Commit c9041c3b authored by Russ Allbery's avatar Russ Allbery

Accept password in standard input in krb5-sync-backend

krb5-sync-backend's password command now accepts the password on
standard input in addition to accepting it as a command-line
parameter.  This is more secure since the password is not exposed to
other users of the same system.
parent 2d9f986b
...@@ -13,6 +13,11 @@ krb5-sync 2.2 (unreleased) ...@@ -13,6 +13,11 @@ krb5-sync 2.2 (unreleased)
skip -randkey key changes in the plugin since we cannot currently do skip -randkey key changes in the plugin since we cannot currently do
anything sensible with them. Thanks, Dominic Hargreaves. anything sensible with them. Thanks, Dominic Hargreaves.
krb5-sync-backend's password command now accepts the password on
standard input in addition to accepting it as a command-line
parameter. This is more secure since the password is not exposed to
other users of the same system.
Remove the patch for Stanford's patched MIT Kerberos 1.4.4 from the Remove the patch for Stanford's patched MIT Kerberos 1.4.4 from the
distribution. This has not been used at Stanford for years and is old distribution. This has not been used at Stanford for years and is old
enough that it's unlikely to be of interest to others. enough that it's unlikely to be of interest to others.
......
...@@ -7,10 +7,6 @@ ...@@ -7,10 +7,6 @@
* The base DN for finding users in Active Directory probably has to be * The base DN for finding users in Active Directory probably has to be
configurable. configurable.
* After remctl has been modified to allow passing of some parameters on
standard input, change krb5-sync-backend to accept the password on
standard input to avoid exposing it on the command line.
* krb5-sync-backend should get the path to Perl and krb5-sync from * krb5-sync-backend should get the path to Perl and krb5-sync from
configure. configure.
......
...@@ -3,7 +3,8 @@ ...@@ -3,7 +3,8 @@
# krb5-sync-backend -- Manipulate Kerberos password and status change queue. # krb5-sync-backend -- Manipulate Kerberos password and status change queue.
# #
# Written by Russ Allbery <rra@stanford.edu> # Written by Russ Allbery <rra@stanford.edu>
# Copyright 2007, 2008, 2010 Board of Trustees, Leland Stanford Jr. University # Copyright 2007, 2008, 2010, 2012
# The Board of Trustees of the Leland Stanford Junior University
# #
# Permission to use, copy, modify, and distribute this software and its # Permission to use, copy, modify, and distribute this software and its
# documentation for any purpose and without fee is hereby granted, provided # documentation for any purpose and without fee is hereby granted, provided
...@@ -263,6 +264,10 @@ EOH ...@@ -263,6 +264,10 @@ EOH
die "Usage: sync process\n" unless @args == 0; die "Usage: sync process\n" unless @args == 0;
process ($silent); process ($silent);
} elsif ($function eq 'password') { } elsif ($function eq 'password') {
if (@args == 2) {
local $/;
$args[2] = <STDIN>;
}
die "Usage: sync password <user> <system> <password>\n" unless @args == 3; die "Usage: sync password <user> <system> <password>\n" unless @args == 3;
queue_password (@args); queue_password (@args);
} elsif ($function eq 'purge') { } elsif ($function eq 'purge') {
...@@ -290,7 +295,7 @@ B<krb5-sync-backend> (help|list) ...@@ -290,7 +295,7 @@ B<krb5-sync-backend> (help|list)
B<krb5-sync-backend> [B<-s>] process B<krb5-sync-backend> [B<-s>] process
B<krb5-sync-backend> password I<user> ad I<password> B<krb5-sync-backend> password I<user> ad < I<password>
B<krb5-sync-backend> purge I<days> B<krb5-sync-backend> purge I<days>
...@@ -348,13 +353,17 @@ fails for a queued action, all other actions sharing the same username, ...@@ -348,13 +353,17 @@ fails for a queued action, all other actions sharing the same username,
domain, and action will be skipped and queue processing will continue with domain, and action will be skipped and queue processing will continue with
the next action that differs in one of those three parameters. the next action that differs in one of those three parameters.
=item password I<user> ad I<password> =item password I<user> ad < I<password>
Queue a password change for I<user> in Active Directory, setting their Queue a password change for I<user> in Active Directory, setting their
password to I<password>. Note that I<password> appears on the command password to I<password>. By default, I<password> is read from standard input.
line, so you don't want to invoke this command in any environment where an It can also be passed as a command-line argument, but this is less secure
untrusted user would be in a position to see the command-line arguments of since the password is then readable by anyone on the system who can see the
processes (which are generally readable to anyone on the system). command-line arguments of processes.
The entire standard input is taken as the password, including any trailing
newlines, so be careful how the password is provided. If using something like
B<echo>, use C<echo -n> or the C<\c> flag, depending on your system.
=item purge I<days> =item purge I<days>
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment