Uploaded image for project: 'RHEL Conversions'
  1. RHEL Conversions
  2. RHELC-432

Pass the rhsm password securely to subscription-manager

XMLWordPrintable

    • Icon: Task Task
    • Resolution: Done
    • Icon: Critical Critical
    • 0.25-4
    • None
    • convert2rhel
    • None
    • 8

      When convert2rhel registers a system with subscription-manager, it shells out to the subscription-manager program.  If the user gave convert2rhel a password to authenticate with subscription-manager, this ends up being passed on the subscription-manager command line.  Passing secrets on the command line is insecure because unprivileged users can read the process list which includes the command and all arguments to the command.

      In the short term we can handle this problem by invoking subscription-manager via pexpect.spawn() without giving it the password.  In this case, subscription-manager will interactively prompt for the password and we can then use pexpect to send the password.

      Longer term, subscription-manager is going to add the ability to pass the password via a file and we can then use that to pass in the password:

      https://issues.redhat.com/browse/ENT-4724

      Embargo lift date: TBD

        1. 0000-backport-Do-not-put-the-subscription-manager-password-onto-th.patch
          56 kB
        2. 0000-Do-not-put-the-subscription-manager-password-onto-th.patch
          59 kB
        3. 0001-backport-Do-not-put-the-subscription-manager-password-onto-th.patch
          51 kB
        4. 0001-Do-not-put-the-subscription-manager-password-onto-th.patch
          55 kB
        5. 0002-backport-Fix-the-expect-script.patch
          3 kB
        6. 0002-fix-Flaky-tests-and-improve-existing-tests.patch
          5 kB
        7. 0002-Fix-the-expect-script-for-sending-rhsm-password.patch
          3 kB
        8. 0003-backport-Fix-for-pexpect.wait-on-RHEL7.patch
          1 kB
        9. 0003-Fix-for-pexpect.wait-on-RHEL7.patch
          1 kB
        10. 0004-Add-integration-test.patch
          3 kB
        11. 0004-backport-Add-integration-test.patch
          4 kB
        12. 0005-backport-Fix-Pexpect.spawn-truncating-lines-on-RHEL7.patch
          3 kB
        13. 0005-Fix-Pexpect.spawn-truncating-lines-on-RHEL7.patch
          3 kB
        14. 2022-04-08a-Do-not-put-the-subscription-manager-password-onto-th.patch
          60 kB
        15. 2022-04-08-backport-Do-not-put-the-subscription-manager-password-onto-th.patch
          57 kB
        16. convert2rhel-0.25-cve-fix.el7.noarch.rpm
          131 kB
        17. convert2rhel-0.25-cve-fix.el8.noarch.rpm
          134 kB
        18. convert2rhel-0.25-cvefix2.el6.noarch.rpm
          132 kB
        19. convert2rhel-0.25-cvefix2.el7.noarch.rpm
          131 kB
        20. convert2rhel-0.25-cvefix2.el8.noarch.rpm
          134 kB

              ddiblik@redhat.com Daniel Diblik
              tkuratom@redhat.com Toshio Kuratomi
              Daniel Diblik, Freya Gustavsson, Michal Bocek
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated:
                Resolved: