#2662 Avoid writing LDAP Directory Manager credentials to persistent file
Closed: wontfix 6 years ago Opened 7 years ago by cheimes.

pkispawn writes the Directory Manager credentials in clear text to /etc/pki/pki-tomcat/password.conf, line internaldb=PASSWORD. The file is persistent. Standa Laznicka from the FreeIPA team has investigated usage of internaldb. The line seems to be optional and not used beyond installation. FreeIPA 4.5 removes the entry, https://github.com/freeipa/freeipa/blob/master/ipaserver/install/dogtaginstance.py#L225

I'd rather not write the entry to the file at all. Dogtag's installer should use a dedicated temporary file on a tmpfs instead. /etc is on a persistent disk and the password could be written to physical devices (hard disk, SSD).


In FreeIPA, the Directory Manager password is used in these options used in pkispawn:

pki_backup_password
pki_client_pkcs12_password
pki_admin_password
pki_ds_password

and additionally when creating a clone:

pki_security_domain_password
pki_clone_pkcs12_password
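The alternative proposed in the opening post (keep the installer's copy of the Directory Manager password on a tmpfs-backed temporary file instead of under /etc) as an added example in Python. This is illustration code written for this page; it is not code from the ticket, from Dogtag, or from FreeIPA. It assumes a Linux-style mounts table (/proc/self/mounts format), and the mounts text and scratch directory used in `demo_environment()` are constructed for the example so that it runs offline. The file is created with mode 0600, overwritten and unlinked on exit, and the function refuses to write at all if the target directory is not on tmpfs or ramfs, which is the property the post cares about: the secret must never reach a persistent block device.

```python
import os
import stat
import tempfile
from contextlib import contextmanager


def parse_mounts(mounts_text):
    """Parse /proc/self/mounts-style lines into (mountpoint, fstype) pairs."""
    table = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        # The kernel octal-escapes spaces in mount points as \040.
        mountpoint = fields[1].replace("\\040", " ")
        table.append((mountpoint, fields[2]))
    return table


def fstype_of(path, mounts_text=None):
    """Filesystem type of the mount holding path (longest mount-point prefix wins)."""
    if mounts_text is None:  # real systems: ask the kernel
        with open("/proc/self/mounts") as f:
            mounts_text = f.read()
    real = os.path.realpath(path)
    best = None
    for mountpoint, fstype in parse_mounts(mounts_text):
        mp = mountpoint.rstrip("/") or "/"
        if mp == "/" or real == mp or real.startswith(mp + "/"):
            if best is None or len(mp) > len(best[0]):
                best = (mp, fstype)
    return best[1] if best else None


@contextmanager
def volatile_secret_file(secret, directory, mounts_text=None):
    """Hold a secret in a 0600 file on tmpfs for the duration of the with-block.

    Raises RuntimeError instead of silently writing to persistent storage.
    """
    if fstype_of(directory, mounts_text) not in ("tmpfs", "ramfs"):
        raise RuntimeError("%s is not on tmpfs; refusing to write secret" % directory)
    # mkstemp uses O_CREAT|O_EXCL and mode 0600; fchmod only documents the intent.
    fd, path = tempfile.mkstemp(prefix="pki-secret-", dir=directory)
    try:
        os.fchmod(fd, 0o600)
        with os.fdopen(fd, "w") as f:
            f.write(secret)
        yield path
    finally:
        # Overwrite before unlink; on tmpfs unlink alone suffices, but this is cheap.
        try:
            size = os.path.getsize(path)
            with open(path, "r+b") as f:
                f.write(b"\0" * size)
                f.flush()
        except OSError:
            pass
        os.unlink(path)


def demo_environment():
    """Scratch directory plus a CONSTRUCTED mounts table that claims it is tmpfs.

    A real installer would pass mounts_text=None and let fstype_of read the kernel.
    """
    directory = tempfile.mkdtemp(prefix="pki-demo-")
    mounts = ("/dev/sda1 / ext4 rw,relatime 0 0\n"
              "tmpfs %s tmpfs rw,nosuid,nodev 0 0\n" % os.path.realpath(directory))
    return directory, mounts


def exercise(secret, directory, mounts_text):
    """Write a secret, capture its content and mode while it exists, report cleanup."""
    with volatile_secret_file(secret, directory, mounts_text) as path:
        with open(path) as f:
            content = f.read()
        mode = stat.S_IMODE(os.stat(path).st_mode)
    return content, mode, os.path.exists(path)


if __name__ == "__main__":
    d, m = demo_environment()
    print(exercise("Secret123", d, m))  # ('Secret123', 384, False)
```

In a real installer the directory would be something like /run or /dev/shm and `mounts_text` would be left as None; the constructed table exists only so the check can be exercised in a scratch directory on any filesystem.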

Metadata Update from @mharmsen:
- Custom field component adjusted to General
- Custom field feature adjusted to ''
- Custom field origin adjusted to Community
- Custom field proposedmilestone adjusted to ''
- Custom field proposedpriority adjusted to ''
- Custom field reviewer adjusted to ''
- Custom field type adjusted to defect
- Custom field version adjusted to ''
- Issue set to the milestone: 0.0 NEEDS_TRIAGE

7 years ago

Metadata Update from @mharmsen:
- Issue priority set to: ---

7 years ago

Per PKI Bug Council of 04/27/2017: 10.5 - critical

Metadata Update from @mharmsen:
- Issue priority set to: critical (was: ---)
- Issue set to the milestone: 10.5 (was: 0.0 NEEDS_TRIAGE)

7 years ago

Metadata Update from @mharmsen:
- Issue priority set to: major (was: critical)

6 years ago

The reason IPA does not use this entry is that IPA uses cert-auth to connect from the dogtag instance to its internalDB. I think IPA selects this with the appropriate pkispawn parameters.

In this case, the ds password is no longer needed post-install. This is not true by default. By default, this line in password.conf is used to connect dogtag to its internaldb.

I suppose we can remove this entry in the case where we configure cert-auth for the dogtag<->ds connection, but we need to confirm we can do this.
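An added Python example tying together the opening post (FreeIPA 4.5 strips the internaldb entry from password.conf after installation) and the comment above (that is only safe when the Dogtag-to-DS connection uses certificate authentication; by default the entry is read at runtime). This is illustration code for this page, not code from the ticket, Dogtag, or FreeIPA. Assumptions: password.conf is one `key=value` per line; the bind method is read from a CS.cfg key assumed here to be `internaldb.ldapauth.authtype` with values `BasicAuth` or `SslClientAuth` (check your instance's CS.cfg before relying on that name); and the sample file contents in the constants are constructed for the example, with `internaldb` being the only key the issue itself names.

```python
import re

# One "key=value" per line; comments and blank lines are ignored.
_ENTRY_RE = re.compile(r"^\s*([^#=\s][^=]*?)\s*=(.*)$")

# Constructed sample of /etc/pki/pki-tomcat/password.conf after pkispawn.
# "internaldb" is the line from the issue; the other keys are placeholders.
SAMPLE_PASSWORD_CONF = (
    "internal=ExampleToken1\n"
    "internaldb=Secret123\n"
    "replicationdb=Secret456\n"
)
# Constructed CS.cfg fragments; the key name is an assumption (see lead-in).
CS_CFG_CERT_AUTH = "internaldb.ldapauth.authtype=SslClientAuth\n"
CS_CFG_PASSWORD_AUTH = "internaldb.ldapauth.authtype=BasicAuth\n"


def parse_password_conf(text):
    """Return (key, value) tuples in file order."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def internaldb_auth_type(cs_cfg_text):
    """LDAP bind method Dogtag uses for its internal DB, per the assumed CS.cfg key.

    Defaults to BasicAuth (password bind) when the key is absent, which is the
    conservative reading: keep the entry unless cert auth is positively configured.
    """
    for line in cs_cfg_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "internaldb.ldapauth.authtype":
            return value.strip()
    return "BasicAuth"


def scrub_internaldb(password_conf_text, cs_cfg_text):
    """Drop the internaldb line only when runtime no longer needs it.

    Returns (new_text, removed, reason). The file text is returned unchanged
    when the instance still binds to DS with the password.
    """
    authtype = internaldb_auth_type(cs_cfg_text)
    if authtype != "SslClientAuth":
        reason = "internaldb still used at runtime (authtype=%s)" % authtype
        return password_conf_text, False, reason
    lines = password_conf_text.splitlines()
    kept = [ln for ln in lines if not re.match(r"^\s*internaldb\s*=", ln)]
    removed = len(kept) != len(lines)
    new_text = "\n".join(kept)
    if password_conf_text.endswith("\n"):
        new_text += "\n"
    if removed:
        reason = "removed internaldb (authtype=SslClientAuth)"
    else:
        reason = "no internaldb entry present"
    return new_text, removed, reason


def exposed_keys(password_conf_text):
    """Keys whose value is non-empty, i.e. secrets actually sitting on disk."""
    return [k for k, v in parse_password_conf(password_conf_text) if v.strip()]


if __name__ == "__main__":
    for cfg in (CS_CFG_CERT_AUTH, CS_CFG_PASSWORD_AUTH):
        new, removed, why = scrub_internaldb(SAMPLE_PASSWORD_CONF, cfg)
        print(removed, why, exposed_keys(new))
```

The decision is deliberately one-directional: absence of the CS.cfg key, or any value other than `SslClientAuth`, leaves password.conf untouched, because removing a line the running instance still reads would break the CA rather than harden it.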

[20171025] - Offline Triage ==> 10.6

Metadata Update from @mharmsen:
- Issue set to the milestone: 10.6 (was: 10.5)

6 years ago

Per further discussions with Ade, we would like IPA to clean up the stuff that is not required
due to the way IPA sets up Dogtag. This is not perfect, but the Dogtag backlog is huge so we'd
like to be realistic about what is / isn't ever going to get done.

Metadata Update from @ftweedal:
- Issue close_status updated to: wontfix

6 years ago

Metadata Update from @mharmsen:
- Issue set to the milestone: 10.5.2 (was: 10.6)

6 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2782

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
