The PIN is sensitive information and should not be shown in plain text like this:
Request ID '20150511122924':
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin='791848156812'
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
issuer: CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM
subject: CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM
expires: 2035-05-11 12:28:33 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
Are you suggesting only suppressing it from the output in "getcert list", or disabling the API for fetching it and/or removing the property as well?
In default configuration you must be root to access certmonger's DBus interface (https://git.fedorahosted.org/cgit/certmonger.git/tree/dbus/certmonger.conf.in). Is there a reason to hide the pin from root?
Rob pointed out that a lot of people at freeipa-users forget to remove their PINs when posting getcert output, and I think it's generally a good practice not to show sensitive information by default.
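Until a certmonger with the fix is installed, anyone pasting getcert output to a list or ticket has to scrub it by hand. The following is an added example, not code from certmonger or from this ticket, of a small filter that redacts the value of every `pin=` field in `getcert list` output (single-quoted, double-quoted or bare), leaves `pinfile=` paths and every other field untouched, and reports how many values it redacted so the poster can see that something was actually removed. The sample output embedded in it is constructed after the listing quoted in this ticket; the function and placeholder names are my own.

```python
import re
import sys

# Constructed sample, modelled on the "getcert list" output quoted in this ticket.
SAMPLE = """Request ID '20150511122924':
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin='791848156812'
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
\tstatus: MONITORING
"""

# Matches a "pin=" field and its value. The value may be single-quoted,
# double-quoted, or bare (then it runs to the next comma or whitespace).
# The leading \b keeps "pinfile=" and similar keys from matching.
_PIN_RE = re.compile(r"""(?P<key>\bpin=)(?P<val>'[^']*'|"[^"]*"|[^,\s]+)""")


def redact_getcert_output(text, placeholder="'<redacted>'"):
    """Replace every pin value in getcert output with a placeholder.

    Returns (redacted_text, number_of_values_redacted) so a caller can
    refuse to post output in which nothing was found when it expected a PIN.
    """
    count = 0

    def _sub(match):
        nonlocal count
        count += 1
        return match.group("key") + placeholder

    return _PIN_RE.sub(_sub, text), count


def main(argv):
    # Usage: getcert list | python redact_getcert.py  (hypothetical file name)
    text = sys.stdin.read() if len(argv) < 2 else open(argv[1]).read()
    redacted, count = redact_getcert_output(text)
    sys.stdout.write(redacted)
    sys.stderr.write("redacted %d pin value(s)\n" % count)


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `getcert list | python redact_getcert.py > to-post.txt` and check the count on stderr before sending; a count of zero on a tracking request whose key is in an NSS database with a PIN means the output did not look the way you expected and should be inspected by hand.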
I wasn't able to locate the offending line because nalin has fixed the code yesterday. The code hasn't changed in the last two years. Therefore backport is trivial.
Metadata Update from @dkupka:
- Issue set to the milestone: 0.77.4