URL: https://github.com/freeipa/freeipa/pull/740 Author: Akasurde Title: #740: [4.5]Hide PKI Client database password in log file Action: opened
PR body: """ This fix masks PKI client database password from showing in CA/KRA installer log file Fixes https://pagure.io/freeipa/issue/6904 Signed-off-by: Abhijeet Kasurde <akasu...@redhat.com> """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/740/head:pr740 git checkout pr740
From d7db3d43ce91652bed4759f16fd6cdc1acb35cbd Mon Sep 17 00:00:00 2001 From: Abhijeet Kasurde <akasu...@redhat.com> Date: Thu, 27 Apr 2017 16:23:41 +0530 Subject: [PATCH] [4.5]Hide PKI Client database password in log file This fix masks PKI client database password from showing in CA/KRA installer log file Fixes https://pagure.io/freeipa/issue/6904 Signed-off-by: Abhijeet Kasurde <akasu...@redhat.com> --- ipaserver/install/cainstance.py | 5 ++++- ipaserver/install/krainstance.py | 9 ++++++--- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 0672bcc..84d60bf 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -610,7 +610,10 @@ def __spawn_instance(self): try: DogtagInstance.spawn_instance( self, cfg_file, - nolog_list=(self.dm_password, self.admin_password, pki_pin) + nolog_list=(self.dm_password, + self.admin_password, + pki_pin, + self.tmp_agent_pwd) ) finally: os.remove(cfg_file) diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py index fc25ac7..c39d687 100644 --- a/ipaserver/install/krainstance.py +++ b/ipaserver/install/krainstance.py @@ -150,6 +150,7 @@ def __spawn_instance(self): os.chown(cfg_file, pent.pw_uid, pent.pw_gid) self.tmp_agent_db = tempfile.mkdtemp( prefix="tmp-", dir=paths.VAR_LIB_IPA) + tmp_agent_pwd = ipautil.ipa_generate_password() # Create KRA configuration config = ConfigParser() @@ -173,8 +174,7 @@ def __spawn_instance(self): # Client security database config.set("KRA", "pki_client_database_dir", self.tmp_agent_db) - config.set("KRA", "pki_client_database_password", - ipautil.ipa_generate_password()) + config.set("KRA", "pki_client_database_password", tmp_agent_pwd) config.set("KRA", "pki_client_database_purge", "True") config.set("KRA", "pki_client_pkcs12_password", self.admin_password) 
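Review bot: The cainstance.py hunk passes `self.tmp_agent_pwd` to `nolog_list`, while the krainstance.py hunks introduce a local `tmp_agent_pwd` and pass that instead, so the two installers refer to the same kind of secret in different ways. Nothing visible in the cainstance.py hunk shows where `self.tmp_agent_pwd` is assigned, and `__spawn_instance` starts outside the hunk. Please confirm on this branch that the attribute is set before the `spawn_instance` call and holds the value written to `pki_client_database_password`. If it is not set, the call would presumably raise `AttributeError`; if it holds a different value, the masking would match a string that never appears in the log. If the CA code can use a local as well, the KRA form is preferable in both files: `tmp_agent_pwd = ipautil.ipa_generate_password()` passed on to `nolog_list`, which also keeps the secret off the instance.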
@@ -283,7 +283,10 @@ def __spawn_instance(self): try: DogtagInstance.spawn_instance( self, cfg_file, - nolog_list=(self.dm_password, self.admin_password, pki_pin) + nolog_list=(self.dm_password, + self.admin_password, + pki_pin, + tmp_agent_pwd) ) finally: os.remove(p12_tmpfile_name)
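Review bot: The `nolog_list` tuple in this hunk has to be kept in step by hand with every password written into the KRA config earlier in `__spawn_instance` (which starts outside the hunk), and that manual coupling appears to be how the client database password reached the installer log. A short comment above the call would make the rule explicit, for example `# Every secret written to cfg_file must also be listed in nolog_list, or it may be logged in clear text.` The diffstat lists only the two installer modules, so no check accompanies the change. A regression test asserting that the generated value is absent from the installer log would catch the next omitted secret. The same applies to the `nolog_list` call in cainstance.py.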