Bug 1154877

Summary: [RFE] virt-who security
Product: Red Hat Enterprise Linux 6
Reporter: Thom Carlin <tcarlin>
Component: virt-who
Assignee: Radek Novacek <rnovacek>
Status: CLOSED ERRATA
QA Contact: gaoshang <sgao>
Severity: medium
Docs Contact: Laura Novich <lnovich>
Priority: unspecified
Version: 6.6
CC: gxing, jherrman, jhradile, nshaik, ovasik, rbalakri, rnovacek, sgao, shihliu, tcarlin, tlavigne, xdmoon
Target Milestone: rc
Keywords: FutureFeature
Hardware: Unspecified
OS: Unspecified
Fixed In Version: virt-who-0.12-1.el6
Doc Type: Release Note
Doc Text:
virt-who supports encrypted passwords

Support for encrypted passwords has been added to the virt-who service. Previously, the passwords for external services were stored in the configuration file as plain text, which exposed the password to any user with read privileges. This update introduces the virt-who-password utility, which allows encrypted passwords to be stored in the virt-who configuration file. With this change, all users who open the virt-who configuration file will see the passwords as encrypted. The encrypted passwords can be decrypted by the root user.
Last Closed: 2015-07-22 07:15:20 UTC
Type: Bug
Bug Blocks: 1154684, 1168221

Description Thom Carlin 2014-10-20 22:25:28 UTC
Description of problem:

/etc/sysconfig/virt-who contains plaintext passwords.  Customer requests hashed password

Version-Release number of selected component (if applicable):

6.6

How reproducible:

Every time

Steps to Reproduce:
1. Look at /etc/sysconfig/virt-who password variables
2.
3.

Actual results:

Plaintext passwords

Expected results:

Obscured passwords

Additional info:

Ideally, customer would like an easy way to update the passwords (i.e. 
"virt-who --old-password=old --new--password=new --hash-algorithm=SHA256")

Comment 5 Radek Novacek 2014-10-21 07:18:24 UTC
This issue is solved by virt-who-password, which is present in virt-who >= 0.10.

This means that the bug is (will be) fixed in RHEL-6.6 and RHEL-7.1.

Please let me know if the solution (virt-who-password) is acceptable for the customer.

Comment 7 Radek Novacek 2014-10-29 11:21:24 UTC
When using an encrypted password, you need to create a config file in /etc/virt-who.d/ with the following content:

[test]
type=esx
owner=<owner>
env=<env>
server=<vCenter_FQDN>
username=<username>
encrypted_password=<encrypted_password>

See virt-who-config(5) manual page.

Comment 8 Thom Carlin 2014-12-02 19:35:35 UTC
We did above (at another site)

Using /etc/virt-who.d/file with "password", it works
Using /etc/virt-who.d/file with "encrypted_password", we get "Cannot complete login due to an incorrect user name or password." then "ERROR: Unable to login to ESX"

We are running a fully patched RHEL 6.6 x86_64 VM (virt-who is 0.18-8.el6).

We also tried a second username with similar results.

Any suggestions?

Comment 9 Radek Novacek 2014-12-03 08:08:20 UTC
Thom,

looks like this bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1161604

It will be resolved in 6.7.

Comment 10 Radek Novacek 2015-02-27 19:34:46 UTC
Fixed by rebase to virt-who-0.12-1.el6.

Comment 12 Liushihui 2015-04-02 07:25:56 UTC
virt-who can send the host/guest association to Satellite 6.1.0/SAM when virt-who is configured with an encrypted password. Therefore, verified on virt-who-0.12-2.el6.noarch.

Verified version:
virt-who-0.12-2.el6.noarch
subscription-manager-1.14.1-1.el6.x86_64
python-rhsm-1.14.1-1.el6.x86_64
Satellite-6.1.0-RHEL-7-20150331.1

Verified steps:
1. Register virt-who system to satellite/SAM. Configure virt-who under /etc/virt-who.d/ with encrypted password (virt-who-password).
[root@rhel6 ~]# virt-who-password 
Password: 
Use following as value for encrypted_password key in the configuration file:
5b88800af968f28cb59089f55bc01caf

[root@hp-z220-05 ~]# cat /etc/virt-who.d/virtwho 
[test-esx1]
type=esx
server=10.66.79.72
username=Administrator
encrypted_password=5b88800af968f28cb59089f55bc01caf
owner=ACME_Corporation
env=Library
[root@hp-z220-05 ~]# vim /etc/sysconfig/virt-who 
VIRTWHO_BACKGROUND=1
VIRTWHO_DEBUG=1

2. Restart virt-who services.
[root@hp-z220-05 ~]# service virt-who restart
Stopping virt-who:                                         [  OK  ]
Starting virt-who:                                         [  OK  ]

3. Check the log in /var/log/rhsm/rhsm.log. It doesn't show any error message.
virt-who sends the host/guest mapping to satellite/SAM.
2015-04-01 03:35:27,745 [DEBUG]  @esx.py:51 - Log into ESX
2015-04-01 03:35:28,759 [DEBUG]  @esx.py:54 - Creating ESX event filter
2015-04-01 03:35:29,079 [DEBUG]  @esx.py:113 - Waiting for ESX changes
2015-04-01 03:35:29,093 [INFO]  @subscriptionmanager.py:124 - Sending update in hosts-to-guests mapping: {564ddb0f-caf1-7df2-579c-2f5a43bbac65: [420e3b44-d7b1-856c-e60c-5d7442bf137c], aee4ff00-8c33-11e2-994a-6c3be51d959a: [], 86b2bd00-8bad-11e2-87f4-6c3be514699d: [4224a77f-1c50-42cb-3507-2b68b447ed60, 4224e5d2-4fcf-2bc2-2559-5846035d3a78]}
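
An audit check for the condition this report is about, as an added example that is not part of the bug thread or of virt-who itself: it flags /etc/virt-who.d/ sections that still carry a plaintext password key, files readable beyond their owner, and password variables left set in /etc/sysconfig/virt-who. The function names, the sample hostnames and the plaintext value are constructed; the hex check and the "name ends in PASSWORD" pattern are assumptions drawn from what the report shows.

```python
import configparser
import re
import stat

# Constructed sample modeled on the config shown in comment 12; the
# hostnames, second section and plaintext value are made up.
SAMPLE_CONF = """\
[test-esx1]
type=esx
server=vcenter.example.com
username=Administrator
encrypted_password=5b88800af968f28cb59089f55bc01caf

[test-esx2]
type=esx
server=vcenter2.example.com
username=svc-virtwho
password=Sup3r%Secret
"""

# Assumption: sysconfig password variables are shell assignments whose
# name ends in PASSWORD (the report only says "password variables").
SYSCONFIG_PW = re.compile(r"^\s*(?:export\s+)?(\w*PASSWORD)=(\S.*)$", re.M)


def audit_conf(text, mode=0o600):
    """Return (section, issue) findings for one /etc/virt-who.d/ file."""
    findings = []
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(("file", "readable by group or others"))
    # interpolation=None: a '%' in a password must not break parsing
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    for name in cp.sections():
        sec = cp[name]
        if sec.get("password"):
            findings.append((name, "plaintext password key"))
        enc = sec.get("encrypted_password")
        # Assumption: the value is hex, as in the output shown in this report
        if enc is not None and not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", enc):
            findings.append((name, "encrypted_password is not hex"))
    return findings


def audit_sysconfig(text):
    """Return names of non-empty *PASSWORD variables in sysconfig text."""
    return [m.group(1) for m in SYSCONFIG_PW.finditer(text)
            if m.group(2).strip("'\"")]
```

Findings carry only section and variable names, never the secret values, so the output can go into a ticket or log. Pass `stat.S_IMODE(os.stat(path).st_mode)` as `mode` when running it against real files.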

Comment 13 errata-xmlrpc 2015-07-22 07:15:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1377.html