[Freeipa-devel] [PATCH] 376 Removed clear text passwords from KRA install log.

Endi Sukma Dewata edewata at redhat.com
Fri Aug 21 23:46:37 UTC 2015


The ipa-kra-install tool has been modified to use password files
instead of clear text passwords when invoking the pki tool, so that
the passwords are no longer visible in ipaserver-kra-install.log.

https://fedorahosted.org/freeipa/ticket/5246

-- 
Endi S. Dewata
-------------- next part --------------
From 545de89d5b8992469335415d209b6f04be6918ed Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata at redhat.com>
Date: Sat, 22 Aug 2015 01:14:16 +0200
Subject: [PATCH] Removed clear text passwords from KRA install log.

The ipa-kra-install tool has been modified to use password files
instead of clear text passwords when invoking the pki tool, so that
the passwords are no longer visible in ipaserver-kra-install.log.

https://fedorahosted.org/freeipa/ticket/5246
---
 ipaplatform/base/paths.py        |  2 ++
 ipaserver/install/krainstance.py | 16 ++++++++--------
 2 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 0dd3c7fda3020264a1ace8f2d13557cfddf18c2d..5c8f25d6ef85fab2b9b30a660cd1c0360dbe9931 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -343,6 +343,8 @@ class BasePathNamespace(object):
     SLAPD_INSTANCE_SOCKET_TEMPLATE = "/var/run/slapd-%s.socket"
     ALL_SLAPD_INSTANCE_SOCKETS = "/var/run/slapd-*.socket"
     ADMIN_CERT_PATH = '/root/.dogtag/pki-tomcat/ca_admin.cert'
+    KRA_NSSDB_PASSWORD_FILE = "/root/.dogtag/pki-tomcat/kra/password.conf"
+    KRA_PKCS12_PASSWORD_FILE = "/root/.dogtag/pki-tomcat/kra/pkcs12_password.conf"
     ENTROPY_AVAIL = '/proc/sys/kernel/random/entropy_avail'
     LDIF2DB = '/usr/sbin/ldif2db'
     DB2LDIF = '/usr/sbin/db2ldif'
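Review bot: The two new constants name files that no hunk in this patch writes, so a reader of paths.py cannot tell who creates `password.conf` and `pkcs12_password.conf`, when, or with what ownership and mode; presumably they are produced by pkispawn during KRA deployment, and that dependency belongs next to the constants. Suggested comment above the first added line: `# KRA client password files (expected to be written by pkispawn); they hold the client NSS DB and PKCS#12 passwords and must be readable by root only.` The enclosing BasePathNamespace class starts and ends outside this hunk.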
diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
index fa50c3dec897d63b9d3522d196054163f7b3369a..e5cdbf5e7714603041e3f0156e87311994175b18 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@@ -275,16 +275,16 @@ class KRAInstance(DogtagInstance):
         # import CA certificate into temporary security database
         args = ["/usr/bin/pki",
             "-d", self.agent_db,
-            "-c", self.admin_password,
+            "-C", paths.KRA_NSSDB_PASSWORD_FILE,
             "client-cert-import",
             "--pkcs12", paths.KRACERT_P12,
-            "--pkcs12-password", self.admin_password]
+            "--pkcs12-password-file", paths.KRA_PKCS12_PASSWORD_FILE]
         ipautil.run(args)
 
         # trust CA certificate
         args = ["/usr/bin/pki",
             "-d", self.agent_db,
-            "-c", self.admin_password,
+            "-C", paths.KRA_NSSDB_PASSWORD_FILE,
             "client-cert-mod", "Certificate Authority - %s" % api.env.realm,
             "--trust", "CT,c,"]
         ipautil.run(args)
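Review bot: `"-C", paths.KRA_NSSDB_PASSWORD_FILE` and `"--pkcs12-password-file", paths.KRA_PKCS12_PASSWORD_FILE` are handed to pki with no check that the files exist or are non-empty, so a missing file now surfaces as an opaque pki failure instead of a clear install error; the same applies to the pki invocations in the three following hunks (L68–L87, L88–L96, L97–L105). A guard before the first call would make the failure mode explicit, e.g. `if not os.path.isfile(paths.KRA_NSSDB_PASSWORD_FILE): raise RuntimeError("KRA NSS DB password file %s not found" % paths.KRA_NSSDB_PASSWORD_FILE)` (with `os` imported if it is not already). Since the removed `-c` argument carried `self.admin_password`, the new code presumably assumes the file contents match that password; a short comment stating that assumption at the first `args = [...]` would help the next maintainer. The enclosing method begins before and continues past this hunk.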
@@ -292,16 +292,16 @@ class KRAInstance(DogtagInstance):
         # import Dogtag admin certificate into temporary security database
         args = ["/usr/bin/pki",
             "-d", self.agent_db,
-            "-c", self.admin_password,
+            "-C", paths.KRA_NSSDB_PASSWORD_FILE,
             "client-cert-import",
             "--pkcs12", paths.DOGTAG_ADMIN_P12,
-            "--pkcs12-password", self.admin_password]
+            "--pkcs12-password-file", paths.KRA_PKCS12_PASSWORD_FILE]
         ipautil.run(args)
 
         # as Dogtag admin, create ipakra user in KRA
         args = ["/usr/bin/pki",
             "-d", self.agent_db,
-            "-c", self.admin_password,
+            "-C", paths.KRA_NSSDB_PASSWORD_FILE,
             "-n", "ipa-ca-agent",
             "kra-user-add", "ipakra",
             "--fullName", "IPA KRA User"]
@@ -310,7 +310,7 @@ class KRAInstance(DogtagInstance):
         # as Dogtag admin, add ipakra into KRA agents group
         args = ["/usr/bin/pki",
             "-d", self.agent_db,
-            "-c", self.admin_password,
+            "-C", paths.KRA_NSSDB_PASSWORD_FILE,
             "-n", "ipa-ca-agent",
             "kra-user-membership-add", "ipakra", "Data Recovery Manager Agents"]
         ipautil.run(args)
@@ -330,7 +330,7 @@ class KRAInstance(DogtagInstance):
             # as Dogtag admin, upload and assign ipaCert to ipakra
             args = ["/usr/bin/pki",
                 "-d", self.agent_db,
-                "-c", self.admin_password,
+                "-C", paths.KRA_NSSDB_PASSWORD_FILE,
                 "-n", "ipa-ca-agent",
                 "kra-user-cert-add", "ipakra",
                 "--input", filename]
-- 
2.4.3


