Bug 816935 - RFE: Provide possibility to encrypt/obfuscate plaintext passwords
Status: CLOSED ERRATA
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Subscription Management
6.0.0
Unspecified Unspecified
unspecified Severity medium
: Unspecified
: Unused
Assigned To: Lukas Zapletal
Hayk Hovsepyan
: FutureFeature, Triaged
Reported: 2012-04-27 06:36 EDT by Lukas Zapletal
Modified: 2014-01-27 08:26 EST

Doc Type: Enhancement
Doc Text:
This feature changes the standard candlepin configuration file password, which was stored in plain text. The candlepin password is stored in an encrypted format.
Last Closed: 2012-12-04 14:44:56 EST
Type: Bug

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2012:1543 normal SHIPPED_LIVE Important: CloudForms System Engine 1.1 update 2012-12-04 19:39:57 EST

Description Lukas Zapletal 2012-04-27 06:36:32 EDT
Hello,

for Katello we need a way to obfuscate all plaintext passwords in the Candlepin configuration. Currently I see only the postgresql password that would apply.

We currently have a tool in Katello that allows encrypting passwords to the format that Katello understands ($1$BASE64ENCODEDPW=). It would be best to implement a similar approach for Candlepin.

If you use a different approach, please make sure the password can be encoded by our Puppet installer (simple Ruby function, openssl library available in Katello). Here are details of our tool: https://github.com/Katello/katello/pull/50

Thanks
Comment 2 Lukas Zapletal 2012-05-02 03:34:52 EDT
More info: the best approach would be to have a passphrase stored in an external config file that would be configurable in Candlepin configuration. Access to this file would be very restricted using SELinux (only katello and candlepin processes).
Comment 3 Ivan Necas 2012-05-17 03:37:09 EDT
Fix in commit 388c6a1d2a623845a089aac7d0b5c44e5348abab merged to master
Comment 4 Ivan Necas 2012-05-17 07:15:20 EDT
For the record, some fixes for development environment problems after the previous commit were made in commits:

2758e4f5a7ed44e97434dcf708bd31d345fff6d2
fa590870c62627df0dc08d9cc79b01bf38c2a4ce
Comment 6 Ivan Necas 2012-10-04 08:27:46 EDT
The commits in my comments don't relate to the issue; this is the right pull request: https://github.com/Katello/katello/pull/228
Comment 7 Ivan Necas 2012-10-04 08:28:59 EDT
How to verify:

Take the credentials in /etc/candlepin/candlepin.conf

Try to use them to log into the database: should fail.
Comment 8 Corey Welton 2012-10-25 09:37:12 EDT
Going to consider this QE verified. I can see the change in the conf file. 

Trying to actually test it was more tricky, though. By default, our db config is set to 'trust' on localhost, so users will be able to login no matter what, even if they prompt for password and enter something incorrect.

Subsequently, I have taken a few different steps to try logging into postgresql (making changes to the pg_hba.conf, etc., to allow remote logins requiring ident) and was not able to simply login w/ the obfuscated password. 

CloudForms System Engine Version: 1.1.12-17.el6cf
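
A check for the verification problem raised in Comment 7 and Comment 8, as an added example that is not part of the original bug report or of the Katello/Candlepin code: it classifies password properties in a candlepin.conf as obfuscated or plaintext using the `$1$BASE64` shape from the description, and lists pg_hba.conf `trust` rules that would make the "login should fail" test meaningless. The property names and both sample files are constructed assumptions.

```ruby
require 'base64'

# Constructed sample inputs (not from a real system). The property names are
# assumptions; only the "$1$<base64>" value shape comes from the bug report.
SAMPLE_CONF = <<~'CONF'
  # candlepin.conf (constructed)
  jpa.config.hibernate.connection.username=candlepin
  jpa.config.hibernate.connection.password=$1$c2FtcGxlLWNpcGhlcnRleHQ=
  example.other.password=hunter2
CONF

SAMPLE_HBA = <<~'HBA'
  # TYPE  DATABASE  USER  ADDRESS       METHOD
  local   all       all                 trust
  host    all       all   127.0.0.1/32  trust
  host    all       all   0.0.0.0/0     md5
HBA

# True when the value is "$1$" followed by a non-empty, strictly valid
# base64 payload. This checks the shape only; it does not decrypt anything.
def obfuscated?(value)
  return false unless value.start_with?('$1$')
  payload = value[3..-1]
  return false if payload.empty?
  Base64.strict_decode64(payload)
  true
rescue ArgumentError
  false
end

# Return {key => :obfuscated | :plaintext} for every property whose key
# contains "password"; comments, blank lines and other keys are skipped.
def classify_passwords(conf_text)
  conf_text.each_line.with_object({}) do |line, out|
    next if line.strip.empty? || line.lstrip.start_with?('#')
    key, value = line.strip.split('=', 2)
    next unless value && key.downcase.include?('password')
    out[key.strip] = obfuscated?(value.strip) ? :obfuscated : :plaintext
  end
end

# pg_hba.conf rules whose last field is "trust". While any of these match the
# connection, every password is accepted and a failed-login test proves nothing.
def trust_rules(hba_text)
  hba_text.each_line.map(&:strip).select do |line|
    !line.empty? && !line.start_with?('#') && line.split.last == 'trust'
  end
end
```

Run `trust_rules` against the real pg_hba.conf first: if it returns any rule covering the connection used for the test, switch that rule to a password-based method before trying the obfuscated value as a login.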
Comment 10 errata-xmlrpc 2012-12-04 14:44:56 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-1543.html
