From 0d823ddc4e5fa7f8bdecb590b4ebd129106b063f Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Tue, 11 Oct 2011 18:44:33 +0200
Subject: Don't leak passwords through kdb5_ldap_util command line arguments.
ticket 1948
---
 ipaserver/install/krbinstance.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
(limited to 'ipaserver/install/krbinstance.py')
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 74e28bc6..cb090e82 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -295,11 +295,17 @@ class KrbInstance(service.Service):
 def __init_ipa_kdb(self):
 #populate the directory with the realm structure
- args = ["kdb5_util", "create", "-s", "-P", self.master_password,
+ args = ["kdb5_util", "create", "-s",
 "-r", self.realm,
 "-x", "ipa-setup-override-restrictions"]
+ dialogue = (
+ # Enter KDC database master key:
+ self.master_password + '\n',
+ # Re-enter KDC database master key to verify:
+ self.master_password + '\n',
+ )
 try:
- ipautil.run(args, nolog=(self.master_password))
+ ipautil.run(args, nolog=(self.master_password), stdin=''.join(dialogue))
 except ipautil.CalledProcessError, e:
 print "Failed to initialize the realm container"
-- cgit
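Review bot: On the added `ipautil.run(...)` line, `nolog=(self.master_password)` is a parenthesised string, not a one-element tuple, so a helper that iterates `nolog` to redact secrets would walk the password character by character instead of matching it as a whole. `ipautil.run` is not visible in this hunk, so that iteration is an assumption to confirm; if it holds, the call should read `ipautil.run(args, nolog=(self.master_password,), stdin=''.join(dialogue))`. Because the master password now travels on stdin twice, it is also worth confirming that `run()` never writes the stdin payload to the install log unredacted. The `except` branch of `__init_ipa_kdb` continues past the end of the hunk.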