Dne 2.6.2015 v 20:40 Simo Sorce napsal(a):
On Tue, 2015-06-02 at 07:07 -0500, Endi Sukma Dewata wrote:
On 6/2/2015 1:10 AM, Martin Kosek wrote:
Hi Endi,
Quickly skimming through your patches raised couple questions on my side:
1) Will it be possible to also store plain text password via Vault? It
talks about taking in the binary data or the text file, but will it also
work with plain user secrets (passwords)? I am talking about use like this:
# ipa vault-archive <name> --user mkosek --data Secret123
For security the plain text password should be stored in a file first:
# vi password.txt
# ipa vault-archive <name> --user mkosek --in password.txt
It's also possible to specify the password as base-64 encoded data:
# echo -n Secret123 | base64
# ipa vault-archive <name> --user mkosek --data U2VjcmV0MTIz
But it's not recommended since the data will be stored in the command
history and someone could see and decode it. I think passing a plain
text password as command line argument would be even worse. The --data
parameter is mainly used for unit testing.
Later we might be able to add an option to read from standard input:
# cat password.txt | ipa vault-archive <name> --user mkosek --std-in
Yes please, a way to pass in via stdin is extremely useful, as leaving
files on the filesystem is also a big risk.
This will not work well, it should use the normal prompting mechanism:
$ ipa vault-archive <name> --user <user>
Data: <type data here>
--
Jan Cholasta
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
