Don't leak passwords through kdb5_ldap_util command line arguments.

ticket 1948
2025-02-25 18:55:28 -06:00 · 2011-10-11 18:44:33 +02:00 · 2011-10-11 18:44:33 +02:00 · 0d823ddc4e
commit 0d823ddc4e
parent f2fb6552c9
1 changed files with 8 additions and 2 deletions
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@ -295,11 +295,17 @@ class KrbInstance(service.Service):

    def __init_ipa_kdb(self):
        #populate the directory with the realm structure
-        args = ["kdb5_util", "create", "-s", "-P", self.master_password,
+        args = ["kdb5_util", "create", "-s",
                                       "-r", self.realm,
                                       "-x", "ipa-setup-override-restrictions"]
+        dialogue = (
+            # Enter KDC database master key:
+            self.master_password + '\n',
+            # Re-enter KDC database master key to verify:
+            self.master_password + '\n',
+        )
        try:
-            ipautil.run(args, nolog=(self.master_password))
+            ipautil.run(args, nolog=(self.master_password), stdin=''.join(dialogue))
        except ipautil.CalledProcessError, e:
            print "Failed to initialize the realm container"