On 01/10/14 08:19, Les Stott wrote:
>
> Hi,
>
>  
>
> I am using freeipa in a rhel6 environment with ipa-3.0.0-37.el6 client.
>
>  
>
> I am working on doing an unattended ipa client installation. I have it
> working with the following….
>
>  
>
> /usr/sbin/ipa-client-install -p admin -w <admin_password> -U --no-ntp
>
>  
>
> While this works, while it runs, the <admin_password> value is visable
> in the output of a ps –ef command on the host when installing the ipa
> client.
>
>  
>
> # ps -ef |grep ipa
>
> root     30284 30283 43 03:31 ?        00:00:01 /usr/bin/python -E
> /usr/sbin/ipa-client-install -p admin -w <plain_text_password> -U --no-ntp
>
>  
>
> This represents a challenge to security, even though its only minor
> (as in its only there for a minute or so), but its still there and it
> is the admin password.
>
>  
>
> Can  ipa-client-install be updated to include a parameter to retrieve
> the admin password from a file? i.e.
>
>  
>
> /usr/bin/python -E /usr/sbin/ipa-client-install -p admin –from-file
> /tmp/credentials -U --no-ntp
>
>  
>
> That would then protect the admin password.
>
>  
>
> I am not familiar with python coding.
>
>  
>
> Thanks in advance,
>
>  
>
> Les
>
>
>
Hi Les,

in addition to the answers you have already received, you can create a
user with the 'host enrollment' permission only, so even if the
credentials are compromised the damage is minimized.

I am using this on 4.0.3 but looking at an older installation the same
seems available in 3.0 too.

Best Regards

Yiorgos
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to