On Fri, 2013-03-22 at 09:19 +0100, Martin Kosek wrote:
> On 03/21/2013 05:39 PM, Petr Viktorin wrote:
> > [...]
> >
> > another thing: When drafting the feature page, I realized the
> > --{http,dirsrv}_pin options are unfortunate. Giving the passwords in command
> > line options is unsafe.
> >
> > I'd like to replace them with --{http,dirsrv}-pin-file, with prompting if
> > they're not given.
> >
>
> How is that different from -p DM_PASSWORD and -a ADMIN_PASSWORD? They also
> cannot be read from file. I think these options would cause inconsistency with
> the rest of our password options in ipa-{server,client,replica}-install. It
> also seems like an inconvenience to me as you need to prepare this artificial file
> before running ipa-server-install...
>
> I think it would be better to address this consistently in the future with
> a configuration file instead of options, something like pkispawn uses.

Ack, I would defer securing the command line by introducing the ability to pass in a configuration file.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
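
The behaviour Petr proposes in the quoted text (a `--{http,dirsrv}-pin-file` option, with a prompt when it is not given), as an added Python example that is not FreeIPA code and was not posted in this thread. The file-permission check, the function names and the `demo-install` program name are assumptions made for illustration.

```python
import argparse
import getpass
import os
import stat


def read_pin_file(path):
    """Return the PIN stored in path, refusing files other users can access."""
    fd = os.open(path, os.O_RDONLY)
    with os.fdopen(fd, "r") as f:
        # fstat the descriptor we opened, so the check and the read
        # apply to the same file even if the path is swapped meanwhile.
        mode = os.fstat(f.fileno()).st_mode
        if not stat.S_ISREG(mode):
            raise ValueError(f"{path}: not a regular file")
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise ValueError(f"{path}: accessible by group/others (use mode 0600)")
        pin = f.readline().rstrip("\r\n")
    if not pin:
        raise ValueError(f"{path}: empty PIN")
    return pin


def resolve_pin(pin_file, label, prompt=getpass.getpass):
    """Use the PIN file when one was given, otherwise prompt without echo."""
    if pin_file is not None:
        return read_pin_file(pin_file)
    return prompt(f"Enter {label} PIN: ")


def build_parser():
    # Only file paths appear in argv; unlike a secret passed as an option
    # value, they reveal nothing when other local users list processes.
    p = argparse.ArgumentParser(prog="demo-install")  # hypothetical name
    p.add_argument("--http-pin-file", metavar="FILE")
    p.add_argument("--dirsrv-pin-file", metavar="FILE")
    return p


if __name__ == "__main__":
    args = build_parser().parse_args()
    http_pin = resolve_pin(args.http_pin_file, "HTTP")
    dirsrv_pin = resolve_pin(args.dirsrv_pin_file, "Directory Server")
    print("PINs loaded (values not printed)")
```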