[Freeipa-devel] [PATCH] Encrypt replica file
Simo Sorce
ssorce at redhat.com
Tue Aug 12 13:44:37 UTC 2008
On Tue, 2008-08-12 at 12:28 +0200, Martin Nagy wrote:
> Simo Sorce wrote:
> > This patch encrypts the replica file so that even if the file is left
> > around it does not expose security relevant information.
> >
> > Unfortunately while testing I got an error down the patch after my patch
> > is concerned, setting up the replica fails with:
> >
> > [16/16]: configuring directory to start on boot
> > done configuring dirsrv.
> > creation of replica failed: {'info': 'Operation requires a secure
> > connection.\n', 'desc': 'Confidentiality required'}
> >
> >
> > I think this is unrelated to this patch but if you see anything that can
> > cause it let me know, this is why I am sending the patch for review even
> > if I could not successfully test a complete replication setup.
> >
> > Simo.
>
> Sorry that I didn't object sooner, but I'm strongly against adding the
> -p option:
> + parser.add_option("-p", "--password", dest="password",
> + help="Directory Manager (existing master) password")
>
> I know this is very convenient, but it is really insecure. Can we throw
> this option away?
You can propose a later patch that replaces it with another way to pipe
in the password (file, stdin, etc...)
For now I'd like to keep it, unless another method for non-interactive
installations is provided.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
More information about the Freeipa-devel
mailing list