From 7a5d906d03af6ee551036a841f71082fc66fa41b Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Tue, 11 Oct 2011 18:44:33 +0200 Subject: Don't leak passwords through kdb5_ldap_util command line arguments. ticket 1948 --- ipaserver/install/krbinstance.py | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py index ad89e87d6..70cbe62a2 100644 --- a/ipaserver/install/krbinstance.py +++ b/ipaserver/install/krbinstance.py @@ -336,9 +336,17 @@ class KrbInstance(service.Service): if not replica: #populate the directory with the realm structure - args = ["kdb5_ldap_util", "-D", "uid=kdc,cn=sysaccounts,cn=etc,"+self.suffix, "-w", self.kdc_password, "create", "-s", "-P", self.master_password, "-r", self.realm, "-subtrees", self.suffix, "-sscope", "sub"] + args = ["kdb5_ldap_util", "-D", "uid=kdc,cn=sysaccounts,cn=etc,"+self.suffix, "create", "-s", "-r", self.realm, "-subtrees", self.suffix, "-sscope", "sub"] + dialogue = ( + # Password for "uid=kdc,cn=sysaccounts,cn=etc,...": + self.kdc_password + '\n', + # Enter KDC database master key: + self.master_password + '\n', + # Re-enter KDC database master key to verify: + self.master_password + '\n', + ) try: - ipautil.run(args, nolog=(self.kdc_password, self.master_password)) + ipautil.run(args, nolog=(self.kdc_password, self.master_password), stdin=''.join(dialogue)) except ipautil.CalledProcessError, e: print "Failed to populate the realm structure in kerberos", e -- cgit
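Review bot: The scripted answers in `dialogue` are fed blind to kdb5_ldap_util and assume it asks exactly three prompts in this order (bind password, master key, confirmation) and that neither password contains a newline; if either assumption fails the responses desync and the only visible outcome is the pre-existing `print "Failed to populate the realm structure in kerberos", e`, which swallows the error and lets installation continue. The tuple deserves a comment recording that contract, e.g. `# Fed blind to kdb5_ldap_util's stdin in prompt order; a prompt mismatch or a newline in a password desyncs the dialogue`, so the next person changing the arguments knows to re-check the prompt sequence. It is also worth confirming that ipautil.run does not log its new `stdin` argument — `nolog` presumably masks the values wherever they appear, but that cannot be verified from this hunk. The enclosing method starts and ends outside the hunk.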