Bug 972276 - RHSM saves the password of proxy server as plain-text [NEEDINFO]
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: subscription-manager
Version: 7.0
Hardware: Unspecified Unspecified
Priority: medium Severity: medium
Target Milestone: rc
Assigned To: Jesus M. Rodriguez
QA Contact: John Sefler
Keywords: Reopened
Blocks: rhsm-rhel70
Reported: 2013-06-08 01:59 EDT by wanghui
Modified: 2017-08-10 23:42 EDT
Doc Type: Bug Fix
Last Closed: 2017-08-10 10:24:49 EDT
Type: Bug
csnyder: needinfo? (niparmar)
Description wanghui 2013-06-08 01:59:40 EDT
Description of problem:
It should not save the password of the proxy server as plain text in rhsm.conf.

Version-Release number of selected component (if applicable):
rhev-hypervisor6-6.4-20130528.0.el6_4
ovirt-node-2.5.0-17.el6_4.5.noarch

How reproducible:
100%

Steps to Reproduce:
1. Clear install RHEV-H.
2. Configure network with dhcp.
3. On the Red Hat Network page, register using "Subscription Asset Manager" mode with proxy server.
4. Check the /etc/rhsm/rhsm.conf file.

Actual results:
After step 4, you can find that the password of the proxy server is saved as plain text.

Expected results:
After step 4, it should not save the password of the proxy server as plain text in rhsm.conf.

Additional info:
Please feel free to transfer the component if it is inappropriate.
Comment 1 wanghui 2013-06-08 05:38:59 EDT
And it is the same as in RHEL6.4.
Comment 3 Jesus M. Rodriguez 2013-11-25 16:37:24 EST
We opted to respect the http(s)_proxy environment variables similar to yum and curl. We will *not* encrypt the password in the conf file.

subscription-manager will use the value in the config if it exists or look
at the environment for one of the environment variables that may have the
proxy information.

https://github.com/candlepin/subscription-manager/pull/826
Comment 4 Carter Kozak 2014-01-17 16:51:56 EST
This was fixed with environment variable support; you are no longer required to store the password in plain text.
Comment 5 Carter Kozak 2014-01-27 10:42:13 EST
This is in the errata
Comment 6 John Sefler 2014-01-27 15:51:39 EST
Development is proposing that their fix for bug 1031755 should be applied as their solution for this bug too.  Hence, the detailed "Steps to Reproduce" in comment 0 will continue to fail. Alternatively, the revised steps should be...

0. set an environment variable in your shell session; for example...
   HTTPS_PROXY=https://username:password@proxyserver:proxyport
1. Clear install RHEV-H.
2. Configure network with dhcp.
3. On the Red Hat Network page, register using "Subscription Asset Manager" mode (DO NOT SELECT with proxy server).
4. Check the /etc/rhsm/rhsm.conf file.

After step 4, the rhsm.conf will not have any value set for the server proxy_* configurations.  Instead, traffic will flow through the proxy defined by your HTTPS_PROXY environment variable.

Note: If you specify a proxy server and credentials in step 3, these will be the values used to connect to the proxy server and they will be saved to /rhsm.conf in plain text.
Comment 7 John Sefler 2014-02-11 18:29:19 EST
As indicated in comment 6, setting an environment variable prior to starting firstboot will now cause registration to flow through the proxy as follows...

[root@jsefler-7 ~]# HTTPS_PROXY=https://redhat:redhat@auto-services.usersys.redhat.com:3128 firstboot

This will start firstboot through which you can register with your chosen serverurl without setting any proxy configurations.
You can also tail your proxy server log and see the traffic go through it like this...
[root@auto-services ~]# tail -f /var/log/squid/access.log
1392174969.787   1556 10.16.6.79 TCP_MISS/200 1198 CONNECT jsefler-f14-candlepin.usersys.redhat.com:8443 redhat DIRECT/10.16.7.99 -

Then after registering, you will see that the rhsm.conf remains proxy free, like this...
[root@jsefler-7 ~]# grep proxy /etc/rhsm/rhsm.conf
# an http proxy server to use
proxy_hostname =
# port for http proxy server
proxy_port =
# user name for authenticating to an http proxy, if needed
proxy_user =
# password for basic http proxy auth, if needed
proxy_password =

VERIFIED: No proxy password was saved in plain text, yet registration successfully passed through the proxy server.
Comment 8 Ludek Smid 2014-06-13 05:26:59 EDT
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
Comment 15 Nikita Parmar 2017-08-10 07:55:34 EDT
Hello,

I have a case where a customer is looking for encrypted (non-readable) entries for Username and Password in the /etc/rhsm/rhsm.conf file.

Customers cannot configure an HTTP proxy, which is a suggested workaround.

Hence re-opening the bugzilla, as the customer is looking for a fix.

Thank you.
Comment 16 Chris Snyder 2017-08-10 10:21:48 EDT
As a workaround, we suggest that the customer create a file which has permissions restricting access to only those users who should know the proxy password. This file should be used to set up the environment variable for the proxy.

For example, the root user's .bashrc could be used for this purpose.


Is this an acceptable solution for the customer?
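
The workaround from comment 16 combined with the rhsm.conf check from comment 7, as an added shell example (not part of the bug thread or of subscription-manager's code). The function names, file paths and proxy URL are hypothetical, and the sample rhsm.conf is constructed.

```shell
#!/bin/sh
# Added example: keep the proxy credentials in an owner-only file that sets
# HTTPS_PROXY, and check that rhsm.conf stores no proxy_password.
# Function names and all paths/URLs below are hypothetical.

# Read the proxy URL from stdin (keeps it out of argv and shell history)
# and write it to FILE as a sourceable export line, mode 0600.
write_proxy_env() {
    file=$1
    IFS= read -r url || [ -n "$url" ] || return 1
    (
        umask 077                 # file is never created group/world readable
        rm -f -- "$file"          # drop any older copy with looser permissions
        # Single-quote the value; an embedded ' becomes '\'' so sourcing is safe.
        printf "export HTTPS_PROXY='%s'\n" \
            "$(printf '%s' "$url" | sed "s/'/'\\\\''/g")" > "$file"
    )
    chmod 600 -- "$file"
}

# True only if FILE is a regular file with mode rw------- (owner only).
is_owner_only() {
    [ "$(ls -ld -- "$1" | cut -c1-10)" = "-rw-------" ]
}

# True only if the given rhsm.conf has no value after "proxy_password =".
# grep -q keeps the password itself out of terminal output and logs.
rhsm_conf_is_clean() {
    [ -r "$1" ] || return 2
    ! grep -Eq '^[[:space:]]*proxy_password[[:space:]]*=[[:space:]]*[^[:space:]]' "$1"
}

# Demo on constructed sample data in a temporary directory.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'https://user:examplepw@proxy.example.test:3128' |
        write_proxy_env "$d/rhsm_proxy_env"
    printf '[server]\nproxy_hostname =\nproxy_password =\n' > "$d/rhsm.conf"
    is_owner_only "$d/rhsm_proxy_env" && echo "env file: owner-only"
    rhsm_conf_is_clean "$d/rhsm.conf" && echo "rhsm.conf: no stored proxy password"
    rm -rf -- "$d"
}
demo
# root's ~/.bashrc would then load it with:  . /root/rhsm_proxy_env
```

The password is still stored in clear text; the file mode only limits who can read it, which is the trade-off the comment above describes.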
