From 6dcf7dcc04af4b77829f182a698beb59fc6f4341 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Fri, 5 Apr 2019 11:17:22 -0400
Subject: [PATCH] Add interactive prompt for the LDAP bind password to
 ipa-getkeytab

This provides a mechanism to bind over LDAP without exposing
the password on the command-line.

https://pagure.io/freeipa/issue/631

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
---
 client/ipa-getkeytab.c     | 53 ++++++++++++++++++++++++++++++--------
 client/man/ipa-getkeytab.1 |  9 ++++---
 2 files changed, 48 insertions(+), 14 deletions(-)

diff --git a/client/ipa-getkeytab.c b/client/ipa-getkeytab.c
index 6713a0c5f6352dc63dc0ec24d4ccaec4c3ba31ae..8a5e98bed1947344247f9d6146e595d5f7f7a963 100644
--- a/client/ipa-getkeytab.c
+++ b/client/ipa-getkeytab.c
@@ -626,7 +626,16 @@ done:
     return ret;
 }
 
-static char *ask_password(krb5_context krbctx)
+/* Prompt for either a password.
+ * This can be either asking for a new or existing password.
+ *
+ * To set a new password provide values for both prompt1 and prompt2 and
+ * set match=true to enforce that the two entered passwords match.
+ *
+ * To prompt for an existing password provide prompt1 and set match=false.
+ */
+static char *ask_password(krb5_context krbctx, char *prompt1, char *prompt2,
+                          bool match)
 {
     krb5_prompt ap_prompts[2];
     krb5_data k5d_pw0;
@@ -634,24 +643,27 @@ static char *ask_password(krb5_context krbctx)
     char pw0[256];
     char pw1[256];
     char *password;
+    int num_prompts = match ? 2:1;
 
     k5d_pw0.length = sizeof(pw0);
     k5d_pw0.data = pw0;
-    ap_prompts[0].prompt = _("New Principal Password");
+    ap_prompts[0].prompt = prompt1;
     ap_prompts[0].hidden = 1;
     ap_prompts[0].reply = &k5d_pw0;
 
-    k5d_pw1.length = sizeof(pw1);
-    k5d_pw1.data = pw1;
-    ap_prompts[1].prompt = _("Verify Principal Password");
-    ap_prompts[1].hidden = 1;
-    ap_prompts[1].reply = &k5d_pw1;
+    if (match) {
+        k5d_pw1.length = sizeof(pw1);
+        k5d_pw1.data = pw1;
+        ap_prompts[1].prompt = prompt2;
+        ap_prompts[1].hidden = 1;
+        ap_prompts[1].reply = &k5d_pw1;
+    }
 
     krb5_prompter_posix(krbctx, NULL,
                 NULL, NULL,
-                2, ap_prompts);
+                num_prompts, ap_prompts);
 
-    if (strcmp(pw0, pw1)) {
+    if (match && (strcmp(pw0, pw1))) {
         fprintf(stderr, _("Passwords do not match!"));
         return NULL;
     }
@@ -752,6 +764,7 @@ int main(int argc, const char *argv[])
 	static const char *ca_cert_file = NULL;
 	int quiet = 0;
 	int askpass = 0;
+	int askbindpw = 0;
 	int permitted_enctypes = 0;
 	int retrieve = 0;
         struct poptOption options[] = {
@@ -778,6 +791,8 @@ int main(int argc, const char *argv[])
               _("LDAP DN"), _("DN to bind as if not using kerberos") },
 	    { "bindpw", 'w', POPT_ARG_STRING, &bindpw, 0,
               _("LDAP password"), _("password to use if not using kerberos") },
+	    { NULL, 'W', POPT_ARG_NONE, &askbindpw, 0,
+              _("Prompt for LDAP password"), NULL },
 	    { "cacert", 0, POPT_ARG_STRING, &ca_cert_file, 0,
               _("Path to the IPA CA certificate"), _("IPA CA certificate")},
 	    { "ldapuri", 'H', POPT_ARG_STRING, &ldap_uri, 0,
@@ -849,9 +864,24 @@ int main(int argc, const char *argv[])
 		exit(2);
 	}
 
+    if (askbindpw && bindpw != NULL) {
+		fprintf(stderr, _("Bind password already provided (-w).\n"));
+		if (!quiet) {
+			poptPrintUsage(pc, stderr, 0);
+		}
+		exit(2);
+    }
+
+    if (askbindpw) {
+		bindpw = ask_password(krbctx, _("Enter LDAP password"), NULL, false);
+		if (!bindpw) {
+			exit(2);
+		}
+    }
+
 	if (NULL!=binddn && NULL==bindpw) {
 		fprintf(stderr,
-                        _("Bind password required when using a bind DN.\n"));
+                        _("Bind password required when using a bind DN (-w or -W).\n"));
 		if (!quiet)
 			poptPrintUsage(pc, stderr, 0);
 		exit(10);
@@ -915,7 +945,8 @@ int main(int argc, const char *argv[])
     }
 
         if (askpass) {
-		password = ask_password(krbctx);
+		password = ask_password(krbctx, _("New Principal Password"),
+               	                _("Verify Principal Password"), true);
 		if (!password) {
 			exit(2);
 		}
diff --git a/client/man/ipa-getkeytab.1 b/client/man/ipa-getkeytab.1
index 39ff0d5da85b5a641328a512feeb06bc9c1ab9d7..6e7fdf39ee4e28772365edafd4c7e86d0c37d343 100644
--- a/client/man/ipa-getkeytab.1
+++ b/client/man/ipa-getkeytab.1
@@ -21,7 +21,7 @@
 .SH "NAME"
 ipa\-getkeytab \- Get a keytab for a Kerberos principal
 .SH "SYNOPSIS"
-ipa\-getkeytab \fB\-p\fR \fIprincipal\-name\fR \fB\-k\fR \fIkeytab\-file\fR [ \fB\-e\fR \fIencryption\-types\fR ] [ \fB\-s\fR \fIipaserver\fR ] [ \fB\-q\fR ] [ \fB\-D\fR|\fB\-\-binddn\fR \fIBINDDN\fR ] [ \fB\-w|\-\-bindpw\fR ] [ \fB\-P\fR|\fB\-\-password\fR \fIPASSWORD\fR ] [ \fB\-\-cacert \fICACERT\fR ] [ \fB\-H|\-\-ldapuri \fIURI\fR ] [ \fB\-Y|\-\-mech \fIGSSAPI|EXTERNAL\fR ] [ \fB\-r\fR ]
+ipa\-getkeytab \fB\-p\fR \fIprincipal\-name\fR \fB\-k\fR \fIkeytab\-file\fR [ \fB\-e\fR \fIencryption\-types\fR ] [ \fB\-s\fR \fIipaserver\fR ] [ \fB\-q\fR ] [ \fB\-D\fR|\fB\-\-binddn\fR \fIBINDDN\fR ] [ \fB\-w|\-\-bindpw\fR ] [ \fB-W\fR ] [ \fB\-P\fR|\fB\-\-password\fR \fIPASSWORD\fR ] [ \fB\-\-cacert \fICACERT\fR ] [ \fB\-H|\-\-ldapuri \fIURI\fR ] [ \fB\-Y|\-\-mech \fIGSSAPI|EXTERNAL\fR ] [ \fB\-r\fR ]
 
 .SH "DESCRIPTION"
 Retrieves a Kerberos \fIkeytab\fR.
@@ -44,7 +44,7 @@ provided, so the principal name is just the service
 name and hostname (ldap/foo.example.com from the
 example above).
 
-ipa-getkeytab is used during IPA client enrollment to retrieve a host service principal and store it in /etc/krb5.keytab. It is possible to retrieve the keytab without Kerberos credentials if the host was pre\-created with a one\-time password. The keytab can be retrieved by binding as the host and authenticating with this one\-time password. The \fB\-D|\-\-binddn\fR and \fB\-w|\-\-bindpw\fR options are used for this authentication.
+ipa-getkeytab is used during IPA client enrollment to retrieve a host service principal and store it in /etc/krb5.keytab. It is possible to retrieve the keytab without Kerberos credentials if the host was pre\-created with a one\-time password. The keytab can be retrieved by binding as the host and authenticating with this one\-time password. The \fB\-D|\-\-binddn\fR \fB\-w|\-\-bindpw\fR options are used for this authentication. \fB-W\fR can be used instead of \fB\-w|\-\-bindpw\fR to interactively prompt for the bind password.
 
 \fBWARNING:\fR retrieving the keytab resets the secret for the Kerberos principal.
 This renders all other keytabs for that principal invalid.
@@ -98,11 +98,14 @@ DES cbc mode with RSA\-MD4
 Use this password for the key instead of one randomly generated.
 .TP
 \fB\-D, \-\-binddn\fR
-The LDAP DN to bind as when retrieving a keytab without Kerberos credentials. Generally used with the \fB\-w\fR option.
+The LDAP DN to bind as when retrieving a keytab without Kerberos credentials. Generally used with the \fB\-w\fR or \fB\-W\fR options.
 .TP
 \fB\-w, \-\-bindpw\fR
 The LDAP password to use when not binding with Kerberos. \fB\-D\fR and \fB\-w\fR can not be used together with \fB\-Y\fR.
 .TP
+\fB\-W\fR
+Interactive prompt for the bind password. \fB\-D\fR and \fB\-W\fR can not be used together with \fB\-Y\fR
+.TP
 \fB\-\-cacert\fR
 The path to the IPA CA certificate used to validate LDAPS/STARTTLS connections.
 Defaults to /etc/ipa/ca.crt
-- 
2.25.2