Bug 2162075

Summary: [RFE] Activation Keys to act like passwords.
Product: Red Hat Satellite
Reporter: Vedashree Deshpande <vdeshpan>
Component: Activation Keys
Assignee: satellite6-bugs <satellite6-bugs>
Status: NEW
QA Contact: Satellite QE Team <sat-qe-bz-list>
Severity: medium
Priority: unspecified
Version: 6.11.0
CC: chrobert
Target Milestone: Unspecified
Keywords: FutureFeature
Target Release: Unused
Hardware: x86_64
OS: Linux
Doc Type: If docs needed, set a value
Type: Bug

Description Vedashree Deshpande 2023-01-18 17:35:43 UTC
Description of problem:
If the AK is already created and a malicious user gets it somehow, then it can be used to register hosts without any other information, which will be a misuse of subscription counts.

Instead of having users register by activation key name, a more secure "key" should be available (e.g. a 32-character hash or similar). In this manner they could still name activation keys with readable/referenceable names but would use the cryptic key with subscription-manager.


Version-Release number of selected component (if applicable):
satellite 6


Additional info:
https://bugzilla.redhat.com/show_bug.cgi?id=1095435

Comment 1 Marek Hulan 2023-02-01 13:18:59 UTC
The user can already create keys that are e.g. 32 characters long. And it's definitely a good practice if the AK is not something that people could guess or easily read over the shoulder. Each key can have a description which users can search by. We should perhaps also display it in the table where we list activation keys. Would that work?

Comment 4 Chris Roberts 2023-05-17 15:43:28 UTC
+1 to the feature, setting team_triaged flag