Do not collect krb5.keytab

Avoid collecting kerberos keytabs to prevent unintended information disclosures. Instead retrieve a list using the klist command. Also remove the duplicative collection of this information from the ipa plug-in (which should only be collecting non-system keytabs that are specific to the IPA tools). Signed-off-by: Bryn M. Reeves <bmr@redhat.com>
author: Bryn M. Reeves <bmr@redhat.com> 2013-08-01 16:48:19 +0100
committer: Bryn M. Reeves <bmr@redhat.com> 2013-08-01 16:52:13 +0100
commit: d628ee46d638731de58dea3e28a06a253d4c56cb (patch)
tree: cece66779229a7b46659ac3f4705fd8ff5519bb5
parent: 9042ad455c31ad4cb007b1b34f7d475331ef99e0 (diff)
download: sos-d628ee46d638731de58dea3e28a06a253d4c56cb.tar.gz
2 files changed, 2 insertions, 4 deletions
diff --git a/sos/plugins/ipa.py b/sos/plugins/ipa.py
index 3244f34d..0061659e 100644
--- a/sos/plugins/ipa.py
+++ b/sos/plugins/ipa.py
@@ -73,7 +73,6 @@ class Ipa(Plugin, RedHatPlugin):
 
         self.add_cmd_output("klist -ket /etc/dirsrv/ds.keytab")
         self.add_cmd_output("klist -ket /etc/httpd/conf/ipa.keytab")
-        self.add_cmd_output("klist -ket /etc/krb5.keytab")
 
         return
 
diff --git a/sos/plugins/krb5.py b/sos/plugins/krb5.py
index d9dca896..0d33094e 100644
--- a/sos/plugins/krb5.py
+++ b/sos/plugins/krb5.py
@@ -23,7 +23,6 @@ class Krb5(Plugin, RedHatPlugin, DebianPlugin, UbuntuPlugin):
     plugin_name = 'krb5'
 
     def setup(self):
-        self.add_copy_specs([
-            "/etc/krb5.conf",
-            "/etc/krb5.keytab"])
+        self.add_copy_spec("/etc/krb5.conf")
+        self.add_cmd_output("klist -ket /etc/krb5.keytab")
author	Bryn M. Reeves <bmr@redhat.com>	2013-08-01 16:48:19 +0100
committer	Bryn M. Reeves <bmr@redhat.com>	2013-08-01 16:52:13 +0100
commit	d628ee46d638731de58dea3e28a06a253d4c56cb (patch)
tree	cece66779229a7b46659ac3f4705fd8ff5519bb5
parent	9042ad455c31ad4cb007b1b34f7d475331ef99e0 (diff)
download	sos-d628ee46d638731de58dea3e28a06a253d4c56cb.tar.gz