+ ssh_restart = True
+ ovirt_store_config("/etc/profile")
if (self.root_password_1.value() != "" or
self.root_password_2.value() != ""):
if self.root_password_1.value() != self.root_password_2.value():
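Review bot: `self.rng_bytes = self.rng_bytes.value()` replaces the Entry widget with its string, so a second pass through process_authentication_config() — for instance after the "Invalid Byte Entry" dialog returns False — fails on `self.rng_bytes.value()`. The change check also trips when nothing is configured: rng_status() returns int 0 and an untouched Entry yields "", which are unequal, so `"".isdigit()` fails and the whole authentication page cannot be saved until a byte count is typed. Keeping the widget untouched, normalising both sides to strings and treating an empty field as "unset" fixes both; the AES-NI branch and the /etc/profile write below are unaffected. The method continues past the hunk.
```python
        profile_template = ""
        # Compare as strings: rng_status() yields a str when the export
        # exists and int 0 otherwise; an empty field means "leave unset".
        new_rng_bytes = self.rng_bytes.value().strip()
        if new_rng_bytes != str(self.current_rng_bytes or ""):
            if new_rng_bytes and not new_rng_bytes.isdigit():
                ButtonChoiceWindow(self.screen, "Random Number Generator",
                                   "Invalid Byte Entry", buttons=['Ok'])
                return False
            system_closefds("sed -i '/SSH_USE_STRONG_RNG/d' /etc/profile")
            if new_rng_bytes:
                profile_template += "export SSH_USE_STRONG_RNG=%s\n" \
                    % new_rng_bytes
        # … unchanged: AES-NI handling and /etc/profile write …
```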
diff --git a/scripts/ovirtnode/ovirtfunctions.py b/scripts/ovirtnode/ovirtfunctions.py
index 9a85c44..db73ee9 100644
--- a/scripts/ovirtnode/ovirtfunctions.py
+++ b/scripts/ovirtnode/ovirtfunctions.py
@@ -894,6 +894,7 @@
# store keyboard config
ovirt_store_config("/etc/sysconfig/keyboard")
ovirt_store_config("/etc/vconsole.conf")
+ ovirt_store_config("/var/lib/random-seed")
return True
def is_valid_ipv4(ip_address):
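Review bot: Persisting /var/lib/random-seed only helps if the file is refreshed at every boot and shutdown; if ovirt_store_config() snapshots it as it stands when this runs, the node would feed the same seed bytes into the kernel pool on each boot, which weakens rather than strengthens early-boot entropy. I cannot see from this hunk which init script rewrites the file, so please confirm and record it next to the call, e.g. `# persisted so the seed carries across reboots; must be rewritten by the random-seed init script on shutdown`. The enclosing function starts before this hunk.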
@@ -1462,6 +1463,25 @@
link_status = link_status.stdout.read()
return ("yes" in link_status)
+def rng_status():
+ bit_value = 0
+ disable_aes_ni = 0
+ try:
+ f = open("/etc/profile")
+ for line in f:
+ try:
+ if "SSH_USE_STRONG_RNG" in line:
+ export , kv = line.split()
+ key, bit_value = kv.split("=")
+ elif "OPENSSL_DISABLE_AES_NI=" in line:
+ disable_aes_ni = 1
+ except:
+ pass
+ f.close()
+ except:
+ pass
+ return (bit_value, disable_aes_ni)
+
class PluginBase(object):
"""Base class for pluggable Hypervisor configuration options.
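Review bot: rng_status() swallows every exception with two bare `except: pass` clauses, leaks the file handle when the loop raises (the `f.close()` sits inside the try), and matches `SSH_USE_STRONG_RNG` as a substring so a commented-out line also sets the value; it further returns the byte count as a str when found but the int 0 otherwise, which the caller in ovirt-config-setup.py then compares with `> 0`. Narrowing the open() failure to IOError, closing in `finally`, skipping comment lines and splitting on the first `=` keep the same (value, flag) return contract while making the parsing predictable.
```python
def rng_status():
    """Return (strong_rng_bytes, aes_ni_disabled) as read from /etc/profile.

    strong_rng_bytes is the SSH_USE_STRONG_RNG value as a string, or 0 when
    no such export is present; aes_ni_disabled is 1 when an
    OPENSSL_DISABLE_AES_NI= line exists. A missing or unreadable
    /etc/profile yields (0, 0).
    """
    bit_value = 0
    disable_aes_ni = 0
    try:
        f = open("/etc/profile")
    except IOError:
        return (bit_value, disable_aes_ni)
    try:
        for line in f:
            line = line.strip()
            if line.startswith("#"):
                continue  # ignore commented-out exports
            if "SSH_USE_STRONG_RNG=" in line:
                bit_value = line.split("=", 1)[1].strip()
            elif "OPENSSL_DISABLE_AES_NI=" in line:
                disable_aes_ni = 1
    finally:
        f.close()
    return (bit_value, disable_aes_ni)
```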
--
To view, visit http://gerrit.ovirt.org/7934
Gerrit-MessageType: newchange
Gerrit-Change-Id: I0b96989b756a691668972d8e204cf8f152e53630
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-node
Gerrit-Branch: master
Gerrit-Owner: Joey Boggs <jboggs at redhat.com>