Bug 816935 - RFE: Provide possibility to encrypt/obfuscate plaintext passwords
Summary: RFE: Provide possibility to encrypt/obfuscate plaintext passwords
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Subscription Management
Version: 6.0.0
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: Unspecified
Assignee: Lukas Zapletal
QA Contact: Hayk Hovsepyan
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-04-27 10:36 UTC by Lukas Zapletal
Modified: 2019-09-25 21:11 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
This feature changes the standard candlepin configuration file password, which was stored on plain text. The candlepin password is stored in an encrypted format.
Clone Of:
Environment:
Last Closed: 2012-12-04 19:44:56 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2012:1543 0 normal SHIPPED_LIVE Important: CloudForms System Engine 1.1 update 2012-12-05 00:39:57 UTC

Description Lukas Zapletal 2012-04-27 10:36:32 UTC
Hello,

for Katello we need a way to obfuscate all plaintext passwords in the Candlepin configuration. Currently I see only postgresql password that would apply.

We currently have a tool in Katello that allows to encrypt passwords to the format that Katello understands ($1$BASE64ENCODEDPW=). Would be best to implement similar approach for Candlepin.

If you use different approach, please make sure password can be encoded by our Puppet installer (simple Ruby function, openssl library avaiable in Katello). Here are details of our tool: https://github.com/Katello/katello/pull/50

Thanks

Comment 2 Lukas Zapletal 2012-05-02 07:34:52 UTC
More info: the best approach would be to have a passphrase stored in an external config file that would be configurable in Candlepin configuration. Access to this file would be very restricted using SELinux (only katello and candlepin processes).

Comment 3 Ivan Necas 2012-05-17 07:37:09 UTC
Fix in commit 388c6a1d2a623845a089aac7d0b5c44e5348abab merged to master

Comment 4 Ivan Necas 2012-05-17 11:15:20 UTC
For record some fixes for development environment problems after the previous commit were made in commits:

2758e4f5a7ed44e97434dcf708bd31d345fff6d2
fa590870c62627df0dc08d9cc79b01bf38c2a4ce

Comment 6 Ivan Necas 2012-10-04 12:27:46 UTC
The commits in my comments don't relate to the issue, this is the right pull request https://github.com/Katello/katello/pull/228

Comment 7 Ivan Necas 2012-10-04 12:28:59 UTC
How to verify:

Take the credentials in /etc/candlepin/candlepin.conf

Try to use them to log into the database: should fail.

Comment 8 Corey Welton 2012-10-25 13:37:12 UTC
Going to consider this QE verified. I can see the change in the conf file. 

Trying to actually test it was more tricky, though. By default, our db config is set to 'trust' on localhost, so users will be able to login no matter what, even if they prompt for password and enter something incorrect.

Subsequently, I have taken a few different steps to try logging into postgresql (making changes to the pg_hba.conf, etc., to allow remote logins requiring ident) and was not able to simply login w/ the obfuscated password. 

CloudForms System Engine Version: 1.1.12-17.el6cf

Comment 10 errata-xmlrpc 2012-12-04 19:44:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-1543.html


Note You need to log in before you can comment on or make changes to this bug.