Bug 1446137 - pki_client_database_password is shown in ipaserver-install.log
Summary: pki_client_database_password is shown in ipaserver-install.log
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Sudhir Menon
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-04-27 10:15 UTC by Sudhir Menon
Modified: 2017-08-01 09:50 UTC (History)
7 users (show)

Fixed In Version: ipa-4.5.0-9.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 09:50:15 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2304 normal SHIPPED_LIVE ipa bug fix and enhancement update 2017-08-01 12:41:35 UTC

Description Sudhir Menon 2017-04-27 10:15:01 UTC
Description of problem: pki_client_database_password is shown in ipaserver-install.log

Version-Release number of selected component (if applicable):
ipa-server-4.5.0-8.el7.x86_64


How reproducible: Always


Steps to Reproduce:
1. Install IPA-Server
2. Check ipaserver-install.log

Actual results:
pki_client_database_password is displayed in the install log

2017-04-27T10:12:50Z DEBUG Contents of pkispawn configuration file (/tmp/tmp1d8iQh):
[CA]
pki_security_domain_name = IPA
pki_enable_proxy = True
pki_restart_configured_instance = False
pki_backup_keys = True
pki_backup_password = XXXXXXXX
pki_profiles_in_ldap = True
pki_default_ocsp_uri = http://ipa-ca.testrelm.test/ca/ocsp
pki_client_database_dir = /var/lib/ipa/tmp-bilHhu
pki_client_database_password = 7Nk~a?+bv,IM!$qWWmh3mlWT{SRq}.dQJ}o%uqkcE  <===
pki_client_database_purge = False
pki_client_pkcs12_password = XXXXXXXX
pki_admin_name = admin
pki_admin_uid = admin
pki_admin_email = root@localhost
pki_admin_password = XXXXXXXX

Expected results: 
We should not display the password in the install log

Additional info:

Comment 2 Petr Vobornik 2017-04-27 10:24:07 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/6904

Comment 3 Martin Babinsky 2017-04-27 11:32:39 UTC
The issue was fixed in master branch but not backported to ipa-4-5.

Fixed upstream
ipa-4-5:
https://pagure.io/freeipa/c/1d911fc2186da1c6566648f94a6819c4e7a2a72b

Comment 5 Sudhir Menon 2017-05-03 09:28:24 UTC
Fix is seen. Verified on RHEL7.4 using

ipa-server-4.5.0-9.el7.x86_64
389-ds-base-1.3.6.1-9.el7.x86_64
sssd-1.15.2-21.el7.x86_64
selinux-policy-3.13.1-145.el7.noarch
pki-kra-10.4.1-2.el7.noarch
pki-ca-10.4.1-2.el7.noarch
selinux-policy-3.13.1-145.el7.noarch
ipa-server-trust-ad-4.5.0-9.el7.x86_64

2017-05-03T09:23:06Z DEBUG Contents of pkispawn configuration file (/tmp/tmpemCM77):
[CA]
pki_security_domain_name = IPA
pki_enable_proxy = True
pki_restart_configured_instance = False
pki_backup_keys = True
pki_backup_password = XXXXXXXX
pki_profiles_in_ldap = True
pki_default_ocsp_uri = http://ipa-ca.testrelm.test/ca/ocsp
pki_client_database_dir = /var/lib/ipa/tmp-dLJfPI
pki_client_database_password = XXXXXXXX  
pki_client_database_purge = False
pki_client_pkcs12_password = XXXXXXXX
pki_admin_name = admin
pki_admin_uid = admin
pki_admin_email = root@localhost
pki_admin_password = XXXXXXXX
pki_admin_nickname = ipa-ca-agent
pki_admin_subject_dn = cn=ipa-ca-agent,O=TESTRELM.TEST
pki_client_admin_cert_p12 = /root/ca-agent.p12
pki_ds_ldap_port = 389
pki_ds_password = XXXXXXXX

Comment 6 errata-xmlrpc 2017-08-01 09:50:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304


Note You need to log in before you can comment on or make changes to this bug.