[Freeipa-devel] [PATCH] 376 Removed clear text passwords from KRA install log.
Alexander Bokovoy
abokovoy at redhat.com
Sat Aug 22 06:17:48 UTC 2015
On Fri, 21 Aug 2015, Endi Sukma Dewata wrote:
>The ipa-kra-install tool has been modified to use password files
>instead of clear text passwords when invoking pki tool such that
>the passwords are no longer visible in ipaserver-kra-install.log.
>
>https://fedorahosted.org/freeipa/ticket/5246
>
>--
>Endi S. Dewata
>From 545de89d5b8992469335415d209b6f04be6918ed Mon Sep 17 00:00:00 2001
>From: "Endi S. Dewata" <edewata at redhat.com>
>Date: Sat, 22 Aug 2015 01:14:16 +0200
>Subject: [PATCH] Removed clear text passwords from KRA install log.
>
>The ipa-kra-install tool has been modified to use password files
>instead of clear text passwords when invoking pki tool such that
>the passwords are no longer visible in ipaserver-kra-install.log.
>
>https://fedorahosted.org/freeipa/ticket/5246
>---
> ipaplatform/base/paths.py | 2 ++
> ipaserver/install/krainstance.py | 16 ++++++++--------
> 2 files changed, 10 insertions(+), 8 deletions(-)
>
>diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
>index 0dd3c7fda3020264a1ace8f2d13557cfddf18c2d..5c8f25d6ef85fab2b9b30a660cd1c0360dbe9931 100644
>--- a/ipaplatform/base/paths.py
>+++ b/ipaplatform/base/paths.py
>@@ -343,6 +343,8 @@ class BasePathNamespace(object):
> SLAPD_INSTANCE_SOCKET_TEMPLATE = "/var/run/slapd-%s.socket"
> ALL_SLAPD_INSTANCE_SOCKETS = "/var/run/slapd-*.socket"
> ADMIN_CERT_PATH = '/root/.dogtag/pki-tomcat/ca_admin.cert'
>+ KRA_NSSDB_PASSWORD_FILE = "/root/.dogtag/pki-tomcat/kra/password.conf"
>+ KRA_PKCS12_PASSWORD_FILE = "/root/.dogtag/pki-tomcat/kra/pkcs12_password.conf"
ACK.
For the record, these files are created by pki-spawn early in the
creation of security databases for CA deployment. The second file isnt created
if CA is deployed with HSM option (the databases are in hardware then) but
then the first one is created for HSM and thus both of them are in use.
We don't support deployment with HSM backend yet, but the code covers
both cases.
In future it would be good to actually source these values from
/etc/pki/default.cfg:
pki_client_password_conf=%(pki_client_subsystem_dir)s/password.conf
pki_client_pkcs12_password_conf=%(pki_client_subsystem_dir)s/pkcs12_password.conf
but right now this would mean need to use dogtag's Python helpers from
pki.server.deployment.pkiparser.PKIConfigParser.read_pki_configuration_file() to do
actual sourcing of the config file but right now PKIConfigParser use
assumes it is actually parsing the command line options/arguments before
using its methods:
>>> from pki.server.deployment.pkiparser import PKIConfigParser
>>> cfg = PKIConfigParser('IPA CA', '')
>>> cfg.init_config()
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File
"/usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.py",
line 196, in init_config
'pki_subsystem_type': config.pki_subsystem.lower(),
AttributeError: 'NoneType' object has no attribute 'lower'
>>>
--
/ Alexander Bokovoy
More information about the Freeipa-devel
mailing list