Bug 972276
Summary: | RHSM saves the password of proxy server as plain-text | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | wanghui <huiwa> |
Component: | subscription-manager | Assignee: | Jesus M. Rodriguez <jesusr> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | John Sefler <jsefler> |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | 7.0 | CC: | bkearney, ckozak, cshao, csnyder, gouyang, hadong, jesusr, jsefler, leiwang, liliu, mtaru, niparmar, redakkan, vrjain, yaniwang, ycui |
Target Milestone: | rc | Keywords: | Reopened |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2017-08-10 14:24:49 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | | | |
Bug Blocks: | 863175 | | |
Description
wanghui
2013-06-08 05:59:40 UTC
And it is the same as in RHEL6.4.

We opted to respect the http(s)_proxy environment variables similar to yum and curl. We will *not* encrypt the password in the conf file. subscription-manager will use the value in the config if it exists or look at the environment for one of the environment variables that may have the proxy information.

https://github.com/candlepin/subscription-manager/pull/826

This was fixed with environment variable support, you are no longer required to store the password in plain text.

This is in the errata

Development is proposing that their fix for bug 1031755 should be applied as their solution for this bug too. Hence, the detailed "Steps to Reproduce" in comment 0 will continue to fail. Alternatively, the revised steps should be...

0. set an environment variable in your shell session; for example... HTTPS_PROXY=https://username:password@proxyserver:proxyport
1. Clear install RHEV-H.
2. Configure network with dhcp.
3. On the Red Hat Network page, register using "Subscription Asset Manager" mode (DO NOT SELECT with proxy server).
4. Check the /etc/rhsm/rhsm.conf file.

After step 4, the rhsm.conf will not have any value set for the server proxy_* configurations. Instead, traffic will flow through the proxy defined by your HTTPS_PROXY environment variable.

Note: If you specify a proxy server and credentials in step 3, these will be the values used to connect to the proxy server and they will be saved to /rhsm.conf in plain text.

As indicated in comment 6, setting an environment variable prior to starting firstboot will now cause registration to flow through the proxy as follows...

```
[root@jsefler-7 ~]# HTTPS_PROXY=https://redhat:redhat@auto-services.usersys.redhat.com:3128 firstboot
```

This will start firstboot through which you can register with your chosen serverurl without setting any proxy configurations. You can also tail your proxy server log and see the traffic go through it like this...

```
[root@auto-services ~]# tail -f /var/log/squid/access.log
1392174969.787 1556 10.16.6.79 TCP_MISS/200 1198 CONNECT jsefler-f14-candlepin.usersys.redhat.com:8443 redhat DIRECT/10.16.7.99 -
```

Then after registering, you will see that the rhsm.conf remains proxy free, like this...

```
[root@jsefler-7 ~]# grep proxy /etc/rhsm/rhsm.conf
# an http proxy server to use
proxy_hostname =
# port for http proxy server
proxy_port =
# user name for authenticating to an http proxy, if needed
proxy_user =
# password for basic http proxy auth, if needed
proxy_password =
```

VERIFIED: No proxy password was saved in plain text, yet registration successfully passed through the proxy server.

This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.

Hello, I have a case where customer is looking for encrypted (non readable) entries for Username and Password in /etc/rhsm/rhsm.conf file. Customers cannot configure http proxy which is a suggested workaround. Hence re-opening the bugzilla, as customer is looking for a fix. Thank you.

As a workaround, we suggest that the customer create a file which has permissions restricting access to only those users who should know the proxy password. This file should be used to set up the environment variable for the proxy. For example root user's .bashrc could be used for this purpose. Is this an acceptable solution for the customer?

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days
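An added example, not part of the bug report or of subscription-manager's code: a Python audit for the two places the thread says the proxy password can end up, the `[server]` section of rhsm.conf and the permission-restricted file that sets the proxy environment variable. The function names, the sample file names and the placeholder credentials are assumptions made for illustration.

```python
import configparser
import os
import re
import stat
import tempfile
from urllib.parse import urlsplit

# Matches shell lines such as: export HTTPS_PROXY=https://user:pass@host:3128
PROXY_LINE = re.compile(r"^\s*(?:export\s+)?(https?_proxy)=['\"]?([^'\"\s]+)", re.I)


def audit_rhsm_conf(conf_path):
    """Findings for a proxy password stored in rhsm.conf ([server] section)."""
    # interpolation=None: a '%' inside a password is data, not syntax.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read(conf_path)
    if cp.get("server", "proxy_password", fallback="").strip():
        return [f"{conf_path}: proxy_password is stored in plain text"]
    return []


def audit_env_file(env_path):
    """Findings for a shell file that sets the proxy environment variable."""
    mode = stat.S_IMODE(os.stat(env_path).st_mode)
    # Any group/other permission bit means more than the owner can reach it.
    exposed = bool(mode & (stat.S_IRWXG | stat.S_IRWXO))
    findings = []
    with open(env_path, encoding="utf-8") as fh:
        for line in fh:
            m = PROXY_LINE.match(line)
            # Only a URL that embeds a password makes the file sensitive.
            if m and exposed and urlsplit(m.group(2)).password:
                findings.append(f"{env_path}: {m.group(1)} embeds a password, mode {mode:04o}")
    return findings


if __name__ == "__main__":
    # Constructed sample files; host and credentials are placeholders.
    with tempfile.TemporaryDirectory() as d:
        conf, env = os.path.join(d, "rhsm.conf"), os.path.join(d, "proxy.sh")
        with open(conf, "w") as fh:
            fh.write("[server]\nproxy_hostname =\nproxy_password =\n")
        with open(env, "w") as fh:
            fh.write("export HTTPS_PROXY=https://username:password@proxyserver:3128\n")
        os.chmod(env, 0o644)
        print(audit_rhsm_conf(conf) + audit_env_file(env))
```

Run against the real `/etc/rhsm/rhsm.conf` and the file that exports the proxy variable, an empty result means no password in the config and no credential-bearing file reachable by group or other.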