https://fedorahosted.org/freeipa/ticket/1948
Honza -- Jan Cholasta
>From aa87082562cfa6482bfc30c2f937e3adf947855a Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Tue, 11 Oct 2011 18:44:33 +0200
Subject: [PATCH] Don't leak passwords through kdb5_ldap_util command line arguments.

ticket 1948
---
 ipaserver/install/krbinstance.py | 12 ++++++++++--
 1 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 513dc55..40d2e83 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -336,9 +336,17 @@ class KrbInstance(service.Service):
         if not replica:
             #populate the directory with the realm structure
-            args = ["kdb5_ldap_util", "-D", "uid=kdc,cn=sysaccounts,cn=etc,"+self.suffix, "-w", self.kdc_password, "create", "-s", "-P", self.master_password, "-r", self.realm, "-subtrees", self.suffix, "-sscope", "sub"]
+            args = ["kdb5_ldap_util", "-D", "uid=kdc,cn=sysaccounts,cn=etc,"+self.suffix, "create", "-s", "-r", self.realm, "-subtrees", self.suffix, "-sscope", "sub"]
+            dialogue = (
+                # Password for "uid=kdc,cn=sysaccounts,cn=etc,...":
+                self.kdc_password + '\n',
+                # Enter KDC database master key:
+                self.master_password + '\n',
+                # Re-enter KDC database master key to verify:
+                self.master_password + '\n',
+            )
             try:
-                ipautil.run(args, nolog=(self.kdc_password, self.master_password))
+                ipautil.run(args, nolog=(self.kdc_password, self.master_password), stdin=''.join(dialogue))
             except ipautil.CalledProcessError, e:
                 print "Failed to populate the realm structure in kerberos", e
-- 
1.7.7
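Review bot: The stdin dialogue relies on kdb5_ldap_util prompting for exactly three secrets in a fixed order (bind password, master key, re-enter); if any prompt is skipped or reordered the wrong secret is consumed, and the resulting CalledProcessError is only printed by the existing handler before the installer carries on. Worth stating that assumption where it is relied upon, e.g. `# Order must match kdb5_ldap_util's interactive prompts; a mismatch sends the wrong secret and create fails.`, and consider re-raising rather than printing, since the handler is pre-existing but this change adds a new way to reach it. Moving the secrets off argv does keep them out of /proc/*/cmdline and `ps`, but both still reach kdb5_ldap_util's LDAP simple bind, whose transport is not visible in this hunk — confirm it uses ldapi or TLS. The enclosing method begins outside the hunk.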