On 10/01/2014 05:44 AM, Yiorgos Stamoulis wrote:
Or you can use OTPs. The OTPs were actually invented for exactly this
use case. You register host and generate OTP at that time. Then you pass
it to your enrollment script and it is used once.
On 01/10/14 08:19, Les Stott wrote:
I am using freeipa in a rhel6 environment with ipa-3.0.0-37.el6 client.
I am working on doing an unattended ipa client installation. I have
it working with the following....
/usr/sbin/ipa-client-install -p admin -w <admin_password> -U --no-ntp
While this works, while it runs the <admin_password> value is
visible in the output of a ps -ef command on the host when
installing the ipa client.
# ps -ef |grep ipa
root 30284 30283 43 03:31 ? 00:00:01 /usr/bin/python -E
/usr/sbin/ipa-client-install -p admin -w <plain_text_password> -U
This represents a challenge to security, even though it's only minor
(as in it's only there for a minute or so), but it's still there and it
is the admin password.
Can ipa-client-install be updated to include a parameter to retrieve
the admin password from a file? i.e.
/usr/bin/python -E /usr/sbin/ipa-client-install -p admin --from-file
/tmp/credentials -U --no-ntp
That would then protect the admin password.
I am not familiar with python coding.
Thanks in advance,
In addition to the answers you have already received, you can create a
user with the 'host enrollment' permission only, so even if the
credentials are compromised the damage is minimized.
I am using this on 4.0.3 but looking at an older installation the same
seems available in 3.0 too.
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
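The two mitigations suggested in the thread, a single-use OTP per host and a dedicated enrollment-only account, put together as an added example (not code from any of the posters). The role name "enrollers", the user "enroll-bot", the host name and the sample ipa host-add output are all constructed; "Host Enrollment" is the name of IPA's built-in privilege for this purpose.

```shell
#!/bin/sh
# Added example, not from the thread: OTP enrollment with a least-privilege
# enroller account. Names below are assumptions for illustration.

# --- On the IPA server, as an administrator ---
# A dedicated account whose only privilege is "Host Enrollment": a leaked
# credential for it cannot manage users, groups or policy.
create_enroller_role() {
    ipa role-add enrollers --desc="Unattended host enrollment only"
    ipa role-add-privilege enrollers --privileges="Host Enrollment"
    ipa role-add-member enrollers --users=enroll-bot
}

# Register the host ahead of time; --random makes IPA mint a single-use
# enrollment password bound to this host entry.
register_host() {
    ipa host-add "$1" --random
}

# Pull the OTP out of the human-readable `ipa host-add --random` output.
parse_otp() {
    sed -n 's/^ *Random password: *//p'
}

# Constructed sample of what `ipa host-add client1.example.com --random`
# prints (not captured from a real server).
SAMPLE_OUTPUT='Added host "client1.example.com"
  Host name: client1.example.com
  Random password: 9D8Vwp7hSLhkCjRF
  Password: True
  Keytab: False'

otp_from_sample() {
    printf '%s\n' "$SAMPLE_OUTPUT" | parse_otp
}

# --- On the client ---
# The value in argv is now a per-host, one-time secret consumed by this
# run: anything read from ps during the install is useless afterwards,
# and no admin principal is involved at all.
enroll_client() {
    ipa-client-install --password "$1" --unattended --no-ntp
}

otp_from_sample
```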
Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project