Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 816935 - RFE: Provide possibility to encrypt/obfuscate plaintext passwords
Summary: RFE: Provide possibility to encrypt/obfuscate plaintext passwords
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Subscription Management
Version: 6.0.0
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: Unspecified
Assignee: Lukas Zapletal
QA Contact: Hayk Hovsepyan
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-04-27 10:36 UTC by Lukas Zapletal
Modified: 2019-09-25 21:11 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
This feature changes the standard candlepin configuration file password, which was stored on plain text. The candlepin password is stored in an encrypted format.
Clone Of:
Environment:
Last Closed: 2012-12-04 19:44:56 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2012:1543 0 normal SHIPPED_LIVE Important: CloudForms System Engine 1.1 update 2012-12-05 00:39:57 UTC

Description Lukas Zapletal 2012-04-27 10:36:32 UTC 
Hello,

for Katello we need a way to obfuscate all plaintext passwords in the Candlepin configuration. Currently I see only postgresql password that would apply.

We currently have a tool in Katello that allows to encrypt passwords to the format that Katello understands ($1$BASE64ENCODEDPW=). Would be best to implement similar approach for Candlepin.

If you use different approach, please make sure password can be encoded by our Puppet installer (simple Ruby function, openssl library avaiable in Katello). Here are details of our tool: https://github.com/Katello/katello/pull/50

Thanks
Comment 2 Lukas Zapletal 2012-05-02 07:34:52 UTC 
More info: the best approach would be to have a passphrase stored in an external config file that would be configurable in Candlepin configuration. Access to this file would be very restricted using SELinux (only katello and candlepin processes).
Comment 3 Ivan Necas 2012-05-17 07:37:09 UTC 
Fix in commit 388c6a1d2a623845a089aac7d0b5c44e5348abab merged to master
Comment 4 Ivan Necas 2012-05-17 11:15:20 UTC 
For record some fixes for development environment problems after the previous commit were made in commits:

2758e4f5a7ed44e97434dcf708bd31d345fff6d2
fa590870c62627df0dc08d9cc79b01bf38c2a4ce
Comment 6 Ivan Necas 2012-10-04 12:27:46 UTC 
The commits in my comments don't relate to the issue, this is the right pull request https://github.com/Katello/katello/pull/228
Comment 7 Ivan Necas 2012-10-04 12:28:59 UTC 
How to verify:

Take the credentials in /etc/candlepin/candlepin.conf

Try to use them to log into the database: should fail.
Comment 8 Corey Welton 2012-10-25 13:37:12 UTC 
Going to consider this QE verified. I can see the change in the conf file. 

Trying to actually test it was more tricky, though. By default, our db config is set to 'trust' on localhost, so users will be able to login no matter what, even if they prompt for password and enter something incorrect.

Subsequently, I have taken a few different steps to try logging into postgresql (making changes to the pg_hba.conf, etc., to allow remote logins requiring ident) and was not able to simply login w/ the obfuscated password. 

CloudForms System Engine Version: 1.1.12-17.el6cf
Comment 10 errata-xmlrpc 2012-12-04 19:44:56 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-1543.html
Note You need to log in before you can comment on or make changes to this bug.