Bug 1256853

Summary: Clear text passwords in KRA install log
Product: Red Hat Enterprise Linux 7 Reporter: Petr Vobornik <pvoborni>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: Namita Soman <nsoman>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.2CC: edewata, ksiddiqu, pvoborni, rcritten, spoore
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.2.0-7.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-11-19 12:06:00 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Petr Vobornik 2015-08-25 15:24:03 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/5246

Currently ipa-kra-install invokes pki tool by passing clear text passwords as command line arguments so the passwords are logged in the ipa-server-kra-install.log. The invocation should be changed to use password files instead.

Proposed milestone: 4.2.1
Comment 1 Petr Vobornik 2015-08-26 11:52:52 UTC 
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/8676364ae8260a5894b0b0c2af8e81b10aeaba6b
ipa-4-2:
https://fedorahosted.org/freeipa/changeset/4e474c5a20b91d4eed75f514f801b40f1f291e65
Comment 3 Scott Poore 2015-09-03 23:54:04 UTC 
Petr,

How can I confirm this?

I don't see a pki command similar to what's in the patches.

This is all I see:

[root@master log]# strings /var/log/ipaserver-kra-install.log|grep /usr/bin/pki
2015-08-27T21:02:20Z DEBUG args='/usr/bin/pki' '-d' '/etc/httpd/alias' '-C' '/etc/httpd/alias/pwdfile.txt' 'client-cert-show' 'ipaCert' '--client-cert' '/etc/httpd/alias/kra-agent.pem'


I do though see them in the pki-spawn logs:

[root@master pki]# grep /root/.dogtag/pki-tomcat/kra/password.conf pki-kra-spawn.20150827160105.log
    'pki_client_password_conf': '/root/.dogtag/pki-tomcat/kra/password.conf',
2015-08-27 16:01:07 pkispawn    : INFO     ....... modifying '/root/.dogtag/pki-tomcat/kra/password.conf'
2015-08-27 16:01:07 pkispawn    : DEBUG    ........... chmod 660 /root/.dogtag/pki-tomcat/kra/password.conf
2015-08-27 16:01:07 pkispawn    : DEBUG    ........... chown 0:0 /root/.dogtag/pki-tomcat/kra/password.conf
2015-08-27 16:01:07 pkispawn    : INFO     ....... executing 'certutil -N -d /tmp/tmp-ZQWfT0 -f /root/.dogtag/pki-tomcat/kra/password.conf'
    'pki_client_password_conf': '/root/.dogtag/pki-tomcat/kra/password.conf',


[root@master pki]# grep /root/.dogtag/pki-tomcat/kra/pkcs12_password.conf pki-kra-spawn.20150827160105.log
    'pki_client_pkcs12_password_conf': '/root/.dogtag/pki-tomcat/kra/pkcs12_password.conf',
2015-08-27 16:01:07 pkispawn    : INFO     ....... modifying '/root/.dogtag/pki-tomcat/kra/pkcs12_password.conf'
2015-08-27 16:01:07 pkispawn    : DEBUG    ........... chmod 660 /root/.dogtag/pki-tomcat/kra/pkcs12_password.conf
2015-08-27 16:01:07 pkispawn    : DEBUG    ........... chown 17:17 /root/.dogtag/pki-tomcat/kra/pkcs12_password.conf
    'pki_client_pkcs12_password_conf': '/root/.dogtag/pki-tomcat/kra/pkcs12_password.conf',

Is that all I should expect to see?   Where/how was the password showing up?  I'd like to eliminate that as a possiblility.

Thanks,
Scott
Comment 5 Endi Sukma Dewata 2015-09-04 18:15:03 UTC 
Before the fix there were several pki tool invocations with "-c <clear text password>" in ipaserver-kra-install.log (not pkispawn log). The fix replaces those invocations with "-C <password file>".

Please note that this particular line is not affected by the fix because it's already using a password file:

2015-08-27T21:02:20Z DEBUG args='/usr/bin/pki' '-d' '/etc/httpd/alias' '-C' '/etc/httpd/alias/pwdfile.txt' 'client-cert-show' 'ipaCert' '--client-cert' '/etc/httpd/alias/kra-agent.pem'

Also note that in bug #1258964 the other pki tool invocations will be replaced with direct LDAP modifications.

To verify the fix you probably can execute this line instead:
# strings /var/log/ipaserver-kra-install.log | grep <clear text password>
Comment 6 Scott Poore 2015-09-04 21:04:31 UTC 
Verified.

Version ::

ipa-server-4.2.0-8.el7.x86_64

Results ::

[root@master log]# strings /var/log/ipaserver-kra-install.log | grep Secret123
[root@master log]# 

[root@master pki]# grep Secret123 pki-kra-spawn.*
[root@master pki]# pwd
/var/log/pki
Comment 7 errata-xmlrpc 2015-11-19 12:06:00 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html