Martin Kosek wrote:
On Thu, 2011-09-22 at 11:55 -0400, Rob Crittenden wrote:
Obfuscate the one-time password in the client installer log.
rob
NACK. You missed a case when OTP is interactively prompted (-W parameter
is passed).
Martin
Nice catch, updated patch
rob
From b0a9c855899dea0b6ebaa75543093d76d7c41129 Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com
Date: Thu, 22 Sep 2011 11:52:58 -0400
Subject: [PATCH] Don't log one-time password in logs when configuring client.
https://fedorahosted.org/freeipa/ticket/1801
---
ipa-client/ipa-install/ipa-client-install |9 +
1 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 44c2f5fbc40c9f3a6d5f4378d91e048b63bf0e7a..eab35674a40f309f59034d6962457b3f5a225d8b 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -23,17 +23,15 @@ try:
import sys
import os
-import stat
import time
import socket
import logging
import tempfile
import getpass
-import re
from ipaclient import ipadiscovery
import ipaclient.ipachangeconf
import ipaclient.ntpconf
-from ipapython.ipautil import run, user_input, CalledProcessError, file_exists, install_file
+from ipapython.ipautil import run, user_input, CalledProcessError, file_exists
import ipapython.services as ipaservices
from ipapython import ipautil
from ipapython import dnsclient
@@ -888,6 +886,7 @@ def install(options, env, fstore, statestore):
return CLIENT_INSTALL_ERROR
if not options.on_master:
+nolog = tuple()
# First test out the kerberos configuration
try:
(krb_fd, krb_name) = tempfile.mkstemp()
@@ -929,9 +928,11 @@ def install(options, env, fstore, statestore):
print stdout
return CLIENT_INSTALL_ERROR
elif options.password:
+nolog = (options.password,)
join_args.append(-w)
join_args.append(options.password)
elif options.prompt_password:
+nolog = (options.password,)
if options.unattended:
print Password must be provided in non-interactive mode
return CLIENT_INSTALL_ERROR
@@ -940,7 +941,7 @@ def install(options, env, fstore, statestore):
join_args.append(password)
# Now join the domain
-(stdout, stderr, returncode) = run(join_args, raiseonerr=False, env=env)
+(stdout, stderr, returncode) = run(join_args, raiseonerr=False, env=env, nolog=nolog)
if returncode != 0:
print sys.stderr, Joining realm failed: %s % stderr,
--
1.7.6
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel