Re: [Freeipa-devel] [PATCH] 881 don't log OTP in client install log

2011-09-23 Thread Martin Kosek
On Thu, 2011-09-22 at 11:55 -0400, Rob Crittenden wrote:
> Obfuscate the one-time password in the client installer log.
>
> rob

NACK. You missed a case when OTP is interactively prompted (-W parameter
is passed).

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 881 don't log OTP in client install log

2011-09-23 Thread Rob Crittenden

Martin Kosek wrote:

> On Thu, 2011-09-22 at 11:55 -0400, Rob Crittenden wrote:
>> Obfuscate the one-time password in the client installer log.
>>
>> rob
>
> NACK. You missed a case when OTP is interactively prompted (-W parameter
> is passed).
>
> Martin

Nice catch, updated patch

rob
From b0a9c855899dea0b6ebaa75543093d76d7c41129 Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com
Date: Thu, 22 Sep 2011 11:52:58 -0400
Subject: [PATCH] Don't log one-time password in logs when configuring client.

https://fedorahosted.org/freeipa/ticket/1801
---
 ipa-client/ipa-install/ipa-client-install |9 +
 1 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 44c2f5fbc40c9f3a6d5f4378d91e048b63bf0e7a..eab35674a40f309f59034d6962457b3f5a225d8b 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -23,17 +23,15 @@ try:
 import sys
 
 import os
-import stat
 import time
 import socket
 import logging
 import tempfile
 import getpass
-import re
 from ipaclient import ipadiscovery
 import ipaclient.ipachangeconf
 import ipaclient.ntpconf
-from ipapython.ipautil import run, user_input, CalledProcessError, file_exists, install_file
+from ipapython.ipautil import run, user_input, CalledProcessError, file_exists
 import ipapython.services as ipaservices
 from ipapython import ipautil
 from ipapython import dnsclient
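Review bot: Dropping the unused `stat` and `re` imports and the unused `install_file` name is unrelated cleanup; it is fine to remove dead imports, but the commit message only describes the OTP logging fix, so either mention the cleanup there or split it into its own patch so the logging fix stays a minimal, easily backported change.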
@@ -888,6 +886,7 @@ def install(options, env, fstore, statestore):
 return CLIENT_INSTALL_ERROR
 
 if not options.on_master:
+nolog = tuple()
 # First test out the kerberos configuration
 try:
 (krb_fd, krb_name) = tempfile.mkstemp()
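Review bot: `nolog = tuple()` carries no comment, and its purpose only becomes clear two hunks later; add a one-line note that it collects argument values `run()` must redact from the install log. Initialising it to an empty tuple here is the right default, since every later path either leaves it empty or replaces it with the password.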
@@ -929,9 +928,11 @@ def install(options, env, fstore, statestore):
 print stdout
 return CLIENT_INSTALL_ERROR
 elif options.password:
+nolog = (options.password,)
 join_args.append(-w)
 join_args.append(options.password)
 elif options.prompt_password:
+nolog = (options.password,)
 if options.unattended:
 print Password must be provided in non-interactive mode
 return CLIENT_INSTALL_ERROR
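Review bot: In the `elif options.prompt_password:` branch, `nolog = (options.password,)` redacts the wrong value. With `-W` the password is not in the option (it is empty here); it is read interactively into the local `password` that the next hunk passes as `join_args.append(password)`, so the prompted OTP still reaches the log. Set `nolog = (password,)` after the prompt, right beside `join_args.append(password)`.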
@@ -940,7 +941,7 @@ def install(options, env, fstore, statestore):
 join_args.append(password)
 
 # Now join the domain
-(stdout, stderr, returncode) = run(join_args, raiseonerr=False, env=env)
+(stdout, stderr, returncode) = run(join_args, raiseonerr=False, env=env, nolog=nolog)
 
 if returncode != 0:
 print sys.stderr, Joining realm failed: %s % stderr,
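Review bot: `nolog` is bound only inside the `if not options.on_master:` block introduced in the hunk at line 886; confirm this `run(join_args, ..., nolog=nolog)` call sits in that same block, otherwise the on-master path raises NameError. Worth one run of the no-password path as well, to check that an empty `nolog` tuple leaves `run()` behaving exactly as before.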
-- 
1.7.6


Re: [Freeipa-devel] [PATCH] 881 don't log OTP in client install log

2011-09-23 Thread Martin Kosek
On Fri, 2011-09-23 at 09:07 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
>> On Thu, 2011-09-22 at 11:55 -0400, Rob Crittenden wrote:
>>> Obfuscate the one-time password in the client installer log.
>>>
>>> rob
>>
>> NACK. You missed a case when OTP is interactively prompted (-W parameter
>> is passed).
>>
>> Martin
>
> Nice catch, updated patch
>
> rob

Umh, nice try. I think you wanted to read nolog password from
getpass.getpass output and not options.password.

Martin
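
The nolog mechanism the patch relies on, as an added example that is not FreeIPA's own code: a hypothetical stand-in for ipautil.run() that redacts every value in nolog from the logged command line, plus a helper mirroring both password paths from the patch, where the -W path takes the redaction value from the prompt result as Martin's review asks. The names `redacted_argv`, `build_join_args`, `MASK` and the `prompt` callback are assumptions, and the sample option values are constructed.

```python
import logging
import subprocess
from types import SimpleNamespace

log = logging.getLogger("ipa-client-install")
MASK = "XXXXXXXX"


def redacted_argv(args, nolog=()):
    """Copy of the argument list that is safe to write to the install log."""
    secrets = [s for s in nolog if s]  # skip None/"" so an unset option masks nothing
    out = []
    for arg in args:
        for secret in secrets:
            arg = arg.replace(secret, MASK)
        out.append(arg)
    return out


def run(args, nolog=(), raiseonerr=True):
    """Hypothetical stand-in for ipautil.run(): log the redacted argv, run the real one."""
    log.info("args=%s", " ".join(redacted_argv(args, nolog)))
    proc = subprocess.run(args, capture_output=True, text=True)
    if raiseonerr and proc.returncode != 0:
        raise subprocess.CalledProcessError(proc.returncode, args)
    return proc.stdout, proc.stderr, proc.returncode


def build_join_args(options, prompt):
    """Both password paths from the patch (-w via options.password, -W via prompt); returns (join_args, nolog)."""
    join_args = ["ipa-join"]
    nolog = tuple()  # values run() must redact from the log; empty when no password is used
    if options.password:
        nolog = (options.password,)
        join_args += ["-w", options.password]
    elif options.prompt_password:
        password = prompt("Password: ")  # stands in for getpass.getpass()
        # Redact the prompted value: options.password is None on this path,
        # which is exactly the slip the review caught.
        nolog = (password,)
        join_args += ["-w", password]
    return join_args, nolog


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    opts = SimpleNamespace(password=None, prompt_password=True)  # constructed: -W given
    args, nolog = build_join_args(opts, prompt=lambda _: "otp-1234")
    print(redacted_argv(args, nolog))  # ['ipa-join', '-w', 'XXXXXXXX']
```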
