Bug 1154877 - [RFE] virt-who security
Summary: [RFE] virt-who security
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: virt-who
Version: 6.6
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: rc
Assignee: Radek Novacek
QA Contact: gaoshang
Laura Novich
URL:
Whiteboard:
Depends On:
Blocks: 1154684 1168221
Reported: 2014-10-20 22:25 UTC by Thom Carlin
Modified: 2016-12-01 00:35 UTC

Fixed In Version: virt-who-0.12-1.el6
Doc Type: Release Note
Doc Text:
virt-who supports encrypted passwords

Support for encrypted passwords has been added to the virt-who service. Previously, the passwords for external services were stored in the configuration file as plain text, which exposed the password to any user with read privileges. This update introduces the virt-who-password utility, which allows encrypted passwords to be stored in the virt-who configuration file. With this change, all users who open the virt-who configuration file will see the passwords as encrypted. The encrypted passwords can be decrypted by the root user.
Clone Of:
Environment:
Last Closed: 2015-07-22 07:15:20 UTC
Target Upstream Version:


Links
System ID | Priority | Status | Summary | Last Updated
Red Hat Product Errata RHBA-2015:1377 | normal | SHIPPED_LIVE | virt-who bug fix and enhancement update | 2015-07-20 17:58:35 UTC

Description Thom Carlin 2014-10-20 22:25:28 UTC
Description of problem:

/etc/sysconfig/virt-who contains plaintext passwords.  Customer requests hashed password

Version-Release number of selected component (if applicable):

6.6

How reproducible:

Every time

Steps to Reproduce:
1. Look at /etc/sysconfig/virt-who password variables

Actual results:

Plaintext passwords

Expected results:

Obscured passwords

Additional info:

Ideally, customer would like an easy way to update the passwords (i.e.
"virt-who --old-password=old --new-password=new --hash-algorithm=SHA256")

Comment 5 Radek Novacek 2014-10-21 07:18:24 UTC
This issue is solved by virt-who-password, which is present in virt-who >= 0.10.

This means that the bug is (will be) fixed in RHEL-6.6 and RHEL-7.1.

Please let me know if the solution (virt-who-password) is acceptable for the customer.

Comment 7 Radek Novacek 2014-10-29 11:21:24 UTC
When using an encrypted password, you need to create a config file in /etc/virt-who.d/ with the following content:

[test]
type=esx
owner=<owner>
env=<env>
server=<vCenter_FQDN>
username=<username>
encrypted_password=<encrypted_password>

See virt-who-config(5) manual page.

Comment 8 Thom Carlin 2014-12-02 19:35:35 UTC
We did the above (at another site)

Using /etc/virt-who.d/file with "password", it works
Using /etc/virt-who.d/file with "encrypted_password", we get "Cannot complete login due to an incorrect user name or password." then "ERROR: Unable to login to ESX"

We are running a fully patched RHEL 6.6 x86_64 VM (virt-who is 0.18-8.el6).

We also tried a second username with similar results.

Any suggestions?

Comment 9 Radek Novacek 2014-12-03 08:08:20 UTC
Thom,

looks like this bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1161604

It will be resolved in 6.7.

Comment 10 Radek Novacek 2015-02-27 19:34:46 UTC
Fixed by rebase to virt-who-0.12-1.el6.

Comment 12 Liushihui 2015-04-02 07:25:56 UTC
virt-who can send the host/guest association to Satellite 6.1.0/SAM when virt-who is configured with an encrypted password. Therefore, verified on virt-who-0.12-2.el6.noarch.

Verified version:
virt-who-0.12-2.el6.noarch
subscription-manager-1.14.1-1.el6.x86_64
python-rhsm-1.14.1-1.el6.x86_64
Satellite-6.1.0-RHEL-7-20150331.1

Verified steps:
1. Register virt-who system to satellite/SAM. Configure virt-who under /etc/virt-who.d/ with encrypted password (virt-who-password).
[root@rhel6 ~]# virt-who-password 
Password: 
Use following as value for encrypted_password key in the configuration file:
5b88800af968f28cb59089f55bc01caf

[root@hp-z220-05 ~]# cat /etc/virt-who.d/virtwho 
[test-esx1]
type=esx
server=10.66.79.72
username=Administrator@vsphere.local
encrypted_password=5b88800af968f28cb59089f55bc01caf
owner=ACME_Corporation
env=Library
[root@hp-z220-05 ~]# vim /etc/sysconfig/virt-who 
VIRTWHO_BACKGROUND=1
VIRTWHO_DEBUG=1

2. Restart virt-who services.
[root@hp-z220-05 ~]# service virt-who restart
Stopping virt-who:                                         [  OK  ]
Starting virt-who:                                         [  OK  ]

3. Check the log in /var/log/rhsm/rhsm.log. It doesn't show any error message.
virt-who sends the host/guest mapping to Satellite/SAM.
2015-04-01 03:35:27,745 [DEBUG]  @esx.py:51 - Log into ESX
2015-04-01 03:35:28,759 [DEBUG]  @esx.py:54 - Creating ESX event filter
2015-04-01 03:35:29,079 [DEBUG]  @esx.py:113 - Waiting for ESX changes
2015-04-01 03:35:29,093 [INFO]  @subscriptionmanager.py:124 - Sending update in hosts-to-guests mapping: {564ddb0f-caf1-7df2-579c-2f5a43bbac65: [420e3b44-d7b1-856c-e60c-5d7442bf137c], aee4ff00-8c33-11e2-994a-6c3be51d959a: [], 86b2bd00-8bad-11e2-87f4-6c3be514699d: [4224a77f-1c50-42cb-3507-2b68b447ed60, 4224e5d2-4fcf-2bc2-2559-5846035d3a78]}
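
An audit for the migration this bug covers, as an added example that is not part of the thread or of virt-who itself: it walks a /etc/virt-who.d/-style directory and reports sections that still carry a plaintext `password` key, and `encrypted_password` values that are not hex. The function names, verdict labels, sample files and the placeholder password are constructed for illustration; the hex format check is an assumption based on the virt-who-password output shown in Comment 12.

```python
import configparser
import os
import re
import stat
import tempfile

def audit_virtwho_dir(conf_dir):
    """Classify each section of each file in a /etc/virt-who.d/-style directory."""
    findings = []
    for name in sorted(os.listdir(conf_dir)):
        path = os.path.join(conf_dir, name)
        parser = configparser.ConfigParser(interpolation=None)
        try:
            parser.read(path)
        except configparser.Error:
            findings.append((name, None, "unparseable"))
            continue
        readable_by_others = bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))
        for section in parser.sections():
            enc = parser.get(section, "encrypted_password", fallback="").strip()
            if parser.get(section, "password", fallback="").strip():
                verdict = "plaintext-exposed" if readable_by_others else "plaintext"
            elif not enc:
                verdict = "no-password"
            elif re.fullmatch(r"(?:[0-9a-fA-F]{2})+", enc):
                verdict = "encrypted"
            else:
                # Assumption: virt-who-password prints hex, as in Comment 12.
                verdict = "encrypted-malformed"
            findings.append((name, section, verdict))
    return findings

def demo():
    """Audit constructed sample files; Example%Pass1 is a made-up placeholder."""
    samples = {
        "esx-plain": ("[test]\ntype=esx\npassword=Example%Pass1\n", 0o644),
        "esx-enc": ("[test-esx1]\nencrypted_password=5b88800af968f28cb59089f55bc01caf\n", 0o600),
        "esx-bad": ("[test]\ntype=esx\nencrypted_password=Example%Pass1\n", 0o600),
    }
    with tempfile.TemporaryDirectory() as conf_dir:
        for name, (body, mode) in samples.items():
            path = os.path.join(conf_dir, name)
            with open(path, "w") as handle:
                handle.write(body)
            os.chmod(path, mode)
        return audit_virtwho_dir(conf_dir)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```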

Comment 13 errata-xmlrpc 2015-07-22 07:15:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1377.html

