<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 10/01/2014 05:44 AM, Yiorgos
Stamoulis wrote:<br>
</div>
<blockquote cite="mid:38655c79.DSq.Fz0.cS.11asNmAIf7@mailjet.com"
type="cite">
<br>
<div class="moz-cite-prefix">On 01/10/14 08:19, Les Stott wrote:<br>
</div>
<blockquote
cite="mid:4ED173A868981548967B4FCA2707222627FE845C@AACMBXP04.exchserver.com"
type="cite">
<div class="WordSection1">
<p>Hi,</p>
<p>I am using freeipa in a rhel6 environment with ipa-3.0.0-37.el6 client.</p>
<p>I am working on doing an unattended ipa client installation. I have it working with the following:</p>
<pre>/usr/sbin/ipa-client-install -p admin -w &lt;admin_password&gt; -U --no-ntp</pre>
<p>While this works, while it runs, the &lt;admin_password&gt; value is visible in the output of a ps -ef command on the host when installing the ipa client.</p>
<pre># ps -ef |grep ipa
root 30284 30283 43 03:31 ? 00:00:01 /usr/bin/python -E /usr/sbin/ipa-client-install -p admin -w &lt;plain_text_password&gt; -U --no-ntp</pre>
<p>This represents a challenge to security, even though it's only minor (as in it's only there for a minute or so), but it's still there and it is the admin password.</p>
<p>Can ipa-client-install be updated to include a parameter to retrieve the admin password from a file? i.e.</p>
<pre>/usr/bin/python -E /usr/sbin/ipa-client-install -p admin --from-file /tmp/credentials -U --no-ntp</pre>
<p>That would then protect the admin password.</p>
<p>I am not familiar with python coding.</p>
<p>Thanks in advance,</p>
<p>Les</p>
</div>
</blockquote>
Hi Les,<br>
<br>
In addition to the answers you have already received, you can
create a user with the 'host enrollment' permission only, so even
if the credentials are compromised the damage is minimized.<br>
<br>
I am using this on 4.0.3 but looking at an older installation the
same seems available in 3.0 too.<br>
<br>
Best Regards<br>
<br>
Yiorgos <br>
</blockquote>
Or you can use OTPs. The OTPs were actually invented for exactly
this use case. You register the host and generate an OTP at that time. Then
you pass it to your enrollment script and it is used once.<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
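<p>The OTP-based enrollment described above, combined with the restricted enrollment account suggested earlier in the thread, as an added shell example that is not part of this thread or of FreeIPA's own tooling. It assumes the <code>ipa</code> CLI is available with a Kerberos ticket for an account allowed to add hosts, and that <code>ipa host-add --random</code> prints the generated value on a line labelled <code>Random password:</code>; the sample output used to exercise the parser is constructed.</p>

```shell
#!/bin/sh
# Added example: enroll an IPA client with a host one-time password (OTP)
# instead of the admin password. Not code from the thread or from FreeIPA.
# Assumes the `ipa` CLI and a Kerberos ticket for an account that may add
# hosts (a user limited to host enrollment is enough, as the thread notes).

# Pull the OTP out of `ipa host-add --random` output. The "Random password:"
# field label is assumed from FreeIPA's CLI output format.
extract_otp() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Random password:[[:space:]]*//p' | head -n 1
}

# Step 1 (on the admin workstation): register the host and print its OTP.
register_host() {
    out=$(ipa host-add "$1" --random) || return 1
    otp=$(extract_otp "$out")
    [ -n "$otp" ] || return 1
    printf '%s\n' "$otp"
}

# Step 2 (on the client): enroll with the OTP. No -p admin principal is
# needed. The OTP is consumed on first use, so although it shows in `ps -ef`
# while the install runs, a value seen there cannot be reused, and the admin
# password never reaches the client at all.
enroll_with_otp() {
    /usr/sbin/ipa-client-install --password "$1" -U --no-ntp
}

# Constructed sample of `ipa host-add --random` output for exercising the
# parser offline; the host name and value are made up.
SAMPLE_OUTPUT='------------------------------------
Added host "client1.example.test"
------------------------------------
  Host name: client1.example.test
  Random password: 9YLdk2Tmbyzcd0Bz
  Password: True
  Keytab: False
  Managed by: client1.example.test'

case "${1:-}" in
    register) register_host "$2" ;;
    enroll)   enroll_with_otp "$2" ;;
    "")       ;;  # no arguments: only define the functions
    *)        echo "usage: $0 register <fqdn> | enroll <otp>" >&2; exit 2 ;;
esac
```

Run <code>register client1.example.test</code> where the admin ticket lives and carry only the printed OTP to the client for the <code>enroll</code> step.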
</body>
</html>