Bug 816935

Summary: RFE: Provide possibility to encrypt/obfuscate plaintext passwords
Product: Red Hat Satellite
Reporter: Lukas Zapletal <lzap>
Component: Subscription Management
Assignee: Lukas Zapletal <lzap>
Status: CLOSED ERRATA
QA Contact: Hayk Hovsepyan <hhovsepy>
Severity: medium
Priority: unspecified
Version: 6.0.0
CC: achan, asettle, cwelton, dmacpher, inecas, mmccune, omaciel
Target Milestone: Unspecified
Keywords: FutureFeature, Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Doc Type: Enhancement
Doc Text:
This feature changes the standard Candlepin configuration file password, which was previously stored in plain text. The Candlepin password is now stored in an encrypted format.
Last Closed: 2012-12-04 19:44:56 UTC
Type: Bug

Description Lukas Zapletal 2012-04-27 10:36:32 UTC
Hello,

for Katello we need a way to obfuscate all plaintext passwords in the Candlepin configuration. Currently I see only the postgresql password that would apply.

We currently have a tool in Katello that allows encrypting passwords to the format that Katello understands ($1$BASE64ENCODEDPW=). It would be best to implement a similar approach for Candlepin.

If you use a different approach, please make sure the password can be encoded by our Puppet installer (simple Ruby function, openssl library available in Katello). Here are the details of our tool: https://github.com/Katello/katello/pull/50

Thanks

Comment 2 Lukas Zapletal 2012-05-02 07:34:52 UTC
More info: the best approach would be to have a passphrase stored in an external config file that would be configurable in Candlepin configuration. Access to this file would be very restricted using SELinux (only katello and candlepin processes).
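One way to implement the scheme sketched in the description and in this comment, as an added example that is not the Katello tool from pull #50 nor Candlepin's own implementation: a small Ruby function on top of the openssl library that reads the passphrase from an external file, refuses a file other users can access (complementing the SELinux restriction), and emits values in a `$1$<base64>` form. The cipher (AES-256-CBC with a PBKDF2-derived key), the salt/IV layout inside the encoded value, and all function names here are assumptions, not the real Katello format.

```ruby
require 'openssl'
require 'base64'

# Assumed layout: "$1$" + base64(salt || iv || ciphertext). Not Katello's real format.
PREFIX = '$1$'.freeze
SALT_LEN = 16
IV_LEN = 16

# The passphrase lives in a separate, restricted file (Comment 2). In addition to
# the SELinux policy, refuse a file that is group- or world-accessible.
def read_passphrase(path)
  st = File.stat(path)
  unless (st.mode & 0o077).zero?
    raise "#{path} is group/world accessible (mode #{format('%o', st.mode & 0o777)})"
  end
  File.read(path).strip
end

# Derive a 256-bit key from the passphrase; a per-value salt keeps equal
# passwords from producing equal encoded values.
def derive_key(passphrase, salt)
  OpenSSL::KDF.pbkdf2_hmac(passphrase, salt: salt, iterations: 10_000, length: 32, hash: 'sha256')
end

def encrypt_password(plaintext, passphrase)
  raise ArgumentError, 'empty password' if plaintext.empty? # Cipher#update rejects ""
  cipher = OpenSSL::Cipher.new('aes-256-cbc').encrypt
  salt = OpenSSL::Random.random_bytes(SALT_LEN)
  iv = cipher.random_iv # generates, sets and returns a fresh IV
  cipher.key = derive_key(passphrase, salt)
  ciphertext = cipher.update(plaintext) + cipher.final
  PREFIX + Base64.strict_encode64(salt + iv + ciphertext)
end

# A value without the prefix is treated as legacy plaintext and passed through,
# so an installer can convert a config file one entry at a time.
def decrypt_password(value, passphrase)
  return value unless value.start_with?(PREFIX)
  raw = Base64.strict_decode64(value[PREFIX.length..-1])
  salt = raw[0, SALT_LEN]
  iv = raw[SALT_LEN, IV_LEN]
  ciphertext = raw[(SALT_LEN + IV_LEN)..-1]
  cipher = OpenSSL::Cipher.new('aes-256-cbc').decrypt
  cipher.key = derive_key(passphrase, salt)
  cipher.iv = iv
  # A wrong passphrase normally surfaces as OpenSSL::Cipher::CipherError on final.
  (cipher.update(ciphertext) + cipher.final).force_encoding(Encoding::UTF_8)
end
```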

Comment 3 Ivan Necas 2012-05-17 07:37:09 UTC
Fix in commit 388c6a1d2a623845a089aac7d0b5c44e5348abab merged to master

Comment 4 Ivan Necas 2012-05-17 11:15:20 UTC
For the record, some fixes for development environment problems after the previous commit were made in commits:

2758e4f5a7ed44e97434dcf708bd31d345fff6d2
fa590870c62627df0dc08d9cc79b01bf38c2a4ce

Comment 6 Ivan Necas 2012-10-04 12:27:46 UTC
The commits in my comments don't relate to the issue; this is the right pull request: https://github.com/Katello/katello/pull/228

Comment 7 Ivan Necas 2012-10-04 12:28:59 UTC
How to verify:

Take the credentials in /etc/candlepin/candlepin.conf

Try to use them to log into the database: should fail.

Comment 8 Corey Welton 2012-10-25 13:37:12 UTC
Going to consider this QE verified. I can see the change in the conf file. 

Trying to actually test it was more tricky, though. By default, our db config is set to 'trust' on localhost, so users will be able to login no matter what, even if they prompt for password and enter something incorrect.

Subsequently, I have taken a few different steps to try logging into postgresql (making changes to the pg_hba.conf, etc., to allow remote logins requiring ident) and was not able to simply login w/ the obfuscated password. 

CloudForms System Engine Version: 1.1.12-17.el6cf

Comment 10 errata-xmlrpc 2012-12-04 19:44:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-1543.html