Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 2129765

Summary: [RFE] Secure Foreman ssh key
Product: Red Hat Satellite
Component: Remote Execution
Version: 6.11.3
Status: CLOSED WONTFIX
Severity: medium
Priority: unspecified
Reporter: Cyril Lopez <cylopez>
Assignee: satellite6-bugs <satellite6-bugs>
QA Contact: Satellite QE Team <sat-qe-bz-list>
CC: aruzicka, bagasse, bhoppus, dsinglet, egolov, jesper.schmidt, wpinheir
Keywords: FutureFeature
Target Milestone: Unspecified
Target Release: Unused
Hardware: x86_64
OS: Linux
Last Closed: 2023-09-20 13:16:59 UTC
Type: Bug

Description Cyril Lopez 2022-09-26 09:32:05 UTC
Description of problem:
The Foreman SSH key permits connecting to nodes managed by Satellite to do remote execution, like updating packages for an erratum.

But this key is very sensitive because it could be used to perform root actions on nodes registered on Satellite. In case of a leak, it could be dramatic.

We should propose to use vault or HSM or TPM or any other way to secure this key.

Comment 2 Marek Hulan 2023-02-01 13:31:57 UTC
There are two options for better hardening at this point. One is to start configuring the clients so they only accept connections from Satellite and Capsules - tracked under https://bugzilla.redhat.com/show_bug.cgi?id=2160902. The other option, which is available even with the existing Satellite version, is to add a passphrase to the key. That way, the key is protected even if stolen. The impact is that every user running the REX job would have to know and specify the passphrase for each REX job. Does that resolve the concern?
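
An added example, not part of the comment above and not Satellite or Foreman code: a Python audit check that reports whether a private key file is passphrase-protected, by reading the cipher name from the key container without needing the passphrase. The function names are hypothetical, the sample blobs are constructed header-only data with no key material, and the path of the real key file is not given on this page.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"
BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
END = "-----END OPENSSH PRIVATE KEY-----"


def _read_string(buf, off):
    """Read one SSH wire string (uint32 big-endian length + bytes)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    if off + 4 + n > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:off + 4 + n], off + 4 + n


def key_protection(pem_text):
    """Return (passphrase_protected, cipher_name) for a private key in PEM text."""
    text = pem_text.strip()
    if text.startswith(BEGIN):
        body = text[len(BEGIN):text.index(END)]
        blob = base64.b64decode("".join(body.split()))
        if not blob.startswith(MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        cipher, off = _read_string(blob, len(MAGIC))
        _kdf, off = _read_string(blob, off)  # "none" when the key is unencrypted
        return cipher != b"none", cipher.decode("ascii")
    if "BEGIN ENCRYPTED PRIVATE KEY" in text:  # PKCS#8 encrypted container
        return True, "pkcs8"
    for line in text.splitlines():  # legacy PEM shows encryption in its headers
        if line.startswith("DEK-Info:"):
            return True, line.split(":", 1)[1].split(",")[0].strip()
    if "PRIVATE KEY-----" in text:
        return False, "none"
    raise ValueError("no private key found")


def constructed_sample(cipher, kdf):
    """Constructed header-only blob (no key material) to exercise the parser."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    blob = MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)
    return "\n".join([BEGIN, base64.b64encode(blob).decode(), END])


if __name__ == "__main__":
    for c, k in ((b"none", b"none"), (b"aes256-ctr", b"bcrypt")):
        print(key_protection(constructed_sample(c, k)))
```

A result of `(False, "none")` means anyone who copies the file can use the key directly.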

Comment 5 Dana Singleterry 2023-09-20 13:16:59 UTC
Thank you for your interest in Satellite 6. We have evaluated this request, and while we recognize that it is a valid request, we do not expect this to be implemented in the product in the foreseeable future. This is due to other priorities for the product, and not a reflection on the request itself. We are therefore closing this out as WONTFIX. If you have any concerns about this, please do not reopen. Instead, feel free to contact Red Hat Technical Support. Thank you.

Comment 6 Red Hat Bugzilla 2024-01-19 04:25:10 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days