On 08/22/2015 08:17 AM, Alexander Bokovoy wrote:
On Fri, 21 Aug 2015, Endi Sukma Dewata wrote:
The ipa-kra-install tool has been modified to use password files
instead of clear text passwords when invoking pki tool such that
the passwords are no longer visible in ipaserver-kra-install.log.

https://fedorahosted.org/freeipa/ticket/5246

--
Endi S. Dewata

From 545de89d5b8992469335415d209b6f04be6918ed Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edew...@redhat.com>
Date: Sat, 22 Aug 2015 01:14:16 +0200
Subject: [PATCH] Removed clear text passwords from KRA install log.

The ipa-kra-install tool has been modified to use password files
instead of clear text passwords when invoking pki tool such that
the passwords are no longer visible in ipaserver-kra-install.log.

https://fedorahosted.org/freeipa/ticket/5246
---
ipaplatform/base/paths.py        |  2 ++
ipaserver/install/krainstance.py | 16 ++++++++--------
2 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index
0dd3c7fda3020264a1ace8f2d13557cfddf18c2d..5c8f25d6ef85fab2b9b30a660cd1c0360dbe9931
100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -343,6 +343,8 @@ class BasePathNamespace(object):
    SLAPD_INSTANCE_SOCKET_TEMPLATE = "/var/run/slapd-%s.socket"
    ALL_SLAPD_INSTANCE_SOCKETS = "/var/run/slapd-*.socket"
    ADMIN_CERT_PATH = '/root/.dogtag/pki-tomcat/ca_admin.cert'
+    KRA_NSSDB_PASSWORD_FILE =
"/root/.dogtag/pki-tomcat/kra/password.conf"
+    KRA_PKCS12_PASSWORD_FILE =
"/root/.dogtag/pki-tomcat/kra/pkcs12_password.conf"
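Review bot: the two new constants hard-code the Dogtag client subsystem directory (/root/.dogtag/pki-tomcat/kra) instead of deriving it from the pki_client_password_conf and pki_client_pkcs12_password_conf keys in /etc/pki/default.cfg, so they will silently go stale if pki_client_subsystem_dir ever changes; at minimum add a comment next to KRA_NSSDB_PASSWORD_FILE and KRA_PKCS12_PASSWORD_FILE naming the default.cfg keys they mirror. Since pkispawn does not create pkcs12_password.conf for an HSM deployment, the krainstance.py code that consumes KRA_PKCS12_PASSWORD_FILE (that hunk is not shown here) should also tolerate the file being absent rather than failing the install.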
ACK.

Pushed to:
master: 8676364ae8260a5894b0b0c2af8e81b10aeaba6b
ipa-4-2: 4e474c5a20b91d4eed75f514f801b40f1f291e65


For the record, these files are created by pki-spawn early in the
creation of security databases for CA deployment. The second file isn't
created if CA is deployed with HSM option (the databases are in hardware
then) but then the first one is created for HSM and thus both of them are
in use.

We don't support deployment with HSM backend yet, but the code covers
both cases.

In future it would be good to actually source these values from
/etc/pki/default.cfg:

  pki_client_password_conf=%(pki_client_subsystem_dir)s/password.conf
  pki_client_pkcs12_password_conf=%(pki_client_subsystem_dir)s/pkcs12_password.conf
but right now this would mean a need to use dogtag's Python helpers from
pki.server.deployment.pkiparser.PKIConfigParser.read_pki_configuration_file()
to do the actual sourcing of the config file, and right now PKIConfigParser
usage assumes it is actually parsing the command line options/arguments
before using its methods:
from pki.server.deployment.pkiparser import PKIConfigParser
cfg = PKIConfigParser('IPA CA', '')
cfg.init_config()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.py", line 196, in init_config
    'pki_subsystem_type': config.pki_subsystem.lower(),
AttributeError: 'NoneType' object has no attribute 'lower'


--
Petr Vobornik
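As an added illustration of the idea discussed above (this is not code from the thread, FreeIPA or Dogtag): the two password-file paths can be resolved from a default.cfg-style file with plain configparser %(name)s interpolation, without going through PKIConfigParser, and the existence check can treat the PKCS#12 file as optional for the HSM case. The sample config text is constructed and its key layout is an assumption.

```python
import configparser
import os

# Constructed sample in the style of /etc/pki/default.cfg (not the real file);
# the section/key layout is an assumption for this illustration.
SAMPLE_DEFAULT_CFG = """\
[DEFAULT]
home_dir = /root
pki_instance_name = pki-tomcat
pki_client_dir = %(home_dir)s/.dogtag/%(pki_instance_name)s
pki_client_subsystem_dir = %(pki_client_dir)s/%(pki_subsystem_type)s
pki_client_password_conf = %(pki_client_subsystem_dir)s/password.conf
pki_client_pkcs12_password_conf = %(pki_client_subsystem_dir)s/pkcs12_password.conf

[KRA]
pki_subsystem_type = kra
"""


def password_file_paths(cfg_text, subsystem):
    """Resolve (nssdb_password_file, pkcs12_password_file) for one subsystem.

    BasicInterpolation walks the %(name)s chain, so pki_subsystem_type from the
    subsystem section feeds pki_client_subsystem_dir defined in DEFAULT.
    """
    parser = configparser.ConfigParser(interpolation=configparser.BasicInterpolation())
    parser.read_string(cfg_text)
    section = parser[subsystem.upper()]
    return (section["pki_client_password.conf".replace(".", "_")],
            section["pki_client_pkcs12_password_conf"])


def check_password_files(nssdb_file, pkcs12_file, hsm=False):
    """Pre-flight check mirroring the two deployment cases from the thread.

    The NSS DB password file is always required; the PKCS#12 password file is
    only created for software-token deployments, so it is optional with an HSM.
    Returns a list of problem strings; an empty list means the files are usable.
    """
    problems = []
    required = [nssdb_file] if hsm else [nssdb_file, pkcs12_file]
    for path in required:
        if not os.path.isfile(path):
            problems.append("missing: %s" % path)
            continue
        mode = os.stat(path).st_mode & 0o777
        if mode & 0o077:  # password files should not be group/world readable
            problems.append("too permissive (%o): %s" % (mode, path))
    return problems
```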
