Re: [Freeipa-users] can ipa-client-install be updated to call username/password from a file?

2014-10-02 Thread Les Stott
FYI...

I used OTP for this. Works a treat!

Thanks again Dmitri.

Regards,

Les

From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Les Stott
Sent: Thursday, 2 October 2014 8:21 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] can ipa-client-install be updated to call 
username/password from a file?

Thanks to Dmitri, Petr, Tamas and Yiorgos for all your suggestions.

I will try them out today.

Regards,

Les

From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
Sent: Thursday, 2 October 2014 3:09 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] can ipa-client-install be updated to call 
username/password from a file?

On 10/01/2014 05:44 AM, Yiorgos Stamoulis wrote:

On 01/10/14 08:19, Les Stott wrote:
Hi,

I am using freeipa in a rhel6 environment with ipa-3.0.0-37.el6 client.

I am working on doing an unattended ipa client installation. I have it working 
with the following:

/usr/sbin/ipa-client-install -p admin -w admin_password -U --no-ntp

While this works, while it runs, the admin_password value is visible in the 
output of a ps -ef command on the host when installing the ipa client.

# ps -ef |grep ipa
root 30284 30283 43 03:31 ? 00:00:01 /usr/bin/python -E 
/usr/sbin/ipa-client-install -p admin -w plain_text_password -U --no-ntp

This represents a challenge to security, even though it's only minor (as in it's 
only there for a minute or so), but it's still there and it is the admin 
password.

Can ipa-client-install be updated to include a parameter to retrieve the admin 
password from a file? i.e.

/usr/bin/python -E /usr/sbin/ipa-client-install -p admin --from-file 
/tmp/credentials -U --no-ntp

That would then protect the admin password.

I am not familiar with python coding.

Thanks in advance,

Les

Hi Les,

in addition to the answers you have already received, you can create a user 
with the 'host enrollment' permission only, so even if the credentials are 
compromised the damage is minimized.

I am using this on 4.0.3 but looking at an older installation the same seems 
available in 3.0 too.

Best Regards

Yiorgos
Or you can use OTPs. The OTPs were actually invented for exactly this use case. 
You register host and generate OTP at that time. Then you pass it to your 
enrollment script and it is used once.


--

Thank you,

Dmitri Pal



Sr. Engineering Manager IdM portfolio

Red Hat, Inc.
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

[Freeipa-users] can ipa-client-install be updated to call username/password from a file?

2014-10-01 Thread Les Stott
Hi,

I am using freeipa in a rhel6 environment with ipa-3.0.0-37.el6 client.

I am working on doing an unattended ipa client installation. I have it working 
with the following:

/usr/sbin/ipa-client-install -p admin -w admin_password -U --no-ntp

While this works, while it runs, the admin_password value is visible in the 
output of a ps -ef command on the host when installing the ipa client.

# ps -ef |grep ipa
root 30284 30283 43 03:31 ? 00:00:01 /usr/bin/python -E 
/usr/sbin/ipa-client-install -p admin -w plain_text_password -U --no-ntp

This represents a challenge to security, even though it's only minor (as in it's 
only there for a minute or so), but it's still there and it is the admin 
password.

Can ipa-client-install be updated to include a parameter to retrieve the admin 
password from a file? i.e.

/usr/bin/python -E /usr/sbin/ipa-client-install -p admin --from-file 
/tmp/credentials -U --no-ntp

That would then protect the admin password.

I am not familiar with python coding.

Thanks in advance,

Les

Re: [Freeipa-users] can ipa-client-install be updated to call username/password from a file?

2014-10-01 Thread Tamas Papp


On 10/01/2014 10:19 AM, Les Stott wrote:


Hi,

I am using freeipa in a rhel6 environment with ipa-3.0.0-37.el6 client.

I am working on doing an unattended ipa client installation. I have it 
working with the following:

/usr/sbin/ipa-client-install -p admin -w admin_password -U --no-ntp

While this works, while it runs, the admin_password value is visible 
in the output of a ps -ef command on the host when installing the ipa 
client.

# ps -ef |grep ipa

root 30284 30283 43 03:31 ? 00:00:01 /usr/bin/python -E 
/usr/sbin/ipa-client-install -p admin -w plain_text_password -U --no-ntp

This represents a challenge to security, even though it's only minor 
(as in it's only there for a minute or so), but it's still there and it 
is the admin password.

Can ipa-client-install be updated to include a parameter to retrieve 
the admin password from a file? i.e.

Try it with '-W  pwfile'.

t
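The exposure Les describes in the original question, and the "read it from a file" idea Tamas replies to, come down to one property of Unix: whatever a script reads a password from, once the value is placed in a child's argv it is readable by every local user through ps or /proc/<pid>/cmdline. The script below is an added example, not code from the thread or from FreeIPA. It spawns a throwaway python -c process as a stand-in for ipa-client-install, reads the child's command line the way ps -ef would, and contrasts the leaking pattern (-w value in argv) with two patterns that keep the secret out of argv: feeding it on stdin, and handing over only the path of a 0600 file. The secret, the option names (-p/-w/-W mirror ipa-client-install's; --password-file is hypothetical) and the stand-in child are all constructed for the demonstration.

```python
"""
Added example (not from the freeipa-users thread or the FreeIPA project).
Reproduces the ps -ef exposure of a password passed as an argv value and
shows two ways of passing a secret to a child that keep it out of argv.
"""
import os
import stat
import subprocess
import sys
import tempfile
from typing import Optional, Tuple

SECRET = "plain_text_password"   # constructed placeholder, never a real credential

# Stand-ins for the enrollment tool: each lingers so its argv can be inspected.
LINGER = "import time; time.sleep(30)"
LINGER_STDIN = "import sys, time; sys.stdin.readline(); time.sleep(30)"
LINGER_FILE = ("import sys, time; "
               "open(sys.argv[sys.argv.index('--password-file') + 1]).read(); "
               "time.sleep(30)")


def cmdline_as_seen_by_others(pid: int) -> str:
    """Return the command line of `pid` the way `ps -ef` shows it.

    On Linux /proc/<pid>/cmdline is world-readable, which is exactly why a
    `ps -ef` run by any local user reveals -w values. Elsewhere fall back to ps.
    """
    proc_path = f"/proc/{pid}/cmdline"
    if os.path.exists(proc_path):
        with open(proc_path, "rb") as f:
            return f.read().replace(b"\0", b" ").decode("utf-8", "replace")
    out = subprocess.run(["ps", "-p", str(pid), "-o", "args="],
                         capture_output=True, text=True, check=False)
    return out.stdout


def _spawn_and_inspect(argv, stdin_data: Optional[bytes] = None) -> str:
    """Start the child, read its command line while it runs, then kill it."""
    proc = subprocess.Popen(argv, stdin=subprocess.PIPE if stdin_data is not None else None)
    try:
        if stdin_data is not None:
            proc.stdin.write(stdin_data)
            proc.stdin.flush()
        # Popen returns only after the child has exec'd, so its argv is final here.
        return cmdline_as_seen_by_others(proc.pid)
    finally:
        proc.kill()
        if proc.stdin is not None:
            proc.stdin.close()
        proc.wait()


def secret_in_argv() -> str:
    """The pattern from the question: `-w <password>` on the command line.
    Reading the password from a file first changes nothing; it still lands in argv."""
    return _spawn_and_inspect([sys.executable, "-c", LINGER, "-p", "admin", "-w", SECRET])


def secret_on_stdin() -> str:
    """Feed the secret on stdin: argv shows the option flag, never the value.
    This only helps with a tool that actually reads its password from stdin or
    a prompt (ipa-client-install's -W prompts instead of taking a value)."""
    return _spawn_and_inspect([sys.executable, "-c", LINGER_STDIN, "-p", "admin", "-W"],
                              stdin_data=(SECRET + "\n").encode())


def secret_in_private_file() -> Tuple[str, int]:
    """The file approach from the question, done safely: created atomically with
    mode 0600 and removed as soon as the child has it, so a /tmp/credentials file
    is never left behind. Returns (cmdline, permission bits) for checking both."""
    fd, path = tempfile.mkstemp(prefix="enroll-")   # mkstemp creates the file 0600
    try:
        with os.fdopen(fd, "w") as f:
            f.write(SECRET + "\n")
        mode = stat.S_IMODE(os.stat(path).st_mode)
        cmdline = _spawn_and_inspect([sys.executable, "-c", LINGER_FILE,
                                      "-p", "admin", "--password-file", path])
        return cmdline, mode
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("secret visible with -w     :", SECRET in secret_in_argv())      # True
    print("secret visible via stdin   :", SECRET in secret_on_stdin())     # False
    cmdline, mode = secret_in_private_file()
    print("secret visible via 0600 file:", SECRET in cmdline, oct(mode))   # False 0o600
```

None of this changes what ipa-client-install itself accepts: a value given to -w is in argv however the wrapper script obtained it, and -W prompts rather than reading a file. That is why the OTP suggestion later in the thread is the better fix for this tool: a bulk-enrollment password generated with `ipa host-add <fqdn> --random` is single-use and bound to that one host, so its brief appearance in ps buys an attacker nothing once enrollment has consumed it, and nothing like the admin password is ever on the wire or on the host.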

Re: [Freeipa-users] can ipa-client-install be updated to call username/password from a file?

2014-10-01 Thread Yiorgos Stamoulis

On 01/10/14 08:19, Les Stott wrote:

 Hi,

 I am using freeipa in a rhel6 environment with ipa-3.0.0-37.el6 client.

 I am working on doing an unattended ipa client installation. I have it
 working with the following:

 /usr/sbin/ipa-client-install -p admin -w admin_password -U --no-ntp

 While this works, while it runs, the admin_password value is visible
 in the output of a ps -ef command on the host when installing the ipa
 client.

 # ps -ef |grep ipa

 root 30284 30283 43 03:31 ? 00:00:01 /usr/bin/python -E
 /usr/sbin/ipa-client-install -p admin -w plain_text_password -U --no-ntp

 This represents a challenge to security, even though it's only minor
 (as in it's only there for a minute or so), but it's still there and it
 is the admin password.

 Can ipa-client-install be updated to include a parameter to retrieve
 the admin password from a file? i.e.

 /usr/bin/python -E /usr/sbin/ipa-client-install -p admin --from-file
 /tmp/credentials -U --no-ntp

 That would then protect the admin password.

 I am not familiar with python coding.

 Thanks in advance,

 Les



Hi Les,

in addition to the answers you have already received, you can create a
user with the 'host enrollment' permission only, so even if the
credentials are compromised the damage is minimized.

I am using this on 4.0.3 but looking at an older installation the same
seems available in 3.0 too.

Best Regards

Yiorgos

Re: [Freeipa-users] can ipa-client-install be updated to call username/password from a file?

2014-10-01 Thread Dmitri Pal

On 10/01/2014 05:44 AM, Yiorgos Stamoulis wrote:


On 01/10/14 08:19, Les Stott wrote:


Hi,

I am using freeipa in a rhel6 environment with ipa-3.0.0-37.el6 client.

I am working on doing an unattended ipa client installation. I have 
it working with the following:

/usr/sbin/ipa-client-install -p admin -w admin_password -U --no-ntp

While this works, while it runs, the admin_password value is 
visible in the output of a ps -ef command on the host when 
installing the ipa client.

# ps -ef |grep ipa

root 30284 30283 43 03:31 ? 00:00:01 /usr/bin/python -E 
/usr/sbin/ipa-client-install -p admin -w plain_text_password -U 
--no-ntp

This represents a challenge to security, even though it's only minor 
(as in it's only there for a minute or so), but it's still there and it 
is the admin password.

Can ipa-client-install be updated to include a parameter to retrieve 
the admin password from a file? i.e.

/usr/bin/python -E /usr/sbin/ipa-client-install -p admin --from-file 
/tmp/credentials -U --no-ntp


That would then protect the admin password.

I am not familiar with python coding.

Thanks in advance,

Les




Hi Les,

in addition to the answers you have already received, you can create a 
user with the 'host enrollment' permission only, so even if the 
credentials are compromised the damage is minimized.


I am using this on 4.0.3 but looking at an older installation the same 
seems available in 3.0 too.


Best Regards

Yiorgos


Or you can use OTPs. The OTPs were actually invented for exactly this 
use case. You register host and generate OTP at that time. Then you pass 
it to your enrollment script and it is used once.


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


Re: [Freeipa-users] can ipa-client-install be updated to call username/password from a file?

2014-10-01 Thread Les Stott
Thanks to Dmitri, Petr, Tamas and Yiorgos for all your suggestions.

I will try them out today.

Regards,

Les

From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
Sent: Thursday, 2 October 2014 3:09 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] can ipa-client-install be updated to call 
username/password from a file?

On 10/01/2014 05:44 AM, Yiorgos Stamoulis wrote:

On 01/10/14 08:19, Les Stott wrote:
Hi,

I am using freeipa in a rhel6 environment with ipa-3.0.0-37.el6 client.

I am working on doing an unattended ipa client installation. I have it working 
with the following:

/usr/sbin/ipa-client-install -p admin -w admin_password -U --no-ntp

While this works, while it runs, the admin_password value is visible in the 
output of a ps -ef command on the host when installing the ipa client.

# ps -ef |grep ipa
root 30284 30283 43 03:31 ? 00:00:01 /usr/bin/python -E 
/usr/sbin/ipa-client-install -p admin -w plain_text_password -U --no-ntp

This represents a challenge to security, even though it's only minor (as in it's 
only there for a minute or so), but it's still there and it is the admin 
password.

Can ipa-client-install be updated to include a parameter to retrieve the admin 
password from a file? i.e.

/usr/bin/python -E /usr/sbin/ipa-client-install -p admin --from-file 
/tmp/credentials -U --no-ntp

That would then protect the admin password.

I am not familiar with python coding.

Thanks in advance,

Les


Hi Les,

in addition to the answers you have already received, you can create a user 
with the 'host enrollment' permission only, so even if the credentials are 
compromised the damage is minimized.

I am using this on 4.0.3 but looking at an older installation the same seems 
available in 3.0 too.

Best Regards

Yiorgos

Or you can use OTPs. The OTPs were actually invented for exactly this use case. 
You register host and generate OTP at that time. Then you pass it to your 
enrollment script and it is used once.



--

Thank you,

Dmitri Pal



Sr. Engineering Manager IdM portfolio

Red Hat, Inc.