Bug 972276 - RHSM saves the password of proxy server as plain-text
Summary: RHSM saves the password of proxy server as plain-text
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: subscription-manager
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
: ---
Assignee: Jesus M. Rodriguez
QA Contact: John Sefler
URL:
Whiteboard:
Depends On:
Blocks: rhsm-rhel70
 
Reported: 2013-06-08 05:59 UTC by wanghui
Modified: 2023-09-14 01:45 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-10 14:24:49 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1031755 1 None None None 2021-01-20 06:05:38 UTC

Internal Links: 1031755

Description wanghui 2013-06-08 05:59:40 UTC
Description of problem:
It should not save the password of the proxy server as plain text in rhsm.conf.

Version-Release number of selected component (if applicable):
rhev-hypervisor6-6.4-20130528.0.el6_4
ovirt-node-2.5.0-17.el6_4.5.noarch

How reproducible:
100%

Steps to Reproduce:
1. Clear install RHEV-H.
2. Configure network with dhcp.
3. On the Red Hat Network page, register using "Subscription Asset Manager" mode with proxy server.
4. Check the /etc/rhsm/rhsm.conf file.

Actual results:
After step 4, you can find that the password of the proxy server is saved as plain text.

Expected results:
After step 4, it should not save the password of the proxy server as plain text in rhsm.conf.

Additional info:
Please feel free to transfer the component if it is inappropriate.

Comment 1 wanghui 2013-06-08 09:38:59 UTC
And it is the same as in RHEL6.4.

Comment 3 Jesus M. Rodriguez 2013-11-25 21:37:24 UTC
We opted to respect the http(s)_proxy environment variables similar to yum and curl. We will *not* encrypt the password in the conf file.

subscription-manager will use the value in the config if it exists or look
at the environment for one of the environment variables that may have the
proxy information.

https://github.com/candlepin/subscription-manager/pull/826

Comment 4 Carter Kozak 2014-01-17 21:51:56 UTC
This was fixed with environment variable support, you are no longer required to store the password in plain text.

Comment 5 Carter Kozak 2014-01-27 15:42:13 UTC
This is in the errata

Comment 6 John Sefler 2014-01-27 20:51:39 UTC
Development is proposing that their fix for bug 1031755 should be applied as their solution for this bug too.  Hence, the detailed "Steps to Reproduce" in comment 0 will continue to fail. Alternatively, the revised steps should be...

0. set an environment variable in your shell session; for example...
   HTTPS_PROXY=https://username:password@proxyserver:proxyport
1. Clear install RHEV-H.
2. Configure network with dhcp.
3. On the Red Hat Network page, register using "Subscription Asset Manager" mode (DO NOT SELECT with proxy server).
4. Check the /etc/rhsm/rhsm.conf file.

After step4, the rhsm.conf will not have any value set for the server proxy_* configurations.  Instead, traffic will flow through the proxy defined by your HTTPS_PROXY environment variable.

Note: If you specify a proxy server and credentials in step 3, these will be the values used to connect to the proxy server and they will be saved to /rhsm.conf in plain text.

Comment 7 John Sefler 2014-02-11 23:29:19 UTC
As indicated in comment 6, setting an environment variable prior to starting firstboot will now cause registration to flow through the proxy as follows...

[root@jsefler-7 ~]# HTTPS_PROXY=https://redhat:redhat@auto-services.usersys.redhat.com:3128 firstboot

This will start firstboot through which you can register with your chosen serverurl without setting any proxy configurations.
You can also tail your proxy server log and see the traffic go through it like this...
[root@auto-services ~]# tail -f /var/log/squid/access.log
1392174969.787   1556 10.16.6.79 TCP_MISS/200 1198 CONNECT jsefler-f14-candlepin.usersys.redhat.com:8443 redhat DIRECT/10.16.7.99 -

Then after registering, you will see that the rhsm.conf remains proxy free, like this...
[root@jsefler-7 ~]# grep proxy /etc/rhsm/rhsm.conf
# an http proxy server to use
proxy_hostname =
# port for http proxy server
proxy_port =
# user name for authenticating to an http proxy, if needed
proxy_user =
# password for basic http proxy auth, if needed
proxy_password =

VERIFIED: No proxy password was saved in plain text, yet registration successfully passed through the proxy server.

Comment 8 Ludek Smid 2014-06-13 09:26:59 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

Comment 15 Nikita Parmar 2017-08-10 11:55:34 UTC
Hello,

I have a case where the customer is looking for encrypted (non-readable) entries for Username and Password in the /etc/rhsm/rhsm.conf file.

Customers cannot configure an http proxy, which is a suggested workaround.

Hence re-opening the bugzilla, as customer is looking for a fix.

Thank you.

Comment 16 Chris Snyder 2017-08-10 14:21:48 UTC
As a workaround, we suggest that the customer create a file which has permissions restricting access to only those users who should know the proxy password. This file should be used to set up the environment variable for the proxy.

For example, the root user's .bashrc could be used for this purpose.


Is this an acceptable solution for the customer?
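
A check for the result verified in comment 7 and the workaround proposed in comment 16, as an added example that is not part of the bug report or of subscription-manager: it lists which proxy credential keys in rhsm.conf hold a value and tests that the file exporting HTTPS_PROXY has no group or other permission bits. The function names and the two file arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example (not subscription-manager code): audit the two conditions
# discussed in this bug. Paths are arguments so test copies can be used.

# Print the names (never the values) of proxy credential keys that carry a
# non-empty value in an rhsm.conf-style file.
rhsm_plaintext_proxy_keys() {
    awk '
        /^[ \t]*[#;]/ { next }                  # comment lines
        index($0, "=") == 0 { next }            # not a key = value line
        {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if ((key == "proxy_user" || key == "proxy_password") && val != "")
                print key
        }' "$1"
}

# Succeed only if the file that exports HTTPS_PROXY is a regular file (not a
# symlink) with no group or other permission bits set, e.g. mode 600.
proxy_env_file_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    mode=$(stat -c '%a' "$1") || return 1       # GNU stat, octal mode
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Mask the userinfo part of a proxy URL so it can be logged safely.
redact_proxy_url() {
    printf '%s\n' "$1" | sed -E 's#^([A-Za-z][A-Za-z0-9+.-]*://)[^/@]*@#\1***@#'
}

# Report findings; exit status 0 means neither check failed.
audit_rhsm_proxy() {
    conf=$1 envfile=$2 rc=0
    for k in $(rhsm_plaintext_proxy_keys "$conf"); do
        echo "FAIL: $conf sets $k in plain text"; rc=1
    done
    if [ -e "$envfile" ] && ! proxy_env_file_is_private "$envfile"; then
        echo "FAIL: $envfile is readable by group or others"; rc=1
    fi
    if [ -n "${HTTPS_PROXY:-}" ]; then
        echo "INFO: HTTPS_PROXY=$(redact_proxy_url "$HTTPS_PROXY")"
    fi
    return $rc
}

# Usage: audit_rhsm_proxy /etc/rhsm/rhsm.conf /root/.bashrc
```

A .bashrc left at a mode such as 644 is reported by the second check, so the file chosen for the workaround needs its mode tightened before the proxy URL is added to it.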

Comment 18 Red Hat Bugzilla 2023-09-14 01:45:21 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days

