Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 744422

Summary: Leaks KDC password and master password via command line arguments
Product: Red Hat Enterprise Linux 6 Reporter: Dmitri Pal <dpal>
Component: ipaAssignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 6.1CC: jgalipea, mkosek, rcritten
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-2.1.3-1.el6 Doc Type: Bug Fix
Doc Text:
Cause: When the IPA server is being installed ipa-server-install call kdb5_ldap_util to populate the directory with realm info. It passes a Kerberos master database password and Kerberos directory password as its parameters. Consequence: Any user listing all running processes during IPA server installation may be able to catch these passwords Fix: kdb5_ldap_util interactive mode is used to pass the passwords rather that CLI parameters Result: Passwords are not visible in process listing during IPA server installation so that no user can catch them
 Story Points: ---
Clone Of: 744373 Environment:
Last Closed: 2011-12-06 18:42:38 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 744373, 745580    
Bug Blocks: 748554    

Description Dmitri Pal 2011-10-08 15:23:12 UTC 
+++ This bug was initially created as a clone of Bug #744373 +++

ipa-server leaks KDC password and master password via command line arguments, 
in krbinstance.py --> (in both IPAv1 and IPAv2) 
the following code can be found 

class KrbInstance(service.Service):
...
..

    def __create_instance(self, replica=False):
        self.__template_file("/var/kerberos/krb5kdc/kdc.conf")
        self.__template_file("/etc/krb5.conf")
        self.__template_file("/usr/share/ipa/html/krb5.ini")
        self.__template_file("/usr/share/ipa/html/krb.con")
        self.__template_file("/usr/share/ipa/html/krbrealm.con")

        if not replica:
            #populate the directory with the realm structure
            args = ["kdb5_ldap_util", "-D", "uid=kdc,cn=sysaccounts,cn=etc,"+self.suffix, "-w", self.kdc_password, "create", "-s", "-P", self.master_password, "-r", self.realm, "-subtrees", self.suffix, "-sscope", "sub"]
            try:
                ipautil.run(args, nolog=(self.kdc_password, self.master_password))
            except ipautil.CalledProcessError, e:
                print "Failed to populate the realm structure in kerberos", e


so if the code under 
        if not replica:
gets executed the kdc_password and master_password will be leaked on the system (one should be able to use ps -ef to view the leaked  password information).

kdb5_ldap_util recommends against the use of -P and -w.
I haven't verified this bug as I do not have a working copy of Fedora or RHEL to test on.

--- Additional comment from dpal on 2011-10-08 11:22:20 EDT ---

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/1948
Comment 1 Martin Kosek 2011-10-13 08:20:29 UTC 
*** Bug 745580 has been marked as a duplicate of this bug. ***
Comment 2 Martin Kosek 2011-10-13 08:21:43 UTC 
Fixed upstream:

master: 0d823ddc4e5fa7f8bdecb590b4ebd129106b063f
ipa-2-1: 7a5d906d03af6ee551036a841f71082fc66fa41b
Comment 3 Jenny Severance 2011-10-13 16:51:38 UTC 
Needs steps to reproduce/verify this bug.
Comment 4 Rob Crittenden 2011-10-13 17:21:41 UTC 
Can by partly verified by code inspection: are we using the -P and -w options any more?

Installing the server successfully confirms that the patch does not cause a regression. If Kerberos works at all with the resulting server then the patch is ok.
Comment 6 Jenny Severance 2011-10-26 16:48:46 UTC 
verified:

<snip>
  def __create_instance(self, replica=False):
        self.__template_file("/var/kerberos/krb5kdc/kdc.conf", chmod=None)
        self.__template_file("/etc/krb5.conf")
        self.__template_file("/usr/share/ipa/html/krb5.ini")
        self.__template_file("/usr/share/ipa/html/krb.con")
        self.__template_file("/usr/share/ipa/html/krbrealm.con")

        if not replica:
            #populate the directory with the realm structure
            args = ["kdb5_ldap_util", "-D", "uid=kdc,cn=sysaccounts,cn=etc,"+self.suffix, "create", "-s", "-r", self.realm, "-subtrees", self.suffix, "-sscope", "sub"]
            dialogue = (
                # Password for "uid=kdc,cn=sysaccounts,cn=etc,...":
                self.kdc_password + '\n',
                # Enter KDC database master key:
                self.master_password + '\n',
                # Re-enter KDC database master key to verify:
                self.master_password + '\n',
            )
            try:
                ipautil.run(args, nolog=(self.kdc_password, self.master_password), stdin=''.join(dialogue))
            except ipautil.CalledProcessError, e:
                print "Failed to populate the realm structure in kerberos", e

</snip>

version:
ipa-server-2.1.3-3.el6.x86_64
Comment 7 Martin Kosek 2011-10-31 19:33:42 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: When the IPA server is being installed ipa-server-install call kdb5_ldap_util to populate the directory with realm info. It passes a Kerberos master database password and Kerberos directory password as its parameters. 
Consequence: Any user listing all running processes during IPA server installation may be able to catch these passwords
Fix: kdb5_ldap_util interactive mode is used to pass the passwords rather that CLI parameters
Result: Passwords are not visible in process listing during IPA server installation so that no user can catch them
Comment 8 errata-xmlrpc 2011-12-06 18:42:38 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html