Bug 1958664

Summary: [RFE] Replace bcrypt hash function with (FIPS-approved / NIST recommended) encryption algorithm for internal passwords in the Satellite.
Product: Red Hat Satellite
Reporter: Satyajit Das <sadas>
Component: Authentication
Assignee: Lukas Zapletal <lzap>
Status: CLOSED ERRATA
QA Contact: Omkar Khatavkar <okhatavk>
Severity: high
Priority: high
Version: 6.9.0
CC: aruzicka, egolov, ehelms, lzap, mhulan, parmstro, tbrisker, thadzhie, vijsingh
Target Milestone: 6.11.0
Keywords: FutureFeature, Triaged
Target Release: Unused
Hardware: All
OS: Linux
Fixed In Version: foreman-3.1.1.10-1
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2022-07-05 14:28:51 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Satyajit Das 2021-05-09 16:46:19 UTC
Description of problem:

Satellite uses bcrypt for password hashing, introduced in Satellite version 6.7 [1]. bcrypt is based on the Blowfish cipher, and Blowfish is not FIPS compliant, so the STIG scanner raises an exception that the database appears to use non-FIPS-compliant encryption.

Version-Release number of selected component (if applicable):

6.9

Expected results:

Replace bcrypt hash function with (FIPS-approved / NIST recommended) encryption algorithm for internal passwords in the Satellite.

Additional info:
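The kind of check the STIG scanner performs can be reproduced offline against an export of the stored password hashes. The following audit helper is an added example, not code from Satellite, Foreman or the reporter: it classifies each stored value by its modular-crypt prefix (bcrypt, the pre-6.7 SHA-1 digest, or PBKDF2-HMAC-SHA-2, which NIST SP 800-132 recommends) and reports the rows a FIPS scan would flag. The `$pbkdf2-sha256$iterations$salt$hash` layout, the 10,000-iteration floor and the sample rows are assumptions made for this example.

```ruby
# Added audit helper (not part of Satellite/Foreman). Classifies stored
# password hashes and flags those a FIPS/STIG scan will reject.
# The "$pbkdf2-sha256$iter$salt$hash" layout is an assumed storage format.

# NIST SP 800-132 fixes no iteration count; 10_000 is the floor assumed here.
MIN_PBKDF2_ITERATIONS = 10_000

# Returns { scheme:, fips:, reason:, ... } for one stored hash string.
def classify_password_hash(stored)
  case stored
  when /\A\$2[aby]\$(\d{2})\$/
    # bcrypt is Blowfish-based: not a FIPS-approved primitive at any cost
    { scheme: 'bcrypt', cost: $1.to_i, fips: false,
      reason: 'bcrypt (Blowfish) is not FIPS approved' }
  when /\A\$pbkdf2-sha(256|512)\$(\d+)\$[^$]+\$[^$]+\z/
    iterations = $2.to_i
    ok = iterations >= MIN_PBKDF2_ITERATIONS
    { scheme: "pbkdf2-sha#{$1}", iterations: iterations, fips: ok,
      reason: ok ? 'approved' : "iteration count #{iterations} below #{MIN_PBKDF2_ITERATIONS}" }
  when /\A[0-9a-f]{40}\z/i
    # 40 hex chars: the SHA-1 digest format Satellite used before 6.7 (see [1])
    { scheme: 'sha1', fips: false, reason: 'SHA-1 password digest is deprecated' }
  else
    { scheme: 'unknown', fips: false, reason: 'unrecognised format' }
  end
end

# Audits [login, hash] rows; returns only the rows a scanner would flag.
def audit_password_hashes(rows)
  rows.map { |login, h| [login, classify_password_hash(h)] }
      .reject { |_, r| r[:fips] }
end

# Constructed sample rows, not real Satellite data.
SAMPLE_ROWS = [
  ['admin',   '$2a$12$' + 'x' * 53],
  ['svc_api', '$pbkdf2-sha256$29000$c2FsdA$aGFzaA'],
  ['legacy',  'da39a3ee5e6b4b0d3255bfef95601890afd80709'],
  ['weak',    '$pbkdf2-sha256$1000$c2FsdA$aGFzaA'],
]

if __FILE__ == $PROGRAM_NAME
  audit_password_hashes(SAMPLE_ROWS).each do |login, r|
    puts "#{login}: #{r[:scheme]} - #{r[:reason]}"
  end
end
```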

Comment 1 Satyajit Das 2021-05-09 16:52:05 UTC
[1] Bug 1814595 - Use safer bcrypt hash function for internal passwords instead of sha1
https://bugzilla.redhat.com/show_bug.cgi?id=1814595

Comment 3 Bryan Kearney 2021-05-10 16:02:24 UTC
Upstream bug assigned to lzap

Comment 4 Bryan Kearney 2021-05-10 16:02:26 UTC
Upstream bug assigned to lzap

Comment 6 Bryan Kearney 2022-01-27 16:04:15 UTC
Upstream bug assigned to lzap

Comment 7 Bryan Kearney 2022-01-27 16:04:17 UTC
Upstream bug assigned to lzap

Comment 8 Bryan Kearney 2022-03-26 12:03:53 UTC
Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/32572 has been resolved.

Comment 13 Omkar Khatavkar 2022-04-19 11:19:15 UTC
Verified on Satellite 6.11 with snap 16; working as expected.

Comment 17 errata-xmlrpc 2022-07-05 14:28:51 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: Satellite 6.11 Release), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5498