From 6dcf7dcc04af4b77829f182a698beb59fc6f4341 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Fri, 5 Apr 2019 11:17:22 -0400 Subject: [PATCH] Add interactive prompt for the LDAP bind password to ipa-getkeytab This provides a mechanism to bind over LDAP without exposing the password on the command-line. https://pagure.io/freeipa/issue/631 Signed-off-by: Rob Crittenden Reviewed-By: Alexander Bokovoy Reviewed-By: Robbie Harwood Reviewed-By: Christian Heimes Reviewed-By: Florence Blanc-Renaud Reviewed-By: Simo Sorce --- client/ipa-getkeytab.c | 53 ++++++++++++++++++++++++++++++-------- client/man/ipa-getkeytab.1 | 9 ++++--- 2 files changed, 48 insertions(+), 14 deletions(-) diff --git a/client/ipa-getkeytab.c b/client/ipa-getkeytab.c index 6713a0c5f6352dc63dc0ec24d4ccaec4c3ba31ae..8a5e98bed1947344247f9d6146e595d5f7f7a963 100644 --- a/client/ipa-getkeytab.c +++ b/client/ipa-getkeytab.c @@ -626,7 +626,16 @@ done: return ret; } -static char *ask_password(krb5_context krbctx) +/* Prompt for either a password. + * This can be either asking for a new or existing password. + * + * To set a new password provide values for both prompt1 and prompt2 and + * set match=true to enforce that the two entered passwords match. + * + * To prompt for an existing password provide prompt1 and set match=false. + */ +static char *ask_password(krb5_context krbctx, char *prompt1, char *prompt2, + bool match) { krb5_prompt ap_prompts[2]; krb5_data k5d_pw0; @@ -634,24 +643,27 @@ static char *ask_password(krb5_context krbctx) char pw0[256]; char pw1[256]; char *password; + int num_prompts = match ? 2:1; k5d_pw0.length = sizeof(pw0); k5d_pw0.data = pw0; - ap_prompts[0].prompt = _("New Principal Password"); + ap_prompts[0].prompt = prompt1; ap_prompts[0].hidden = 1; ap_prompts[0].reply = &k5d_pw0; - k5d_pw1.length = sizeof(pw1); - k5d_pw1.data = pw1; - ap_prompts[1].prompt = _("Verify Principal Password"); - ap_prompts[1].hidden = 1; - ap_prompts[1].reply = &k5d_pw1; + if (match) { + k5d_pw1.length = sizeof(pw1); + k5d_pw1.data = pw1; + ap_prompts[1].prompt = prompt2; + ap_prompts[1].hidden = 1; + ap_prompts[1].reply = &k5d_pw1; + } krb5_prompter_posix(krbctx, NULL, NULL, NULL, - 2, ap_prompts); + num_prompts, ap_prompts); - if (strcmp(pw0, pw1)) { + if (match && (strcmp(pw0, pw1))) { fprintf(stderr, _("Passwords do not match!")); return NULL; } @@ -752,6 +764,7 @@ int main(int argc, const char *argv[]) static const char *ca_cert_file = NULL; int quiet = 0; int askpass = 0; + int askbindpw = 0; int permitted_enctypes = 0; int retrieve = 0; struct poptOption options[] = { @@ -778,6 +791,8 @@ int main(int argc, const char *argv[]) _("LDAP DN"), _("DN to bind as if not using kerberos") }, { "bindpw", 'w', POPT_ARG_STRING, &bindpw, 0, _("LDAP password"), _("password to use if not using kerberos") }, + { NULL, 'W', POPT_ARG_NONE, &askbindpw, 0, + _("Prompt for LDAP password"), NULL }, { "cacert", 0, POPT_ARG_STRING, &ca_cert_file, 0, _("Path to the IPA CA certificate"), _("IPA CA certificate")}, { "ldapuri", 'H', POPT_ARG_STRING, &ldap_uri, 0, @@ -849,9 +864,24 @@ int main(int argc, const char *argv[]) exit(2); } + if (askbindpw && bindpw != NULL) { + fprintf(stderr, _("Bind password already provided (-w).\n")); + if (!quiet) { + poptPrintUsage(pc, stderr, 0); + } + exit(2); + } + + if (askbindpw) { + bindpw = ask_password(krbctx, _("Enter LDAP password"), NULL, false); + if (!bindpw) { + exit(2); + } + } + if (NULL!=binddn && NULL==bindpw) { fprintf(stderr, - _("Bind password required when using a bind DN.\n")); + _("Bind password required when using a bind DN (-w or -W).\n")); if (!quiet) poptPrintUsage(pc, stderr, 0); exit(10); @@ -915,7 +945,8 @@ int main(int argc, const char *argv[]) } if (askpass) { - password = ask_password(krbctx); + password = ask_password(krbctx, _("New Principal Password"), + _("Verify Principal Password"), true); if (!password) { exit(2); } diff --git a/client/man/ipa-getkeytab.1 b/client/man/ipa-getkeytab.1 index 39ff0d5da85b5a641328a512feeb06bc9c1ab9d7..6e7fdf39ee4e28772365edafd4c7e86d0c37d343 100644 --- a/client/man/ipa-getkeytab.1 +++ b/client/man/ipa-getkeytab.1 @@ -21,7 +21,7 @@ .SH "NAME" ipa\-getkeytab \- Get a keytab for a Kerberos principal .SH "SYNOPSIS" -ipa\-getkeytab \fB\-p\fR \fIprincipal\-name\fR \fB\-k\fR \fIkeytab\-file\fR [ \fB\-e\fR \fIencryption\-types\fR ] [ \fB\-s\fR \fIipaserver\fR ] [ \fB\-q\fR ] [ \fB\-D\fR|\fB\-\-binddn\fR \fIBINDDN\fR ] [ \fB\-w|\-\-bindpw\fR ] [ \fB\-P\fR|\fB\-\-password\fR \fIPASSWORD\fR ] [ \fB\-\-cacert \fICACERT\fR ] [ \fB\-H|\-\-ldapuri \fIURI\fR ] [ \fB\-Y|\-\-mech \fIGSSAPI|EXTERNAL\fR ] [ \fB\-r\fR ] +ipa\-getkeytab \fB\-p\fR \fIprincipal\-name\fR \fB\-k\fR \fIkeytab\-file\fR [ \fB\-e\fR \fIencryption\-types\fR ] [ \fB\-s\fR \fIipaserver\fR ] [ \fB\-q\fR ] [ \fB\-D\fR|\fB\-\-binddn\fR \fIBINDDN\fR ] [ \fB\-w|\-\-bindpw\fR ] [ \fB-W\fR ] [ \fB\-P\fR|\fB\-\-password\fR \fIPASSWORD\fR ] [ \fB\-\-cacert \fICACERT\fR ] [ \fB\-H|\-\-ldapuri \fIURI\fR ] [ \fB\-Y|\-\-mech \fIGSSAPI|EXTERNAL\fR ] [ \fB\-r\fR ] .SH "DESCRIPTION" Retrieves a Kerberos \fIkeytab\fR. @@ -44,7 +44,7 @@ provided, so the principal name is just the service name and hostname (ldap/foo.example.com from the example above). -ipa-getkeytab is used during IPA client enrollment to retrieve a host service principal and store it in /etc/krb5.keytab. It is possible to retrieve the keytab without Kerberos credentials if the host was pre\-created with a one\-time password. The keytab can be retrieved by binding as the host and authenticating with this one\-time password. The \fB\-D|\-\-binddn\fR and \fB\-w|\-\-bindpw\fR options are used for this authentication. +ipa-getkeytab is used during IPA client enrollment to retrieve a host service principal and store it in /etc/krb5.keytab. It is possible to retrieve the keytab without Kerberos credentials if the host was pre\-created with a one\-time password. The keytab can be retrieved by binding as the host and authenticating with this one\-time password. The \fB\-D|\-\-binddn\fR \fB\-w|\-\-bindpw\fR options are used for this authentication. \fB-W\fR can be used instead of \fB\-w|\-\-bindpw\fR to interactively prompt for the bind password. \fBWARNING:\fR retrieving the keytab resets the secret for the Kerberos principal. This renders all other keytabs for that principal invalid. @@ -98,11 +98,14 @@ DES cbc mode with RSA\-MD4 Use this password for the key instead of one randomly generated. .TP \fB\-D, \-\-binddn\fR -The LDAP DN to bind as when retrieving a keytab without Kerberos credentials. Generally used with the \fB\-w\fR option. +The LDAP DN to bind as when retrieving a keytab without Kerberos credentials. Generally used with the \fB\-w\fR or \fB\-W\fR options. .TP \fB\-w, \-\-bindpw\fR The LDAP password to use when not binding with Kerberos. \fB\-D\fR and \fB\-w\fR can not be used together with \fB\-Y\fR. .TP +\fB\-W\fR +Interactive prompt for the bind password. \fB\-D\fR and \fB\-W\fR can not be used together with \fB\-Y\fR +.TP \fB\-\-cacert\fR The path to the IPA CA certificate used to validate LDAPS/STARTTLS connections. Defaults to /etc/ipa/ca.crt -- 2.25.2