From e33a5c3b993e0111617e1c15bed374f6ce426b2d Mon Sep 17 00:00:00 2001
From: Martin Kosek <mkosek@redhat.com>
Date: Fri, 5 Sep 2014 11:24:27 +0200
Subject: [PATCH] Hide pkinit functionality from production version
|
Rebased from original patch from Jan Zeleny and Rob Crittenden.
|
https://fedorahosted.org/freeipa/ticket/616
---
install/tools/ipa-replica-install | 5 +++--
install/tools/ipa-server-install | 20 ++++----------------
ipaserver/install/ipa_replica_prepare.py | 20 +++-----------------
3 files changed, 10 insertions(+), 35 deletions(-)
|
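diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index 75bbe981b96cf17950fe73d92d39ca3030f548f9..d3b520abf635ccc324b74bca31f241960a33d950 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -97,8 +97,6 @@ def parse_options():
     parser.add_option_group(basic_group)
 
     cert_group = OptionGroup(parser, "certificate system options")
-    cert_group.add_option("--no-pkinit", dest="setup_pkinit", action="store_false",
-                          default=True, help="disables pkinit setup steps")
     cert_group.add_option("--skip-schema-check", dest="skip_schema_check", action="store_true",
                           default=False, help="skip check for updated CA DS schema on the remote master")
     parser.add_option_group(cert_group)
@@ -126,6 +124,9 @@ def parse_options():
     options, args = parser.parse_args()
     safe_options = parser.get_safe_opts(options)
 
+    # pkinit is disabled in production version
+    options.setup_pkinit = False
+
     if len(args) != 1:
         parser.error("you must provide a file generated by ipa-replica-prepare")
 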
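diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 0394314ee99817f221536136ae1432cc8e92220a..a5df3e9971a5ae128ebfa4c542dcad7cc3626276 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -218,8 +218,6 @@ def parse_options():
     cert_group.add_option("--external_ca_file", dest="external_cert_files",
                           action="append",
                           help=SUPPRESS_HELP)
-    cert_group.add_option("--no-pkinit", dest="setup_pkinit", action="store_false",
-                          default=True, help="disables pkinit setup steps")
     cert_group.add_option("--dirsrv-cert-file", dest="dirsrv_cert_files",
                           action="append", metavar="FILE",
                           help="File containing the Directory Server SSL certificate and private key")
@@ -232,12 +230,6 @@ def parse_options():
     cert_group.add_option("--http_pkcs12", dest="http_cert_files",
                           action="append",
                           help=SUPPRESS_HELP)
-    cert_group.add_option("--pkinit-cert-file", dest="pkinit_cert_files",
-                          action="append", metavar="FILE",
-                          help="File containing the Kerberos KDC SSL certificate and private key")
-    cert_group.add_option("--pkinit_pkcs12", dest="pkinit_cert_files",
-                          action="append",
-                          help=SUPPRESS_HELP)
     cert_group.add_option("--dirsrv-pin", dest="dirsrv_pin", sensitive=True,
                           metavar="PIN",
                           help="The password to unlock the Directory Server private key")
@@ -248,20 +240,12 @@ def parse_options():
                           help="The password to unlock the Apache Server private key")
     cert_group.add_option("--http_pin", dest="http_pin", sensitive=True,
                           help=SUPPRESS_HELP)
-    cert_group.add_option("--pkinit-pin", dest="pkinit_pin", sensitive=True,
-                          metavar="PIN",
-                          help="The password to unlock the Kerberos KDC private key")
-    cert_group.add_option("--pkinit_pin", dest="pkinit_pin", sensitive=True,
-                          help=SUPPRESS_HELP)
     cert_group.add_option("--dirsrv-cert-name", dest="dirsrv_cert_name",
                           metavar="NAME",
                           help="Name of the Directory Server SSL certificate to install")
     cert_group.add_option("--http-cert-name", dest="http_cert_name",
                           metavar="NAME",
                           help="Name of the Apache Server SSL certificate to install")
-    cert_group.add_option("--pkinit-cert-name", dest="pkinit_cert_name",
-                          metavar="NAME",
-                          help="Name of the Kerberos KDC SSL certificate to install")
     cert_group.add_option("--ca-cert-file", dest="ca_cert_files",
                           action="append", metavar="FILE",
                           help="File containing CA certificates for the service certificate files")
@@ -309,6 +293,10 @@ def parse_options():
     options, args = parser.parse_args()
     safe_options = parser.get_safe_opts(options)
 
+    # pkinit is disabled in production version
+    options.pkinit_pin = False
+    options.pkinit_cert_files = False
+
     if options.dm_password is not None:
         try:
             validate_dm_password(options.dm_password)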
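Review bot: The forced overrides at the end of parse_options set `options.pkinit_pin` and `options.pkinit_cert_files` to False, but unlike the ipa-replica-install hunk nothing sets `options.setup_pkinit`, whose `--no-pkinit` option (default True) this same file section removes; if the installer still reads `options.setup_pkinit` later in the file, it now raises AttributeError instead of taking the disabled path. Adding `options.setup_pkinit = False` next to the two existing assignments keeps the three tools consistent. The removed pkinit_cert_files options used `action="append"`, so downstream code presumably expects None or a list rather than False; `options.pkinit_cert_files = None` (and the same assignment in ipa_replica_prepare.py) reproduces the value the option would have had when not given. parse_options continues outside the hunk, so the later uses cannot be confirmed from here.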
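diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index 3762f32700aa899541883d3af72b160c4c42ba7c..1d34aa26b49be0c5df8e7d315a45cd6d180e6da9 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -63,9 +63,6 @@ class ReplicaPrepare(admintool.AdminTool):
         parser.add_option("--no-reverse", dest="no_reverse",
                           action="store_true", default=False,
                           help="do not create reverse DNS zone")
-        parser.add_option("--no-pkinit", dest="setup_pkinit",
-                          action="store_false", default=True,
-                          help="disables pkinit setup steps")
         parser.add_option("--ca", dest="ca_file", default=paths.CACERT_P12,
                           metavar="FILE",
                           help="location of CA PKCS#12 file, default /root/cacert.p12")
@@ -87,12 +84,6 @@ class ReplicaPrepare(admintool.AdminTool):
         group.add_option("--http_pkcs12", dest="http_cert_files",
                          action="append",
                          help=SUPPRESS_HELP)
-        group.add_option("--pkinit-cert-file", dest="pkinit_cert_files",
-                         action="append", metavar="FILE",
-                         help="File containing the Kerberos KDC SSL certificate and private key")
-        group.add_option("--pkinit_pkcs12", dest="pkinit_cert_files",
-                         action="append",
-                         help=SUPPRESS_HELP)
         group.add_option("--dirsrv-pin", dest="dirsrv_pin", sensitive=True,
                          metavar="PIN",
                          help="The password to unlock the Directory Server private key")
@@ -103,20 +94,12 @@ class ReplicaPrepare(admintool.AdminTool):
                          help="The password to unlock the Apache Server private key")
         group.add_option("--http_pin", dest="http_pin", sensitive=True,
                          help=SUPPRESS_HELP)
-        group.add_option("--pkinit-pin", dest="pkinit_pin", sensitive=True,
-                         metavar="PIN",
-                         help="The password to unlock the Kerberos KDC private key")
-        group.add_option("--pkinit_pin", dest="pkinit_pin", sensitive=True,
-                         help=SUPPRESS_HELP)
         group.add_option("--dirsrv-cert-name", dest="dirsrv_cert_name",
                          metavar="NAME",
                          help="Name of the Directory Server SSL certificate to install")
         group.add_option("--http-cert-name", dest="http_cert_name",
                          metavar="NAME",
                          help="Name of the Apache Server SSL certificate to install")
-        group.add_option("--pkinit-cert-name", dest="pkinit_cert_name",
-                         metavar="NAME",
-                         help="Name of the Kerberos KDC SSL certificate to install")
         parser.add_option_group(group)
 
     def validate_options(self):
@@ -136,7 +119,10 @@ class ReplicaPrepare(admintool.AdminTool):
                 "option together with --no-reverse")
 
         #Automatically disable pkinit w/ dogtag until that is supported
+        # pkinit is disabled in production version
         options.setup_pkinit = False
+        options.pkinit_pin = False
+        options.pkinit_cert_files = False
 
         # If any of the PKCS#12 options are selected, all are required.
         cert_file_req = (options.dirsrv_cert_files, options.http_cert_files)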
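Review bot: The new comment `# pkinit is disabled in production version` in validate_options is stacked directly under the older `#Automatically disable pkinit w/ dogtag until that is supported`, leaving two different justifications for the same `options.setup_pkinit = False` with no indication which one is current. Merge them into a single comment covering both facts, e.g. `# pkinit is disabled in the production version (and not yet supported with dogtag)`. As in ipa-server-install, `pkinit_cert_files` was an `action="append"` destination, so `None` is a closer stand-in for "not given" than False if later code tests `is None` or iterates the value. validate_options continues outside the hunk.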
--
1.9.3