#4517 [RFE] ipa-server-install and other server-configuring programs should be able to read password from env, file, and filehandle
Opened 4 years ago by adelton. Modified 10 months ago

This is the server-side version of https://fedorahosted.org/freeipa/ticket/4040:

currently, in unattended runs, passwords need to be specified as command line parameters that will show up in ps / /proc outputs.

We need a way to pass the passwords without the words being disclosed to other users on the system. The ideas include reading them from environment variables, files, or filehandles.


This ticket is not critical for 4.2 GA and can be done in a follow-up stabilization release - postponing.

I like the idea of a config file. We could use the same keys as the long options (excluding --). Later we can extend the feature to get all options from the config file:

options

$ ipa-server-install --help
    ...
    -p DM_PASSWORD, --ds-password=DM_PASSWORD
                        Directory Manager password
    -P MASTER_PASSWORD, --master-password=MASTER_PASSWORD
                        kerberos master password (normally autogenerated)
    -a ADMIN_PASSWORD, --admin-password=ADMIN_PASSWORD
                        admin user kerberos password

config file

ds-password=
master-password=
admin-password=
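
An added example, not part of the ticket or FreeIPA's own code: one way a Python installer could take the passwords from an inherited file descriptor, from a key=value file using the keys proposed above, or from the environment. The function names, the `IPA_*` variable names and the precedence order are assumptions of this example.

```python
import os
import stat

# Keys are the long options from the ticket without the leading "--".
PASSWORD_KEYS = ("ds-password", "master-password", "admin-password")


def parse_password_file(path):
    """Parse key=value lines from a file only its owner can access."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    with os.fdopen(fd, encoding="utf-8") as fh:
        # fstat the descriptor we opened, so the check and the read see the same file.
        st = os.fstat(fh.fileno())
        if not stat.S_ISREG(st.st_mode) or st.st_uid != os.geteuid():
            raise PermissionError(f"{path}: not a regular file owned by the caller")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(f"{path}: accessible by group or others")
        values = {}
        for lineno, line in enumerate(fh, 1):
            line = line.rstrip("\n")
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            key, sep, value = line.partition("=")
            if not sep or key.strip() not in PASSWORD_KEYS:
                raise ValueError(f"{path}:{lineno}: unknown or malformed entry")
            values[key.strip()] = value  # value kept verbatim, may contain "="
    return values


def read_password_fd(fd):
    """Read one password (the first line) from an inherited descriptor."""
    with os.fdopen(fd, encoding="utf-8", closefd=False) as fh:
        return fh.readline().rstrip("\n")


def resolve_password(key, environ=None, file_values=None, fd=None):
    """Assumed precedence: descriptor, then file, then environment."""
    if fd is not None:
        return read_password_fd(fd)
    if file_values and key in file_values:
        return file_values[key]
    # Hypothetical variable name, e.g. IPA_DS_PASSWORD. Unlike argv, the
    # environment is not world-readable in /proc, but child processes inherit it.
    environ = os.environ if environ is None else environ
    return environ.get("IPA_" + key.upper().replace("-", "_"))
```
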

We want this patch, it is just not in a rush any more.

FreeIPA 4.2.1 was released, moving to 4.2.x.

master:

  • 39f6f63 install: Support overriding knobs in subclasses
  • bed64a8 install: Add common base class for server and replica install
  • 86edd6a install: Move unattended option to the general help section

ipa-4-2:

  • 8040a0e install: Support overriding knobs in subclasses
  • 61170a4 install: Add common base class for server and replica install
  • 42d16b0 install: Move unattended option to the general help section

master:

  • 74da4f5 Replica inst. fix: do not require -r, -a, -p options in unattended mode

ipa-4-2:

  • ad28589 Replica inst. fix: do not require -r, -a, -p options in unattended mode

ipa-4-2:

  • 75a8454 install: fix ipa-server-install fail on missing --forwarder

master:

  • 6067824 install: fix ipa-server-install fail on missing --forwarder

Continuation of this effort should wait for installer refactoring.

Metadata Update from @adelton:
- Issue assigned to mbabinsk
- Issue set to the milestone: FreeIPA 4.5

2 years ago

Metadata Update from @pvoborni:
- Issue close_status updated to: None
- Issue set to the milestone: FreeIPA 4.7 (was: FreeIPA 4.5)

2 years ago

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)

10 months ago

FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone
