pyrox.dev
lol
kanidm: don't log provisioned passwords via instrumentation
This also make sure to test this in the related nixos test.
Fixes: CVE-2025-30205
Reported-By: Katherina Walshe-Grey <qenya@qenya.tel>
+10
-3
+4
nixos/tests/kanidm-provisioning.nix
+4
nixos/tests/kanidm-provisioning.nix
···
306
306
provision.succeed('${specialisations}/credentialProvision/bin/switch-to-configuration test')
307
307
provision_login("${provisionIdmAdminPassword}")
308
308
309
+
# Make sure neither password is logged
310
+
provision.fail("journalctl --since -10m --unit kanidm.service --grep '${provisionAdminPassword}'")
311
+
provision.fail("journalctl --since -10m --unit kanidm.service --grep '${provisionIdmAdminPassword}'")
312
+
309
313
# Test provisioned admin pw
310
314
out = provision.succeed("KANIDM_PASSWORD=${provisionAdminPassword} kanidm login -D admin")
311
315
assert_contains(out, "Login Success for admin")
+2
-1
pkgs/by-name/ka/kanidm/patches/1_3/recover-account.patch
+2
-1
pkgs/by-name/ka/kanidm/patches/1_3/recover-account.patch
+2
-1
pkgs/by-name/ka/kanidm/patches/1_4/recover-account.patch
+2
-1
pkgs/by-name/ka/kanidm/patches/1_4/recover-account.patch
+2
-1
pkgs/by-name/ka/kanidm/patches/1_5/recover-account.patch
+2
-1
pkgs/by-name/ka/kanidm/patches/1_5/recover-account.patch