From f2e0818bc97bfbeba83f6abbb07909a8debcad77 Mon Sep 17 00:00:00 2001
From: Pradeep Kilambi <pkilambi@cisco.com>
Date: Thu, 9 May 2013 09:29:02 -0700
Subject: [PATCH] Allow secure user password update.
This patch allows the user password to be updated via
a command prompt so the password doesn't show up in the bash history.
The password is prompted for twice to verify that the two entries match.
If the user presses Ctrl-D at the prompt, a message appears suggesting
either of the options to update the password.
Fixes: bug#938315
Change-Id: I4271ae569b922f33c34f9b015a7ee6f760414e39
---
keystoneclient/utils.py | 23 ++++++++++++++++++++++-
keystoneclient/v2_0/shell.py | 10 ++++++++--
2 files changed, 30 insertions(+), 3 deletions(-)
Index: python-keystoneclient/keystoneclient/utils.py
===================================================================
--- python-keystoneclient.orig/keystoneclient/utils.py
+++ python-keystoneclient/keystoneclient/utils.py
@@ -1,3 +1,5 @@
+import getpass
+import sys
import uuid
import prettytable
@@ -95,3 +97,22 @@ def string_to_bool(arg):
return arg
return arg.strip().lower() in ('t', 'true', 'yes', '1')
+
+
+def prompt_for_password():
+ """
+ Prompt user for password if not provided so the password
+ doesn't show up in the bash history.
+ """
+ if not (hasattr(sys.stdin, 'isatty') and sys.stdin.isatty()):
+ # nothing to do
+ return
+
+ while True:
+ try:
+ new_passwd = getpass.getpass('New Password: ')
+ rep_passwd = getpass.getpass('Repeat New Password: ')
+ if new_passwd == rep_passwd:
+ return new_passwd
+ except EOFError:
+ return
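Review bot: When the two entries differ, the `while True` loop in `prompt_for_password` goes straight back to 'New Password: ' with no message, so the user cannot tell why the prompt came back. An `else:` branch on `if new_passwd == rep_passwd:` that prints a short notice, for example `print 'Passwords do not match, please try again.'`, would make the retry understandable. The docstring should also state that the function returns None when stdin is not a TTY or when the prompt hits EOF, because the caller in shell.py branches on that value.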
Index: python-keystoneclient/keystoneclient/v2_0/shell.py
===================================================================
--- python-keystoneclient.orig/keystoneclient/v2_0/shell.py
+++ python-keystoneclient/keystoneclient/v2_0/shell.py
@@ -15,6 +15,8 @@
# License for the specific language governing permissions and limitations
# under the License.
+import sys
+
from keystoneclient.v2_0 import client
from keystoneclient import utils
@@ -82,12 +84,17 @@ def do_user_update(kc, args):
print 'Unable to update user: %s' % e
-@utils.arg('--pass', metavar='<password>', dest='passwd', required=True,
+@utils.arg('--pass', metavar='<password>', dest='passwd', required=False,
help='Desired new password')
@utils.arg('id', metavar='<user-id>', help='User ID to update')
def do_user_password_update(kc, args):
"""Update user password"""
- kc.users.update_password(args.id, args.passwd)
+ new_passwd = args.passwd or utils.prompt_for_password()
+ if new_passwd is None:
+ msg = ("\nPlease specify password using the --pass option "
+ "or using the prompt")
+ sys.exit(msg)
+ kc.users.update_password(args.id, new_passwd)
@utils.arg('id', metavar='<user-id>', help='User ID to delete')
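Review bot: Pressing Enter twice at the prompt makes `utils.prompt_for_password()` return `''`, which passes the `new_passwd is None` check in `do_user_password_update` and is sent to `kc.users.update_password` as an empty password. Using `if not new_passwd:` would reject the empty string together with the None case; whether the server refuses empty passwords is not visible from this hunk. The `--pass` help text could also say that the password is prompted for when the option is omitted, e.g. `help='Desired new password (prompted for if not given)'`, since a value given on the command line still ends up in shell history.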