Bug 972276

Summary: RHSM saves the password of proxy server as plain-text
Product: Red Hat Enterprise Linux 7
Reporter: wanghui <huiwa>
Component: subscription-manager
Assignee: Jesus M. Rodriguez <jesusr>
Status: CLOSED CURRENTRELEASE
QA Contact: John Sefler <jsefler>
Severity: medium
Docs Contact:
Priority: medium
Version: 7.0
CC: bkearney, ckozak, cshao, csnyder, gouyang, hadong, jesusr, jsefler, leiwang, liliu, mtaru, niparmar, redakkan, vrjain, yaniwang, ycui
Target Milestone: rc
Keywords: Reopened
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-10 14:24:49 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 863175

Description wanghui 2013-06-08 05:59:40 UTC
Description of problem:
It should not save the password of the proxy server as plain text in rhsm.conf.

Version-Release number of selected component (if applicable):
rhev-hypervisor6-6.4-20130528.0.el6_4
ovirt-node-2.5.0-17.el6_4.5.noarch

How reproducible:
100%

Steps to Reproduce:
1. Clear install RHEV-H.
2. Configure network with dhcp.
3. On the Red Hat Network page, register using "Subscription Asset Manager" mode with proxy server.
4. Check the /etc/rhsm/rhsm.conf file.

Actual results:
After step 4, you can find that the password of the proxy server is saved as plain text.

Expected results:
After step 4, it should not save the password of the proxy server as plain text in rhsm.conf.

Additional info:
Please feel free to transfer the component if it is inappropriate.

Comment 1 wanghui 2013-06-08 09:38:59 UTC
And it is the same as in RHEL6.4.

Comment 3 Jesus M. Rodriguez 2013-11-25 21:37:24 UTC
We opted to respect the http(s)_proxy environment variables similar to yum and curl. We will *not* encrypt the password in the conf file.

subscription-manager will use the value in the config if it exists or look
at the environment for one of the environment variables that may have the
proxy information.

https://github.com/candlepin/subscription-manager/pull/826
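
The lookup order described in comment 3, as an added example that is not part of the thread and is not subscription-manager's own code. The function name `resolve_proxy`, the order in which the environment variables are tried, and the sample host and credentials are assumptions.

```python
import configparser
import os
from urllib.parse import unquote, urlsplit

# Lookup order among the variables is an assumption; the thread only says
# "http(s)_proxy environment variables".
ENV_VARS = ("HTTPS_PROXY", "https_proxy", "HTTP_PROXY", "http_proxy")
KEYS = ("proxy_hostname", "proxy_port", "proxy_user", "proxy_password")


def resolve_proxy(conf_text, environ=None):
    """Return proxy settings and where they came from, or None."""
    environ = os.environ if environ is None else environ
    # interpolation=None: a '%' in a password must not be treated as syntax.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    conf = {k: parser.get("server", k, fallback="").strip() for k in KEYS}
    if conf["proxy_hostname"]:
        # A value in the config file wins, as comment 3 describes.
        return dict(conf, source="rhsm.conf")
    for name in ENV_VARS:
        value = environ.get(name, "").strip()
        if not value:
            continue
        if "://" not in value:
            value = "http://" + value  # allow a bare host:port
        url = urlsplit(value)
        return {
            "proxy_hostname": url.hostname or "",
            "proxy_port": str(url.port or ""),
            "proxy_user": unquote(url.username or ""),
            "proxy_password": unquote(url.password or ""),
            "source": name,
        }
    return None


# Constructed sample: an rhsm.conf whose proxy_* values are all empty.
EMPTY_CONF = "[server]\nproxy_hostname =\nproxy_port =\nproxy_user =\nproxy_password =\n"

if __name__ == "__main__":
    env = {"HTTPS_PROXY": "https://alice:s3cret@proxy.example.test:3128"}
    found = resolve_proxy(EMPTY_CONF, env)
    # Report only where the setting was found, never the secret itself.
    print(found["source"], found["proxy_hostname"], found["proxy_port"])
```
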

Comment 4 Carter Kozak 2014-01-17 21:51:56 UTC
This was fixed with environment variable support; you are no longer required to store the password in plain text.

Comment 5 Carter Kozak 2014-01-27 15:42:13 UTC
This is in the errata

Comment 6 John Sefler 2014-01-27 20:51:39 UTC
Development is proposing that their fix for bug 1031755 should be applied as their solution for this bug too.  Hence, the detailed "Steps to Reproduce" in comment 0 will continue to fail. Alternatively, the revised steps should be...

0. set an environment variable in your shell session; for example...
   HTTPS_PROXY=https://username:password@proxyserver:proxyport
1. Clear install RHEV-H.
2. Configure network with dhcp.
3. On the Red Hat Network page, register using "Subscription Asset Manager" mode (DO NOT SELECT with proxy server).
4. Check the /etc/rhsm/rhsm.conf file.

After step4, the rhsm.conf will not have any value set for the server proxy_* configurations.  Instead, traffic will flow through the proxy defined by your HTTPS_PROXY environment variable.

Note: If you specify a proxy server and credentials in step 3, these will be the values used to connect to the proxy server and they will be saved to /rhsm.conf in plain text.

Comment 7 John Sefler 2014-02-11 23:29:19 UTC
As indicated in comment 6, setting an environment variable prior to starting firstboot will now cause registration to flow through the proxy as follows...

[root@jsefler-7 ~]# HTTPS_PROXY=https://redhat:redhat@auto-services.usersys.redhat.com:3128 firstboot

This will start firstboot through which you can register with your chosen serverurl without setting any proxy configurations.
You can also tail your proxy server log and see the traffic go through it like this...
[root@auto-services ~]# tail -f /var/log/squid/access.log
1392174969.787   1556 10.16.6.79 TCP_MISS/200 1198 CONNECT jsefler-f14-candlepin.usersys.redhat.com:8443 redhat DIRECT/10.16.7.99 -

Then after registering, you will see that the rhsm.conf remains proxy free, like this...
[root@jsefler-7 ~]# grep proxy /etc/rhsm/rhsm.conf
# an http proxy server to use
proxy_hostname =
# port for http proxy server
proxy_port =
# user name for authenticating to an http proxy, if needed
proxy_user =
# password for basic http proxy auth, if needed
proxy_password =

VERIFIED: No proxy password was saved in plain text, yet registration successfully passed through the proxy server.

Comment 8 Ludek Smid 2014-06-13 09:26:59 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

Comment 15 Nikita Parmar 2017-08-10 11:55:34 UTC
Hello,

I have a case where a customer is looking for encrypted (non-readable) entries for Username and Password in the /etc/rhsm/rhsm.conf file.

Customers cannot configure http proxy, which is a suggested workaround.

Hence re-opening the bugzilla, as the customer is looking for a fix.

Thank you.

Comment 16 Chris Snyder 2017-08-10 14:21:48 UTC
As a workaround, we suggest that the customer create a file which has permissions restricting access to only those users who should know the proxy password. This file should be used to set up the environment variable for the proxy.

For example, the root user's .bashrc could be used for this purpose.


Is this an acceptable solution for the customer?
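
A check for the workaround in comment 16, as an added example that is not part of the thread and is not Red Hat's code: it reports whether rhsm.conf still holds a plain-text proxy_password and whether the file that sets the proxy variable is restricted to its owner. The function name `audit_proxy_secret`, the file name `proxy.env` and the sample credentials are assumptions.

```python
import configparser
import os
import stat


def audit_proxy_secret(conf_path, env_file=None):
    """Return findings about where the proxy password is stored and who can read it."""
    findings = []
    parser = configparser.ConfigParser(interpolation=None)
    with open(conf_path) as handle:
        parser.read_file(handle)
    if parser.get("server", "proxy_password", fallback="").strip():
        findings.append("proxy_password is set in plain text in " + conf_path)
        mode = stat.S_IMODE(os.stat(conf_path).st_mode)
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append("%s is readable beyond its owner (mode %04o)" % (conf_path, mode))
    if env_file is not None:
        mode = stat.S_IMODE(os.stat(env_file).st_mode)
        # The file that exports HTTPS_PROXY carries the same secret, so
        # any group/other permission bit is a finding.
        if mode & 0o077:
            findings.append("%s is accessible beyond its owner (mode %04o)" % (env_file, mode))
    return findings


if __name__ == "__main__":
    import tempfile
    # Constructed sample files; on a real host the paths would be
    # /etc/rhsm/rhsm.conf and the root-only file that sets the variable.
    with tempfile.TemporaryDirectory() as tmp:
        conf = os.path.join(tmp, "rhsm.conf")
        env = os.path.join(tmp, "proxy.env")
        with open(conf, "w") as f:
            f.write("[server]\nproxy_user = alice\nproxy_password = s3cret\n")
        with open(env, "w") as f:
            f.write("export HTTPS_PROXY=https://alice:s3cret@proxy.example.test:3128\n")
        os.chmod(conf, 0o644)
        os.chmod(env, 0o600)
        for line in audit_proxy_secret(conf, env):
            print(line)
```
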

Comment 18 Red Hat Bugzilla 2023-09-14 01:45:21 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days