On Fri, 2013-03-22 at 09:19 +0100, Martin Kosek wrote:
> On 03/21/2013 05:39 PM, Petr Viktorin wrote:
> > [...]
> > 
> > another thing: When drafting the feature page, I realized the
> > --{http,dirsrv}_pin options are unfortunate. Giving the passwords in command
> > line options is unsafe.
> > 
> > I'd like to replace them with --{http,dirsrv}-pin-file, with prompting if
> > they're not given.
> > 
> 
> How is that different from -p DM_PASSWORD and -a ADMIN_PASSWORD? They also
> cannot be read from file. I think these options would cause inconsistency with
> the rest of our password options in ipa-{server,client,replica}-install. It
> also seems an inconvenience to me, as you need to prepare this artificial file
> before running ipa-server-install...
> 
> I think it would be better to address this consistently in the future with
> a configuration file instead of options, something like pkispawn uses.

Ack, I would defer securing the command line by introducing the ability
to pass in a configuration file.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
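
An added illustration of the `--{http,dirsrv}-pin-file` idea with prompting as a fallback, as proposed in the quoted message above. This is not FreeIPA code and not written by anyone in this thread; the function names and the file-permission check are assumptions made for the example.

```python
import argparse
import getpass
import os
import stat


def parse_args(argv):
    # Only file paths appear on the command line, never the PIN itself,
    # so nothing secret is exposed through the process argument list.
    parser = argparse.ArgumentParser()
    parser.add_argument("--http-pin-file")
    parser.add_argument("--dirsrv-pin-file")
    return parser.parse_args(argv)


def read_pin_file(path):
    """Return the first line of path, refusing group/other-accessible files."""
    with open(path, "r") as f:
        # fstat on the open descriptor, so the check applies to the file
        # actually being read and not to whatever the path names later.
        mode = os.fstat(f.fileno()).st_mode
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(
                "%s must not be accessible by group or others" % path)
        return f.readline().rstrip("\r\n")


def resolve_pin(pin_file, label, prompt=getpass.getpass):
    """Use the PIN file if one was given, otherwise prompt without echo."""
    if pin_file is not None:
        return read_pin_file(pin_file)
    return prompt("%s PIN: " % label)


if __name__ == "__main__":
    import sys
    args = parse_args(sys.argv[1:])
    http_pin = resolve_pin(args.http_pin_file, "HTTP")
    dirsrv_pin = resolve_pin(args.dirsrv_pin_file, "Directory Server")
    # The PINs are held in memory only; this demo does not print them.
    print("PINs collected for HTTP and Directory Server certificates")
```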
