For Katello we need a way to obfuscate all plaintext passwords in the Candlepin configuration. Currently I see only the postgresql password that would apply.
We currently have a tool in Katello that allows encrypting passwords to the format that Katello understands ($1$BASE64ENCODEDPW=). It would be best to implement a similar approach for Candlepin.
If you use a different approach, please make sure the password can be encoded by our Puppet installer (simple Ruby function, openssl library available in Katello). Here are details of our tool: https://github.com/Katello/katello/pull/50
More info: the best approach would be to have a passphrase stored in an external config file that would be configurable in Candlepin configuration. Access to this file would be very restricted using SELinux (only katello and candlepin processes).
Fix in commit 388c6a1d2a623845a089aac7d0b5c44e5348abab merged to master
For record some fixes for development environment problems after the previous commit were made in commits:
The commits in my comments don't relate to the issue, this is the right pull request https://github.com/Katello/katello/pull/228
How to verify:
Take the credentials in /etc/candlepin/candlepin.conf
Try to use them to log into the database: should fail.
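Added example (not Katello's or Candlepin's code) of the scheme described above: a passphrase read from a separate restricted file, a password obfuscated into the `$1$<base64>` form, and a config rewrite you can check against the "How to verify" step. AES-256-GCM with a PBKDF2-derived key and the `db.password` key name are assumptions, not what the linked pull request uses.

```ruby
require 'openssl'
require 'securerandom'

PREFIX = '$1$'.freeze

# The passphrase lives outside candlepin.conf in a file that only the katello and
# candlepin processes should read; SELinux does that on the real system, here we
# only refuse a file that is group/world readable.
def read_passphrase(path)
  mode = File.stat(path).mode & 0o777
  raise "#{path} is readable by group/other (mode #{mode.to_s(8)})" if (mode & 0o077) != 0
  File.read(path).strip
end

def derive_key(passphrase, salt)
  OpenSSL::KDF.pbkdf2_hmac(passphrase, salt: salt, iterations: 10_000, length: 32, hash: 'sha256')
end

# Produces "$1$" + base64(salt || iv || tag || ciphertext). GCM (an assumption) means
# a wrong passphrase fails deterministically instead of yielding garbage.
def encrypt_password(plaintext, passphrase)
  raise ArgumentError, 'empty password' if plaintext.empty?
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  salt = SecureRandom.random_bytes(16)
  cipher.key = derive_key(passphrase, salt)
  iv = cipher.random_iv                       # 12 bytes for GCM
  ct = cipher.update(plaintext) + cipher.final
  PREFIX + [salt + iv + cipher.auth_tag + ct].pack('m0')
end

def encrypted?(value)
  value.start_with?(PREFIX)
end

def decrypt_password(value, passphrase)
  raise ArgumentError, 'value is not in $1$ form' unless encrypted?(value)
  blob = value[PREFIX.size..-1].unpack1('m0')
  salt, iv, tag, ct = blob[0, 16], blob[16, 12], blob[28, 16], blob[44..-1]
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = derive_key(passphrase, salt)
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.update(ct) + cipher.final            # CipherError on wrong passphrase or tampering
end

# Rewrites key=value config text, obfuscating any *password* value still in plaintext;
# values already in $1$ form are left alone so the tool can be re-run safely.
def obfuscate_config(text, passphrase)
  text.lines.map do |line|
    key, sep, val = line.chomp.partition('=')
    next line if sep.empty? || key !~ /password/i || encrypted?(val)
    "#{key}=#{encrypt_password(val, passphrase)}\n"
  end.join
end
```

After running `obfuscate_config` over the config, the value left in the file is the `$1$` string, which is what the verify step expects to fail as a database login.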
Going to consider this QE verified. I can see the change in the conf file.
Trying to actually test it was more tricky, though. By default, our db config is set to 'trust' on localhost, so users will be able to log in no matter what, even if they are prompted for a password and enter something incorrect.
Subsequently, I have taken a few different steps to try logging into postgresql (making changes to the pg_hba.conf, etc., to allow remote logins requiring ident) and was not able to simply log in with the obfuscated password.
CloudForms System Engine Version: 1.1.12-17.el6cf
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory, and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.