From d628ee46d638731de58dea3e28a06a253d4c56cb Mon Sep 17 00:00:00 2001
From: "Bryn M. Reeves"
Date: Thu, 1 Aug 2013 16:48:19 +0100
Subject: Do not collect krb5.keytab
Avoid collecting kerberos keytabs to prevent unintended information disclosures. Instead retrieve a list using the klist command. Also remove the duplicative collection of this information from the ipa plug-in (which should only be collecting non-system keytabs that are specific to the IPA tools).
Signed-off-by: Bryn M. Reeves
---
 sos/plugins/ipa.py | 1 -
 sos/plugins/krb5.py | 5 ++---
 2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/sos/plugins/ipa.py b/sos/plugins/ipa.py
index 3244f34d..0061659e 100644
--- a/sos/plugins/ipa.py
+++ b/sos/plugins/ipa.py
@@ -73,7 +73,6 @@ class Ipa(Plugin, RedHatPlugin):
 self.add_cmd_output("klist -ket /etc/dirsrv/ds.keytab")
 self.add_cmd_output("klist -ket /etc/httpd/conf/ipa.keytab")
- self.add_cmd_output("klist -ket /etc/krb5.keytab")
 return
diff --git a/sos/plugins/krb5.py b/sos/plugins/krb5.py
index d9dca896..0d33094e 100644
--- a/sos/plugins/krb5.py
+++ b/sos/plugins/krb5.py
@@ -23,7 +23,6 @@ class Krb5(Plugin, RedHatPlugin, DebianPlugin, UbuntuPlugin):
 plugin_name = 'krb5'
 def setup(self):
- self.add_copy_specs([
- "/etc/krb5.conf",
- "/etc/krb5.keytab"])
+ self.add_copy_spec("/etc/krb5.conf")
+ self.add_cmd_output("klist -ket /etc/krb5.keytab")
-- cgit
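Review bot: The new `setup()` body in sos/plugins/krb5.py has no comment saying why the keytab is listed rather than copied, so a later cleanup could fold `/etc/krb5.keytab` back into a copy spec. I would add above the `klist` call: `# Never copy keytabs: they hold long-term keys. List entries only, and never add -K (prints key values).` The `-ket` flags print principal, KVNO, timestamp and enctype, which is what makes this output safe to ship in a report. Krb5 is also enabled for Debian and Ubuntu, where `klist` may not be installed; presumably sos just records the failed command, but that is worth confirming. The hunk shows no trailing context, so `setup()` seems to end here.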