mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-24 16:10:02 -06:00
Configure PKI AJP Secret with 256-bit secret
By default, PKI's AJP secret is generated as a 75-bit password. By generating it in IPA, we can guarantee the strength of the AJP secret. It makes sense to use a stronger AJP secret because it typically isn't rotated; access to AJP allows an attacker to impersonate an admin while talking to PKI. Fixes: https://pagure.io/freeipa/issue/8372 Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1849146 Related: https://bugzilla.redhat.com/show_bug.cgi?id=1845447 Related: https://github.com/dogtagpki/pki/pull/437 Signed-off-by: Alexander Scheel <ascheel@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This commit is contained in:
parent
c5e9bd61d6
commit
3ecea7800a
@ -12,6 +12,7 @@
|
||||
#
|
||||
# Predefined variables
|
||||
# - ipa_ca_subject
|
||||
# - ipa_ajp_secret
|
||||
# - ipa_fqdn
|
||||
# - ipa_subject_base
|
||||
# - pki_admin_password
|
||||
|
@ -12,6 +12,7 @@ ipa_ca_pem_file=/etc/ipa/ca.crt
|
||||
|
||||
## dynamic values
|
||||
# ipa_ca_subject=
|
||||
# ipa_ajp_secret=
|
||||
# ipa_subject_base=
|
||||
# ipa_fqdn=
|
||||
# ipa_ocsp_uri=
|
||||
@ -66,6 +67,7 @@ pki_issuing_ca=%(pki_issuing_ca_uri)s
|
||||
pki_replication_password=
|
||||
|
||||
pki_enable_proxy=True
|
||||
pki_ajp_secret=%(ipa_ajp_secret)s
|
||||
pki_restart_configured_instance=False
|
||||
pki_security_domain_hostname=%(ipa_fqdn)s
|
||||
pki_security_domain_https_port=443
|
||||
|
@ -840,7 +840,9 @@ class PKIIniLoader:
|
||||
pki_subsystem_type=subsystem.lower(),
|
||||
home_dir=os.path.expanduser("~"),
|
||||
# for softhsm2 testing
|
||||
softhsm2_so=paths.LIBSOFTHSM2_SO
|
||||
softhsm2_so=paths.LIBSOFTHSM2_SO,
|
||||
# Configure a more secure AJP password by default
|
||||
ipa_ajp_secret=ipautil.ipa_generate_password(special=None)
|
||||
)
|
||||
|
||||
@classmethod
|
||||
|
Loading…
Reference in New Issue
Block a user