From 4106c7dcfc685580eeb0f2074872036cd5faaaae Mon Sep 17 00:00:00 2001
From: Abhijeet Kasurde <akasurde@redhat.com>
Date: Thu, 27 Apr 2017 16:23:41 +0530
Subject: [PATCH] Hide PKI Client database password in log file
This fix masks the PKI client database password so that it does not show
in CA/KRA installer log file
Fixes https://pagure.io/freeipa/issue/6904
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
---
ipaserver/install/cainstance.py | 5 ++++-
ipaserver/install/krainstance.py | 9 ++++++---
2 files changed, 10 insertions(+), 4 deletions(-)
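diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 0672bccf79d7cc6133fdb20f0854366306bfc2e0..84d60bfddc0fb968f31706e54e36557e9543846e 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -610,7 +610,10 @@ class CAInstance(DogtagInstance):
         try:
             DogtagInstance.spawn_instance(
                 self, cfg_file,
-                nolog_list=(self.dm_password, self.admin_password, pki_pin)
+                nolog_list=(self.dm_password,
+                            self.admin_password,
+                            pki_pin,
+                            self.tmp_agent_pwd)
             )
         finally:
             os.remove(cfg_file)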
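Review bot: `self.tmp_agent_pwd` is read in the new nolog_list but is not assigned anywhere in this patch, so the masking relies on the attribute having been set earlier in the enclosing method, which starts outside the hunk; worth confirming, since an unset attribute would raise AttributeError before spawn_instance runs at all. The KRA counterpart in this same commit keeps the generated password in a local `tmp_agent_pwd` instead; using the same form in both installers would make it easier to check that every place the value is written (config file, log) is covered. If nolog_list masks by plain substring replacement, the guarantee here also rests on the generated value being non-empty and long enough not to collide with ordinary log text, so the password generator's minimum length is what actually protects the log.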
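diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
index fc25ac72b0dc593f06a8b070b67b5d54a0ab8bce..c39d6874a9d685f91b5d30ea1954320b8ee0c1ed 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@@ -150,6 +150,7 @@ class KRAInstance(DogtagInstance):
         os.chown(cfg_file, pent.pw_uid, pent.pw_gid)
         self.tmp_agent_db = tempfile.mkdtemp(
                 prefix="tmp-", dir=paths.VAR_LIB_IPA)
+        tmp_agent_pwd = ipautil.ipa_generate_password()
 
         # Create KRA configuration
         config = ConfigParser()
@@ -173,8 +174,7 @@ class KRAInstance(DogtagInstance):
 
         # Client security database
         config.set("KRA", "pki_client_database_dir", self.tmp_agent_db)
-        config.set("KRA", "pki_client_database_password",
-                   ipautil.ipa_generate_password())
+        config.set("KRA", "pki_client_database_password", tmp_agent_pwd)
         config.set("KRA", "pki_client_database_purge", "True")
         config.set("KRA", "pki_client_pkcs12_password", self.admin_password)
 
@@ -283,7 +283,10 @@ class KRAInstance(DogtagInstance):
         try:
             DogtagInstance.spawn_instance(
                 self, cfg_file,
-                nolog_list=(self.dm_password, self.admin_password, pki_pin)
+                nolog_list=(self.dm_password,
+                            self.admin_password,
+                            pki_pin,
+                            tmp_agent_pwd)
             )
         finally:
             os.remove(p12_tmpfile_name)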
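Review bot: The `finally` clause at the end of the third hunk removes only `p12_tmpfile_name`, while `cfg_file` — which the second hunk now fills with `tmp_agent_pwd` in clear as `pki_client_database_password`, next to `self.admin_password` as `pki_client_pkcs12_password` — is not removed in the visible lines; if no `os.remove(cfg_file)` follows outside the hunk, the password that was just scrubbed from the log survives on disk in the config file. The enclosing method starts and ends outside these hunks, so this may already be handled on the next line; it is worth checking since the CA installer's `finally` does remove `cfg_file`. Separately, `tmp_agent_pwd` is a local here whereas the CA installer masks `self.tmp_agent_pwd`; choosing one form for both spawn paths would keep them consistent and, if any later step needs to open the temporary client database, avoid having to regenerate or re-read the value.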
--
2.12.2