freeipa/install/tools/ipa-httpd-pwdreader
Stanislav Laznicka 7cbd9bd429 Encrypt httpd key stored on disk
This commit adds configuration for HTTPD to encrypt/decrypt its
key which we currently store in clear on the disk.

A password-reading script is added for mod_ssl. This script is
extensible for the future use of directory server with the
expectation that key encryption/decryption will be handled
similarly by its configuration.

https://pagure.io/freeipa/issue/7421

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-03-23 12:48:46 +01:00

37 lines
1.0 KiB
Bash
Executable File

#!/bin/bash
# This program is a handler written for Apache mod_ssl's SSLPassPhraseDialog.
#
# If you'd like to write your custom binary providing passwords to mod_ssl,
# see the documentation of the aforementioned directive of the mod_ssl module.

USAGE="./ipa-pwdreader host:port RSA|DSA|ECC|number"

ERR_UNKNOWN_KEY="\
ERROR: You seem to be running a non-standard IPA installation.
Please extend the /var/libexec/ipa/ipa-pwdreader script to cover your case."

# mod_ssl always invokes the handler with exactly two arguments: the
# virtual host as <servername>:<port> and the key type (RSA, DSA, ECC
# or a numeric key index). Anything else is a misconfiguration.
if [ ! "$#" -eq 2 ]; then
    echo "Wrong number of arguments!" 1>&2
    echo "$USAGE" 1>&2
    exit 1
fi

case "$1" in
    "${HOSTNAME}:443" )
        # Read IPA password
        # IPA expects the password filename format to be
        # <hostname>-<port>-<encryption_algorithm>
        IPA_PASSWD_PATH="/var/lib/ipa/passwds/${1/:/-}-$2"
        cat "$IPA_PASSWD_PATH"
        ;;
    # ================
    # Extend for more virtual hosts with
    # <vhostname>:<vhost_port> )
    #     your_code
    #     ;;
    # ================
    *)
        echo "$ERR_UNKNOWN_KEY" 1>&2
        exit 1
        ;;
esac
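The script above pins the first argument to "${HOSTNAME}:443", so the vhost cannot steer the lookup, but it uses the second argument unvalidated in the file name and trusts whatever mode the passphrase file happens to have. The following is an added example, not FreeIPA's own code, showing a hardened variant of the same SSLPassPhraseDialog handler together with a self-test of its failure modes. Everything about it beyond the mod_ssl calling convention is an assumption of this example: the IPA_PASSWD_DIR and EXPECTED_VHOST environment variables (used so the self-test can run against a scratch directory instead of /var/lib/ipa/passwds), the constructed vhost ipa.example.test and passphrase, the 0600/0400 mode requirement, and GNU stat for the mode check.

```shell
#!/bin/bash
# Added example (not FreeIPA's own code): a hardened variant of the
# SSLPassPhraseDialog handler shown above. mod_ssl invokes an exec: handler as
#     <program> <servername>:<port> <RSA|DSA|ECC|index>
# and reads the passphrase from its stdout. Differences from the page's script,
# all assumptions of this example rather than FreeIPA behaviour:
#   - the passwds directory and the served vhost come from environment
#     variables so the self-test can run against a scratch directory;
#   - the key-type argument is validated, so no argument can ever contribute
#     a '/' or '..' to the path that is read;
#   - the passphrase file must be a regular file not readable by group/other.
# Requires GNU stat (-c '%a'); everything else is POSIX sh.

IPA_PASSWD_DIR="${IPA_PASSWD_DIR:-/var/lib/ipa/passwds}"   # assumed default
EXPECTED_VHOST="${EXPECTED_VHOST:-${HOSTNAME}:443}"          # what IPA keys on

# read_passphrase <host:port> <RSA|DSA|ECC|number>
# stdout: the passphrase, exit 0. Otherwise a diagnostic on stderr and exit 1
# (exit 2 for a usage error). The secret itself never appears in diagnostics.
read_passphrase() {
    vhost="$1"; keytype="$2"

    [ "$#" -eq 2 ] || { echo "usage: $0 host:port RSA|DSA|ECC|number" >&2; return 2; }

    # A vhost we do not know about is a misconfiguration, not a lookup.
    [ "$vhost" = "$EXPECTED_VHOST" ] || { echo "ERROR: unknown vhost '$vhost'" >&2; return 1; }

    # mod_ssl only passes RSA, DSA, ECC or a small decimal index; reject the rest.
    case "$keytype" in
        RSA|DSA|ECC) ;;
        ""|*[!0-9]*) echo "ERROR: bad key type '$keytype'" >&2; return 1 ;;
    esac

    # <hostname>-<port>-<keytype>, the same layout the page's script uses.
    path="${IPA_PASSWD_DIR}/$(printf '%s' "$vhost" | tr ':' '-')-${keytype}"

    [ -f "$path" ] || { echo "ERROR: missing passphrase file $path" >&2; return 1; }

    # Refuse a secret that other users could read: mode must be ?00 (0600/0400).
    mode="$(stat -c '%a' "$path")"
    case "$mode" in
        ?00) ;;
        *) echo "ERROR: $path is mode $mode; expected 0600 or 0400" >&2; return 1 ;;
    esac

    cat -- "$path"
}

# selftest: exercise the happy path and the failure modes against a scratch
# directory with a constructed passphrase. Returns 0 only if every check holds.
selftest() {
    dir="$(mktemp -d)" || return 1
    IPA_PASSWD_DIR="$dir"
    EXPECTED_VHOST="ipa.example.test:443"                    # constructed vhost
    printf 'constructed-passphrase\n' > "$dir/ipa.example.test-443-RSA"
    chmod 0600 "$dir/ipa.example.test-443-RSA"
    rc=0

    # 1. correct vhost and key type -> passphrase on stdout
    out="$(read_passphrase ipa.example.test:443 RSA 2>/dev/null)" || rc=1
    [ "$out" = "constructed-passphrase" ] || rc=1

    # 2. unknown vhost -> refused, nothing on stdout
    out="$(read_passphrase other.example.test:443 RSA 2>/dev/null)" && rc=1
    [ -z "$out" ] || rc=1

    # 3. path-traversal attempt via the key-type argument -> refused
    out="$(read_passphrase ipa.example.test:443 '../../etc/passwd' 2>/dev/null)" && rc=1
    [ -z "$out" ] || rc=1

    # 4. numeric index is legal for mod_ssl, but no such file exists -> refused
    read_passphrase ipa.example.test:443 1 2>/dev/null && rc=1

    # 5. world-readable secret -> refused even though the name is right
    chmod 0644 "$dir/ipa.example.test-443-RSA"
    read_passphrase ipa.example.test:443 RSA 2>/dev/null && rc=1

    rm -rf -- "$dir"
    return "$rc"
}

# Two arguments: act as the mod_ssl handler. No arguments: run the self-test.
if [ "$#" -eq 2 ]; then
    read_passphrase "$@"
elif [ "$#" -eq 0 ]; then
    selftest && echo "selftest: ok" >&2
fi
```

Wire a handler like this into httpd with the real mod_ssl directive, SSLPassPhraseDialog exec:/path/to/handler (the install path is whatever your packaging chooses; the page's own script is referred to under /var/libexec/ipa/). httpd runs the handler at startup and on reload, once per key, so a refused passphrase surfaces as a failed start rather than a silently unlocked key; that is the desired failure mode for a secret that has become world-readable.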