[Freeipa-devel] [PATCH] Password vault

Jan Cholasta jcholast at redhat.com
Wed Jun 3 09:53:26 UTC 2015


Dne 2.6.2015 v 20:40 Simo Sorce napsal(a):
> On Tue, 2015-06-02 at 07:07 -0500, Endi Sukma Dewata wrote:
>> On 6/2/2015 1:10 AM, Martin Kosek wrote:
>>> Hi Endi,
>>>
>>> Quickly skimming through your patches raised a couple of questions on my side:
>>>
>>> 1) Will it be possible to also store plain text password via Vault? It
>>> talks about taking in the binary data or the text file, but will it also
>>> work with plain user secrets (passwords)? I am talking about use like this:
>>>
>>> # ipa vault-archive <name> --user mkosek --data Secret123
>>
>> For security the plain text password should be stored in a file first:
>>
>>     # vi password.txt
>>     # ipa vault-archive <name> --user mkosek --in password.txt
>>
>> It's also possible to specify the password as base-64 encoded data:
>>
>>     # echo -n Secret123 | base64
>>     # ipa vault-archive <name> --user mkosek --data U2VjcmV0MTIz
>>
>> But it's not recommended since the data will be stored in the command
>> history and someone could see and decode it. I think passing a plain
>> text password as command line argument would be even worse. The --data
>> parameter is mainly used for unit testing.
>>
>> Later we might be able to add an option to read from standard input:
>>
>>     # cat password.txt | ipa vault-archive <name> --user mkosek --std-in
>
> Yes please, a way to pass in via stdin is extremely useful, as leaving
> files on the filesystem is also a big risk.

This will not work well, it should use the normal prompting mechanism:

$ ipa vault-archive <name> --user <user>
Data: <type data here>

-- 
Jan Cholasta
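As an added illustration of the options discussed in this thread (base64 --data, --in file, the proposed stdin option, and the interactive prompt Jan suggests), here is one way a CLI could resolve the secret from exactly one of those sources. This is example code, not FreeIPA's own implementation; the function and parameter names are assumed.

```python
import base64
import binascii
import getpass
import io
import sys


def read_secret(data=None, in_file=None, use_stdin=False,
                stdin=None, prompt=getpass.getpass):
    """Resolve the secret to archive from exactly one source and return bytes.

    data      -- base64-encoded secret (like --data; lands in shell history)
    in_file   -- path of a file holding the secret (like --in)
    use_stdin -- read the raw secret from stdin (the proposed --std-in)
    With none of these given, the user is prompted without echo, which keeps
    the secret out of argv, shell history and the filesystem.
    """
    if sum([data is not None, in_file is not None, use_stdin]) > 1:
        raise ValueError("specify at most one of data, in_file, use_stdin")
    if data is not None:
        try:
            return base64.b64decode(data, validate=True)
        except binascii.Error as e:
            raise ValueError("data is not valid base64") from e
    if in_file is not None:
        with open(in_file, "rb") as f:
            return f.read()          # trailing newline is kept, as in the file
    if use_stdin:
        stream = stdin if stdin is not None else sys.stdin.buffer
        secret = stream.read()
        if not secret:
            raise ValueError("no data on stdin")
        return secret
    # getpass reads from the controlling terminal with echo disabled.
    return prompt("Data: ").encode("utf-8")


def demo():
    """Exercise the sources with constructed inputs (no real vault involved)."""
    results = {"data": read_secret(data="U2VjcmV0MTIz")}
    results["stdin"] = read_secret(use_stdin=True, stdin=io.BytesIO(b"Secret123\n"))
    results["prompt"] = read_secret(prompt=lambda _: "Secret123")
    try:
        read_secret(data="U2VjcmV0MTIz", use_stdin=True)
        results["conflict_rejected"] = False
    except ValueError:
        results["conflict_rejected"] = True
    return results
```

Only the prompt path avoids leaving the secret in argv, the shell history or a file; the other paths exist mainly for scripting and unit tests, as noted in the thread.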