031d60
From ebaad372cdeb941af1a390f81c8a4d90ea128f9f Mon Sep 17 00:00:00 2001
99b6f7
From: Martin Kosek <mkosek@redhat.com>
031d60
Date: Thu, 14 Aug 2014 13:34:13 +0200
031d60
Subject: [PATCH] Hide pkinit functionality from production version
99b6f7
99b6f7
Rebased from the original patch by Jan Zeleny and Rob Crittenden.
99b6f7
99b6f7
https://fedorahosted.org/freeipa/ticket/616
99b6f7
---
99b6f7
 install/tools/ipa-replica-install        |  5 +++--
99b6f7
 install/tools/ipa-server-install         | 10 ++++------
99b6f7
 ipaserver/install/ipa_replica_prepare.py | 11 +++--------
99b6f7
 3 files changed, 10 insertions(+), 16 deletions(-)
99b6f7
99b6f7
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
031d60
index 4418b41784313121e73b560ee84715ddeba8bc54..ff4cd70147abb2dc6e0486155fb179d4fb1b29e9 100755
99b6f7
--- a/install/tools/ipa-replica-install
99b6f7
+++ b/install/tools/ipa-replica-install
031d60
@@ -95,8 +95,6 @@ def parse_options():
99b6f7
     parser.add_option_group(basic_group)
99b6f7
 
99b6f7
     cert_group = OptionGroup(parser, "certificate system options")
99b6f7
-    cert_group.add_option("--no-pkinit", dest="setup_pkinit", action="store_false",
99b6f7
-                      default=True, help="disables pkinit setup steps")
99b6f7
     cert_group.add_option("--skip-schema-check", dest="skip_schema_check", action="store_true",
99b6f7
                       default=False, help="skip check for updated CA DS schema on the remote master")
99b6f7
     parser.add_option_group(cert_group)
031d60
@@ -121,6 +119,9 @@ def parse_options():
99b6f7
     options, args = parser.parse_args()
99b6f7
     safe_options = parser.get_safe_opts(options)
99b6f7
 
99b6f7
+    # pkinit is disabled in production version
99b6f7
+    options.setup_pkinit = False
99b6f7
+
99b6f7
     if len(args) != 1:
99b6f7
         parser.error("you must provide a file generated by ipa-replica-prepare")
99b6f7
 
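Review bot: The three parse-time overrides disable pkinit with different attribute sets: here only `options.setup_pkinit` is forced, the ipa-server-install hunk at `@@ -229,6 +223,10 @@` forces only `options.pkinit_pin` and `options.pkinit_pkcs12`, and the ipa_replica_prepare.py hunk at `@@ -99,7 +91,10 @@` forces all three. In ipa-server-install the removed `--no-pkinit` option was the only visible definer of `setup_pkinit` (its `default=True` went away with it), so if code later in that file still reads `options.setup_pkinit` it would now raise AttributeError rather than see the intended False; adding `options.setup_pkinit = False` next to the two new assignments there, as is done in this hunk, would close that gap. Since `pkinit_pkcs12` and `pkinit_pin` were string-valued optparse options whose unset value was `None`, `None` would also be the more natural value than `False` for any `is not None` checks downstream. parse_options continues outside the hunk.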
99b6f7
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
031d60
index feea616b089261bf46392d5514e6e3cc9e12fcac..5bd22bf18f2b00e26d674b6cbbf81989b4a030cb 100755
99b6f7
--- a/install/tools/ipa-server-install
99b6f7
+++ b/install/tools/ipa-server-install
031d60
@@ -179,20 +179,14 @@ def parse_options():
031d60
                       help="File containing the IPA CA certificate signed by the external CA in PEM format")
99b6f7
     cert_group.add_option("", "--external_ca_file", dest="external_ca_file",
031d60
                       help="File containing the external CA certificate chain in PEM format")
99b6f7
-    cert_group.add_option("--no-pkinit", dest="setup_pkinit", action="store_false",
99b6f7
-                      default=True, help="disables pkinit setup steps")
99b6f7
     cert_group.add_option("--dirsrv_pkcs12", dest="dirsrv_pkcs12",
99b6f7
                       help="PKCS#12 file containing the Directory Server SSL certificate")
99b6f7
     cert_group.add_option("--http_pkcs12", dest="http_pkcs12",
99b6f7
                       help="PKCS#12 file containing the Apache Server SSL certificate")
99b6f7
-    cert_group.add_option("--pkinit_pkcs12", dest="pkinit_pkcs12",
99b6f7
-                      help="PKCS#12 file containing the Kerberos KDC SSL certificate")
99b6f7
     cert_group.add_option("--dirsrv_pin", dest="dirsrv_pin", sensitive=True,
99b6f7
                       help="The password of the Directory Server PKCS#12 file")
99b6f7
     cert_group.add_option("--http_pin", dest="http_pin", sensitive=True,
99b6f7
                       help="The password of the Apache Server PKCS#12 file")
99b6f7
-    cert_group.add_option("--pkinit_pin", dest="pkinit_pin",
99b6f7
-                      help="The password of the Kerberos KDC PKCS#12 file")
99b6f7
     cert_group.add_option("--root-ca-file", dest="root_ca_file",
99b6f7
                       help="PEM file with root CA certificate(s) to trust")
99b6f7
     cert_group.add_option("--subject", action="callback", callback=subject_callback,
031d60
@@ -229,6 +223,10 @@ def parse_options():
99b6f7
     options, args = parser.parse_args()
99b6f7
     safe_options = parser.get_safe_opts(options)
99b6f7
 
99b6f7
+    # pkinit is disabled in production version
99b6f7
+    options.pkinit_pin = False
99b6f7
+    options.pkinit_pkcs12 = False
99b6f7
+
99b6f7
     if options.dm_password is not None:
99b6f7
         try:
99b6f7
             validate_dm_password(options.dm_password)
99b6f7
diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
031d60
index 36d078a6b73562cb0047154f4bb7666ab25687b8..a3b89a8a739c6082aa7117cea470e2a9d8dba7f9 100644
99b6f7
--- a/ipaserver/install/ipa_replica_prepare.py
99b6f7
+++ b/ipaserver/install/ipa_replica_prepare.py
031d60
@@ -56,9 +56,6 @@ def add_options(cls, parser):
99b6f7
         parser.add_option("--no-reverse", dest="no_reverse",
99b6f7
             action="store_true", default=False,
99b6f7
             help="do not create reverse DNS zone")
99b6f7
-        parser.add_option("--no-pkinit", dest="setup_pkinit",
99b6f7
-            action="store_false", default=True,
99b6f7
-            help="disables pkinit setup steps")
99b6f7
         parser.add_option("--ca", dest="ca_file", default="/root/cacert.p12",
99b6f7
             metavar="FILE",
99b6f7
             help="location of CA PKCS#12 file, default /root/cacert.p12")
031d60
@@ -71,15 +68,10 @@ def add_options(cls, parser):
99b6f7
         group.add_option("--http_pkcs12", dest="http_pkcs12",
99b6f7
             metavar="FILE",
99b6f7
             help="install certificate for the http server")
99b6f7
-        group.add_option("--pkinit_pkcs12", dest="pkinit_pkcs12",
99b6f7
-            metavar="FILE",
99b6f7
-            help="install certificate for the KDC")
99b6f7
         group.add_option("--dirsrv_pin", dest="dirsrv_pin", metavar="PIN",
99b6f7
             help="PIN for the Directory Server PKCS#12 file")
99b6f7
         group.add_option("--http_pin", dest="http_pin", metavar="PIN",
99b6f7
             help="PIN for the Apache Server PKCS#12 file")
99b6f7
-        group.add_option("--pkinit_pin", dest="pkinit_pin", metavar="PIN",
99b6f7
-            help="PIN for the KDC pkinit PKCS#12 file")
99b6f7
         parser.add_option_group(group)
99b6f7
 
99b6f7
     def validate_options(self):
031d60
@@ -99,7 +91,10 @@ def validate_options(self):
99b6f7
                 "option together with --no-reverse")
99b6f7
 
99b6f7
         #Automatically disable pkinit w/ dogtag until that is supported
99b6f7
+        # pkinit is disabled in production version
99b6f7
         options.setup_pkinit = False
99b6f7
+        options.pkinit_pin = False
99b6f7
+        options.pkinit_pkcs12 = False
99b6f7
 
99b6f7
         # If any of the PKCS#12 options are selected, all are required.
99b6f7
         pkcs12_req = (options.dirsrv_pkcs12, options.http_pkcs12)
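Review bot: The new comment directly under `#Automatically disable pkinit w/ dogtag until that is supported` leaves two adjacent comments giving different reasons for the same `options.setup_pkinit = False`, and the older one is now misleading because the disabling no longer depends on dogtag. Fold them into a single line such as `# pkinit is disabled in the production version (previously also disabled with dogtag)` or drop the stale line. As in the other two files, `None` rather than `False` would match the unset value of the string-valued `pkinit_pin`/`pkinit_pkcs12` options that were removed above. validate_options continues outside the hunk.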
99b6f7
-- 
031d60
1.9.3
99b6f7