authorJan Cholasta <jcholast@redhat.com>2011-10-11 18:44:33 +0200
committerRob Crittenden <rcritten@redhat.com>2011-10-11 21:25:17 -0400
commit0d823ddc4e5fa7f8bdecb590b4ebd129106b063f (patch)
treee51b69d494ea4a590fb467b48c569d8ecaa9157d
parentf2fb6552c91fa530597e6deb776d90344bfe67bd (diff)
Don't leak passwords through kdb5_ldap_util command line arguments.
ticket 1948
-rw-r--r--ipaserver/install/krbinstance.py10
1 files changed, 8 insertions, 2 deletions
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 74e28bc..cb090e8 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -295,11 +295,17 @@ class KrbInstance(service.Service):
def __init_ipa_kdb(self):
#populate the directory with the realm structure
- args = ["kdb5_util", "create", "-s", "-P", self.master_password,
+ args = ["kdb5_util", "create", "-s",
"-r", self.realm,
"-x", "ipa-setup-override-restrictions"]
+ dialogue = (
+ # Enter KDC database master key:
+ self.master_password + '\n',
+ # Re-enter KDC database master key to verify:
+ self.master_password + '\n',
+ )
try:
- ipautil.run(args, nolog=(self.master_password))
+ ipautil.run(args, nolog=(self.master_password), stdin=''.join(dialogue))
except ipautil.CalledProcessError, e:
print "Failed to initialize the realm container"
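Review bot: On the new `ipautil.run(...)` line, `nolog=(self.master_password)` is still a plain string, not a one-element tuple, because parentheses without a trailing comma do not build a tuple. If `ipautil.run` iterates over `nolog` to mask values (its implementation is not visible here), it would mask individual characters of the master password rather than the whole secret, garbling the log and hinting at the password's character set; `nolog=(self.master_password,)` avoids that. Since the password now travels in `stdin=''.join(dialogue)`, it is also worth confirming that `ipautil.run` never logs the stdin payload. The `except` handler may continue past the end of this hunk.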