From 6dcf7dcc04af4b77829f182a698beb59fc6f4341 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Fri, 5 Apr 2019 11:17:22 -0400
Subject: [PATCH] Add interactive prompt for the LDAP bind password to
ipa-getkeytab
This provides a mechanism to bind over LDAP without exposing
the password on the command-line.
https://pagure.io/freeipa/issue/631
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
---
client/ipa-getkeytab.c | 53 ++++++++++++++++++++++++++++++--------
client/man/ipa-getkeytab.1 | 9 ++++---
2 files changed, 48 insertions(+), 14 deletions(-)
diff --git a/client/ipa-getkeytab.c b/client/ipa-getkeytab.c
index 6713a0c5f6352dc63dc0ec24d4ccaec4c3ba31ae..8a5e98bed1947344247f9d6146e595d5f7f7a963 100644
--- a/client/ipa-getkeytab.c
+++ b/client/ipa-getkeytab.c
@@ -626,7 +626,16 @@ done:
return ret;
}
-static char *ask_password(krb5_context krbctx)
+/* Prompt for either a password.
+ * This can be either asking for a new or existing password.
+ *
+ * To set a new password provide values for both prompt1 and prompt2 and
+ * set match=true to enforce that the two entered passwords match.
+ *
+ * To prompt for an existing password provide prompt1 and set match=false.
+ */
+static char *ask_password(krb5_context krbctx, char *prompt1, char *prompt2,
+ bool match)
{
krb5_prompt ap_prompts[2];
krb5_data k5d_pw0;
@@ -634,24 +643,27 @@ static char *ask_password(krb5_context krbctx)
char pw0[256];
char pw1[256];
char *password;
+ int num_prompts = match ? 2:1;
k5d_pw0.length = sizeof(pw0);
k5d_pw0.data = pw0;
- ap_prompts[0].prompt = _("New Principal Password");
+ ap_prompts[0].prompt = prompt1;
ap_prompts[0].hidden = 1;
ap_prompts[0].reply = &k5d_pw0;
- k5d_pw1.length = sizeof(pw1);
- k5d_pw1.data = pw1;
- ap_prompts[1].prompt = _("Verify Principal Password");
- ap_prompts[1].hidden = 1;
- ap_prompts[1].reply = &k5d_pw1;
+ if (match) {
+ k5d_pw1.length = sizeof(pw1);
+ k5d_pw1.data = pw1;
+ ap_prompts[1].prompt = prompt2;
+ ap_prompts[1].hidden = 1;
+ ap_prompts[1].reply = &k5d_pw1;
+ }
krb5_prompter_posix(krbctx, NULL,
NULL, NULL,
- 2, ap_prompts);
+ num_prompts, ap_prompts);
- if (strcmp(pw0, pw1)) {
+ if (match && (strcmp(pw0, pw1))) {
fprintf(stderr, _("Passwords do not match!"));
return NULL;
}
@@ -752,6 +764,7 @@ int main(int argc, const char *argv[])
static const char *ca_cert_file = NULL;
int quiet = 0;
int askpass = 0;
+ int askbindpw = 0;
int permitted_enctypes = 0;
int retrieve = 0;
struct poptOption options[] = {
@@ -778,6 +791,8 @@ int main(int argc, const char *argv[])
_("LDAP DN"), _("DN to bind as if not using kerberos") },
{ "bindpw", 'w', POPT_ARG_STRING, &bindpw, 0,
_("LDAP password"), _("password to use if not using kerberos") },
+ { NULL, 'W', POPT_ARG_NONE, &askbindpw, 0,
+ _("Prompt for LDAP password"), NULL },
{ "cacert", 0, POPT_ARG_STRING, &ca_cert_file, 0,
_("Path to the IPA CA certificate"), _("IPA CA certificate")},
{ "ldapuri", 'H', POPT_ARG_STRING, &ldap_uri, 0,
@@ -849,9 +864,24 @@ int main(int argc, const char *argv[])
exit(2);
}
+ if (askbindpw && bindpw != NULL) {
+ fprintf(stderr, _("Bind password already provided (-w).\n"));
+ if (!quiet) {
+ poptPrintUsage(pc, stderr, 0);
+ }
+ exit(2);
+ }
+
+ if (askbindpw) {
+ bindpw = ask_password(krbctx, _("Enter LDAP password"), NULL, false);
+ if (!bindpw) {
+ exit(2);
+ }
+ }
+
if (NULL!=binddn && NULL==bindpw) {
fprintf(stderr,
- _("Bind password required when using a bind DN.\n"));
+ _("Bind password required when using a bind DN (-w or -W).\n"));
if (!quiet)
poptPrintUsage(pc, stderr, 0);
exit(10);
@@ -915,7 +945,8 @@ int main(int argc, const char *argv[])
}
if (askpass) {
- password = ask_password(krbctx);
+ password = ask_password(krbctx, _("New Principal Password"),
+ _("Verify Principal Password"), true);
if (!password) {
exit(2);
}
diff --git a/client/man/ipa-getkeytab.1 b/client/man/ipa-getkeytab.1
index 39ff0d5da85b5a641328a512feeb06bc9c1ab9d7..6e7fdf39ee4e28772365edafd4c7e86d0c37d343 100644
--- a/client/man/ipa-getkeytab.1
+++ b/client/man/ipa-getkeytab.1
@@ -21,7 +21,7 @@
.SH "NAME"
ipa\-getkeytab \- Get a keytab for a Kerberos principal
.SH "SYNOPSIS"
-ipa\-getkeytab \fB\-p\fR \fIprincipal\-name\fR \fB\-k\fR \fIkeytab\-file\fR [ \fB\-e\fR \fIencryption\-types\fR ] [ \fB\-s\fR \fIipaserver\fR ] [ \fB\-q\fR ] [ \fB\-D\fR|\fB\-\-binddn\fR \fIBINDDN\fR ] [ \fB\-w|\-\-bindpw\fR ] [ \fB\-P\fR|\fB\-\-password\fR \fIPASSWORD\fR ] [ \fB\-\-cacert \fICACERT\fR ] [ \fB\-H|\-\-ldapuri \fIURI\fR ] [ \fB\-Y|\-\-mech \fIGSSAPI|EXTERNAL\fR ] [ \fB\-r\fR ]
+ipa\-getkeytab \fB\-p\fR \fIprincipal\-name\fR \fB\-k\fR \fIkeytab\-file\fR [ \fB\-e\fR \fIencryption\-types\fR ] [ \fB\-s\fR \fIipaserver\fR ] [ \fB\-q\fR ] [ \fB\-D\fR|\fB\-\-binddn\fR \fIBINDDN\fR ] [ \fB\-w|\-\-bindpw\fR ] [ \fB-W\fR ] [ \fB\-P\fR|\fB\-\-password\fR \fIPASSWORD\fR ] [ \fB\-\-cacert \fICACERT\fR ] [ \fB\-H|\-\-ldapuri \fIURI\fR ] [ \fB\-Y|\-\-mech \fIGSSAPI|EXTERNAL\fR ] [ \fB\-r\fR ]
.SH "DESCRIPTION"
Retrieves a Kerberos \fIkeytab\fR.
@@ -44,7 +44,7 @@ provided, so the principal name is just the service
name and hostname (ldap/foo.example.com from the
example above).
-ipa-getkeytab is used during IPA client enrollment to retrieve a host service principal and store it in /etc/krb5.keytab. It is possible to retrieve the keytab without Kerberos credentials if the host was pre\-created with a one\-time password. The keytab can be retrieved by binding as the host and authenticating with this one\-time password. The \fB\-D|\-\-binddn\fR and \fB\-w|\-\-bindpw\fR options are used for this authentication.
+ipa-getkeytab is used during IPA client enrollment to retrieve a host service principal and store it in /etc/krb5.keytab. It is possible to retrieve the keytab without Kerberos credentials if the host was pre\-created with a one\-time password. The keytab can be retrieved by binding as the host and authenticating with this one\-time password. The \fB\-D|\-\-binddn\fR \fB\-w|\-\-bindpw\fR options are used for this authentication. \fB-W\fR can be used instead of \fB\-w|\-\-bindpw\fR to interactively prompt for the bind password.
\fBWARNING:\fR retrieving the keytab resets the secret for the Kerberos principal.
This renders all other keytabs for that principal invalid.
@@ -98,11 +98,14 @@ DES cbc mode with RSA\-MD4
Use this password for the key instead of one randomly generated.
.TP
\fB\-D, \-\-binddn\fR
-The LDAP DN to bind as when retrieving a keytab without Kerberos credentials. Generally used with the \fB\-w\fR option.
+The LDAP DN to bind as when retrieving a keytab without Kerberos credentials. Generally used with the \fB\-w\fR or \fB\-W\fR options.
.TP
\fB\-w, \-\-bindpw\fR
The LDAP password to use when not binding with Kerberos. \fB\-D\fR and \fB\-w\fR can not be used together with \fB\-Y\fR.
.TP
+\fB\-W\fR
+Interactive prompt for the bind password. \fB\-D\fR and \fB\-W\fR can not be used together with \fB\-Y\fR
+.TP
\fB\-\-cacert\fR
The path to the IPA CA certificate used to validate LDAPS/STARTTLS connections.
Defaults to /etc/ipa/ca.crt
--
2.25.2