#6904 pki_client_database_password is shown in ipaserver-install.log
Closed: fixed 6 years ago Opened 6 years ago by pvoborni.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1446137

Description of problem: pki_client_database_password is shown in
ipaserver-install.log

Version-Release number of selected component (if applicable):
ipa-server-4.5.0-8.el7.x86_64


How reproducible: Always


Steps to Reproduce:
1. Install IPA-Server
2. Check ipaserver-install.log

Actual results:
pki_client_database_password is displayed in the install log

2017-04-27T10:12:50Z DEBUG Contents of pkispawn configuration file
(/tmp/tmp1d8iQh):
[CA]
pki_security_domain_name = IPA
pki_enable_proxy = True
pki_restart_configured_instance = False
pki_backup_keys = True
pki_backup_password = XXXXXXXX
pki_profiles_in_ldap = True
pki_default_ocsp_uri = http://ipa-ca.testrelm.test/ca/ocsp
pki_client_database_dir = /var/lib/ipa/tmp-bilHhu
pki_client_database_password = 7Nk~a?+bv,IM!$qWWmh3mlWT{SRq}.dQJ}o%uqkcE  <===
pki_client_database_purge = False
pki_client_pkcs12_password = XXXXXXXX
pki_admin_name = admin
pki_admin_uid = admin
pki_admin_email = root@localhost
pki_admin_password = XXXXXXXX

Expected results:
We should not display the password in the install log

Additional info:

Metadata Update from @pvoborni:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1446137

6 years ago

Metadata Update from @pvoborni:
- Issue priority set to: critical

6 years ago

Can we please have some tests that verify we don't write any sensitive password to disk? Locations to check are /etc/ipa/ /etc/pki/ /etc/dirsrv/ /var/run/ipa/ /var/lib/ipa/ /var/lib/pki/ /var/log/ipa/ /var/log/ipa* /var/log/pki/ /tmp/

Metadata Update from @cheimes:
- Issue priority set to: None (was: critical)

6 years ago

Metadata Update from @akasurde:
- Issue priority set to: critical

6 years ago

Metadata Update from @akasurde:
- Issue assigned to akasurde

6 years ago

Metadata Update from @akasurde:
- Assignee reset
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/740

6 years ago

ipa-4-5:

  • 1d911fc Hide PKI Client database password in log file

@cheimes for the missing tests please open a separate issue. I can imagine they can be part of each server/replica install in the CI suite.

Metadata Update from @mbabinsk:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

6 years ago
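
The kind of check requested in the comment above about tests, sketched as an added example that is not part of this ticket or of FreeIPA's code: it scans a logged pkispawn configuration dump for `pki_*password` keys whose value is not the `XXXXXXXX` mask seen in the log excerpt. The key pattern, the function names and the sample log (with a placeholder value) are constructed assumptions.

```python
import re

# Assumption: any pkispawn key ending in "password" is sensitive. This
# generalizes the four password keys visible in the ticket's log excerpt.
SECRET_KEY = re.compile(r"^\s*(pki_\w*password)\s*=\s*(.*?)\s*$")
MASK = "XXXXXXXX"  # mask string used for the other passwords in the excerpt

# Constructed sample modelled on the excerpt; the secret is a placeholder.
SAMPLE_LOG = """\
2017-04-27T10:12:50Z DEBUG Contents of pkispawn configuration file (/tmp/example):
[CA]
pki_backup_password = XXXXXXXX
pki_client_database_dir = /var/lib/ipa/tmp-example
pki_client_database_password = constructed-sample-value
pki_client_pkcs12_password = XXXXXXXX
pki_admin_password = XXXXXXXX
"""


def find_unmasked_secrets(log_text):
    """Return (line_number, key) for each secret key logged with a real value."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = SECRET_KEY.match(line)
        if m and m.group(2) not in ("", MASK):
            findings.append((lineno, m.group(1)))
    return findings


def mask_secrets(log_text):
    """Return log_text with the value of every secret key replaced by MASK."""
    out = []
    for line in log_text.splitlines():
        m = SECRET_KEY.match(line)
        out.append(f"{m.group(1)} = {MASK}" if m else line)
    return "\n".join(out)


if __name__ == "__main__":
    # Before masking: the client database password is reported.
    for lineno, key in find_unmasked_secrets(SAMPLE_LOG):
        print(f"line {lineno}: {key} is logged in clear text")
    # After masking: nothing is reported.
    print(find_unmasked_secrets(mask_secrets(SAMPLE_LOG)))
```

In a CI run the same scan could be pointed at the files under the locations listed in the comment, failing the install test when `find_unmasked_secrets` returns anything.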
