[Freeipa-devel] [PATCH] 376 Removed clear text passwords from KRA install log.

Petr Vobornik pvoborni at redhat.com
Wed Aug 26 11:52:20 UTC 2015


On 08/22/2015 08:17 AM, Alexander Bokovoy wrote:
> On Fri, 21 Aug 2015, Endi Sukma Dewata wrote:
>> The ipa-kra-install tool has been modified to use password files
>> instead of clear text passwords when invoking pki tool such that
>> the passwords are no longer visible in ipaserver-kra-install.log.
>>
>> https://fedorahosted.org/freeipa/ticket/5246
>>
>> --
>> Endi S. Dewata
>
>> From 545de89d5b8992469335415d209b6f04be6918ed Mon Sep 17 00:00:00 2001
>> From: "Endi S. Dewata" <edewata at redhat.com>
>> Date: Sat, 22 Aug 2015 01:14:16 +0200
>> Subject: [PATCH] Removed clear text passwords from KRA install log.
>>
>> The ipa-kra-install tool has been modified to use password files
>> instead of clear text passwords when invoking pki tool such that
>> the passwords are no longer visible in ipaserver-kra-install.log.
>>
>> https://fedorahosted.org/freeipa/ticket/5246
>> ---
>> ipaplatform/base/paths.py        |  2 ++
>> ipaserver/install/krainstance.py | 16 ++++++++--------
>> 2 files changed, 10 insertions(+), 8 deletions(-)
>>
>> diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
>> index
>> 0dd3c7fda3020264a1ace8f2d13557cfddf18c2d..5c8f25d6ef85fab2b9b30a660cd1c0360dbe9931
>> 100644
>> --- a/ipaplatform/base/paths.py
>> +++ b/ipaplatform/base/paths.py
>> @@ -343,6 +343,8 @@ class BasePathNamespace(object):
>>     SLAPD_INSTANCE_SOCKET_TEMPLATE = "/var/run/slapd-%s.socket"
>>     ALL_SLAPD_INSTANCE_SOCKETS = "/var/run/slapd-*.socket"
>>     ADMIN_CERT_PATH = '/root/.dogtag/pki-tomcat/ca_admin.cert'
>> +    KRA_NSSDB_PASSWORD_FILE =
>> "/root/.dogtag/pki-tomcat/kra/password.conf"
>> +    KRA_PKCS12_PASSWORD_FILE =
>> "/root/.dogtag/pki-tomcat/kra/pkcs12_password.conf"
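Review bot: the two new constants carry no comment saying who creates these files and when; the thread records that pki-spawn writes them while setting up the security databases and that only one of the two exists depending on whether the NSS database is in software or on an HSM, so a one-line comment above `KRA_NSSDB_PASSWORD_FILE` stating that would spare the next reader a trip to the mailing list. Since both files hold clear-text secrets, the code in krainstance.py that consumes these paths should also check that the file exists and is root-owned with mode 0600 before handing it to the pki tool, and fail with a clear message rather than passing a missing path through.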
> ACK.

Pushed to:
master: 8676364ae8260a5894b0b0c2af8e81b10aeaba6b
ipa-4-2: 4e474c5a20b91d4eed75f514f801b40f1f291e65

>
> For the record, these files are created by pki-spawn early in the
> creation of security databases for CA deployment. The second file isn't
> created
> if CA is deployed with HSM option (the databases are in hardware then) but
> then the first one is created for HSM and thus both of them are in use.
>
> We don't support deployment with HSM backend yet, but the code covers
> both cases.
>
> In future it would be good to actually source these values from
> /etc/pki/default.cfg:
>
>   pki_client_password_conf=%(pki_client_subsystem_dir)s/password.conf
>   pki_client_pkcs12_password_conf=%(pki_client_subsystem_dir)s/pkcs12_password.conf
> but right now this would mean needing to use dogtag's Python helpers from
> pki.server.deployment.pkiparser.PKIConfigParser.read_pki_configuration_file()
> to do
> actual sourcing of the config file but right now PKIConfigParser use
> assumes it is actually parsing the command line options/arguments before
> using its methods:
>>>> from pki.server.deployment.pkiparser import PKIConfigParser
>>>> cfg = PKIConfigParser('IPA CA', '')
>>>> cfg.init_config()
> Traceback (most recent call last):
>   File "<stdin>", line 1, in <module>
>   File
> "/usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.py",
> line 196, in init_config
>     'pki_subsystem_type': config.pki_subsystem.lower(),
> AttributeError: 'NoneType' object has no attribute 'lower'
>>>>
>
-- 
Petr Vobornik

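As an added illustration (not code from the patch or from FreeIPA) of why the change above matters: an installer logs every command line it runs, so a secret passed as an argument lands in ipaserver-kra-install.log, while the path of a 0600 password file does not. The pki tool is replaced here by a `sh` stand-in, and the `pkcs12_password.conf` name under a temporary directory is an assumption in place of /root/.dogtag/pki-tomcat/kra.

```python
import logging
import os
import shutil
import subprocess
import tempfile

log = logging.getLogger("kra-install-example")


def write_password_file(directory, password):
    """Create a password file readable only by its owner and return its path.

    O_EXCL refuses a pre-existing path (e.g. a planted symlink) and the 0600
    mode is applied at creation, so the secret is never briefly world-readable.
    """
    path = os.path.join(directory, "pkcs12_password.conf")  # constructed name
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(password + "\n")
    return path


def log_command(args):
    """Log the command line the way an installer does and return that string."""
    logged = " ".join(args)
    log.info("Executing: %s", logged)
    return logged


def install_kra_demo(password, use_password_file=True):
    """Run a stand-in for the pki tool and return (logged_command, file_mode).

    With use_password_file=False the secret itself becomes an argument, which
    is exactly what ends up in the install log (the behaviour the patch fixes).
    """
    workdir = tempfile.mkdtemp()  # stands in for /root/.dogtag/pki-tomcat/kra
    try:
        if use_password_file:
            pwfile = write_password_file(workdir, password)
            mode = os.stat(pwfile).st_mode & 0o777
            # Stand-in tool: succeeds only if the password file is non-empty.
            args = ["sh", "-c", 'test -s "$1"', "pki-stand-in", pwfile]
        else:
            mode = None
            # Stand-in tool that takes the secret on its command line.
            args = ["sh", "-c", 'test -n "$1"', "pki-stand-in", password]
        logged = log_command(args)
        subprocess.check_call(args)
    finally:
        shutil.rmtree(workdir)
    return logged, mode
```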