Learn more about these different git repos.
Other Git URLs
The PIN is sensitive information and should not be shown in plain like this:
Request ID '20150511122924': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin='791848156812' certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM subject: CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM expires: 2035-05-11 12:28:33 UTC key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca" track: yes auto-renew: yes
Are you suggesting only suppressing it from the output in "getcert list", or disabling the API for fetching it and/or removing the property as well?
In default configuration you must be root to access certmonger's DBus inteface (https://git.fedorahosted.org/cgit/certmonger.git/tree/dbus/certmonger.conf.in). Is there a reason to hide the pin from root?
Rob pointed out that a lot of people at freeipa-users forget to remove their PINs when posting getcert output, and I think it's generally a good practice not to show sensitive information by default.
I wasn't able to locate the offending line because nalin has fixed the code yesterday. The code has't changed in the last two years. Therefore backport is trivial.
https://git.fedorahosted.org/cgit/certmonger.git/commit/?id=f27a6834e1a8308aa0d13f260c4efbce260f2b3a
Metadata Update from @dkupka: - Issue set to the milestone: 0.77.4
Login to comment on this ticket.