Ticket was cloned from Red Hat Bugzilla (product Fedora): Bug 974309
Description of problem:
ipa-server-install: ask for certificate pin interactively

ipa-server-install requires respective --[service]_pin=<secret> CLI option to be given when --[service]_pkcs12=/path/to/pkcs12 is given. This is bad because the password is visible for quite a long time in process list and in bash history (and god only knows where else). ipa-server-install should move to interactive and password-file methods to provide password instead.

Version-Release number of selected component (if applicable):
freeipa-server-3.2.0-2.fc19.armv7hl

How reproducible:
always

Steps to Reproduce:
1. run ipa-server-install with --http_pkcs12 and/or --dirsrv_pkcs12 and/or --pkinit_pkcs12 options but without respective *pin=<secret> options
2.
3.

Actual results:
ipa-server-install fails

Expected results:
ipa-server-install should ask for passwords interactively

Additional info:
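One way a Python installer could obtain the PKCS#12 password from a prompt or a password file rather than from a --[service]_pin argument, so the secret never appears in the process list or shell history. This is an added example, not part of the ticket and not FreeIPA's own code; the names read_pin_file, prompt_pin, resolve_pin and PinSourceError are hypothetical, and the owner-only permission check on the file is an assumption beyond what the ticket asks for.

```python
import getpass
import os
import stat
import sys


class PinSourceError(Exception):
    """Raised when the PIN cannot be obtained from a safe source."""


def read_pin_file(path):
    """Read a PIN from the first line of a file only its owner can access."""
    # O_NOFOLLOW: do not follow a symlink planted at the final path component.
    fd = os.open(path, os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0))
    with os.fdopen(fd, "r") as fh:
        st = os.fstat(fh.fileno())  # check the file we opened, not the path
        if not stat.S_ISREG(st.st_mode):
            raise PinSourceError("%s is not a regular file" % path)
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PinSourceError("%s is accessible by group/other" % path)
        pin = fh.readline().rstrip("\r\n")
    if not pin:
        raise PinSourceError("%s contains no PIN" % path)
    return pin


def prompt_pin(label, prompt_fn=getpass.getpass):
    """Ask on the terminal without echo; return None if the user sends EOF."""
    try:
        return prompt_fn("Enter %s unlock password: " % label)
    except EOFError:
        print()  # leave the cursor on a fresh line after Ctrl-D
        return None


def resolve_pin(label, pin_file=None, interactive=None, prompt_fn=getpass.getpass):
    """Pick a PIN source that never places the secret in argv."""
    if pin_file is not None:
        return read_pin_file(pin_file)
    if interactive is None:
        interactive = sys.stdin.isatty()
    if not interactive:
        raise PinSourceError("no PIN file given and no terminal to prompt on")
    pin = prompt_pin(label, prompt_fn)
    if pin is None:
        raise PinSourceError("%s unlock password not provided" % label)
    return pin
```

In an unattended run (no terminal on stdin) the function fails closed instead of falling back to a command-line secret.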
Already suggested, and deferred until we install from configuration files. See http://www.redhat.com/archives/freeipa-devel/2013-March/msg00325.html.
Thanks for this pointer. I knew this was discussed some time ago, but could not find a related ticket. It is true that I would like this problem to be solved consistently across all our password options.
Moving open tickets to next month bucket.
master:
6937107 Print newline after receiving EOF in installutils.read_password.
ab2debd Ask for PKCS#12 password interactively in ipa-replica-prepare.
ea544be Ask for PKCS#12 password interactively in ipa-server-install.
ipa-3-2:
38c0585 Print newline after receiving EOF in installutils.read_password.
0b7e1d5 Ask for PKCS#12 password interactively in ipa-replica-prepare.
d130688 Ask for PKCS#12 password interactively in ipa-server-install.
Metadata Update from @mkosek: - Issue assigned to jcholast - Issue set to the milestone: FreeIPA 3.2.x - 2013/07 (bug fixing)