Uploaded image for project: 'RHEL Conversions'
  1. RHEL Conversions
  2. RHELC-432

Pass the rhsm password securely to subscription-manager

XMLWordPrintable

    • Icon: Task Task
    • Resolution: Done
    • Icon: Critical Critical
    • 0.25-4
    • None
    • convert2rhel
    • None
    • 8

      When convert2rhel registers a system with subscription-manager, it shells out to the subscription-manager program.  If the user gave convert2rhel a password to authenticate with subscription-manager, this ends up being passed on the subscription-manager command line.  Passing secrets on the command line is insecure because unprivileged users can read the process list which includes the command and all arguments to the command.

      In the short term we can handle this problem by invoking subscription-manager via pexpect.spawn() without giving it the password.  In this case, subscription-manager will interactively prompt for the password and we can then use pexpect to send the password.

      Longer term, subscription-manager is going to add the ability to pass the password via a file and we can then use that to pass in the password:

      https://issues.redhat.com/browse/ENT-4724

      Embargo lift date: TBD

        1. 0000-backport-Do-not-put-the-subscription-manager-password-onto-th.patch
          56 kB
          Daniel Diblik
        2. 0000-Do-not-put-the-subscription-manager-password-onto-th.patch
          59 kB
          Daniel Diblik
        3. 0001-backport-Do-not-put-the-subscription-manager-password-onto-th.patch
          51 kB
          Toshio Kuratomi
        4. 0001-Do-not-put-the-subscription-manager-password-onto-th.patch
          55 kB
          Toshio Kuratomi
        5. 0002-backport-Fix-the-expect-script.patch
          3 kB
          Toshio Kuratomi
        6. 0002-fix-Flaky-tests-and-improve-existing-tests.patch
          5 kB
          Freya Gustavsson
        7. 0002-Fix-the-expect-script-for-sending-rhsm-password.patch
          3 kB
          Toshio Kuratomi
        8. 0003-backport-Fix-for-pexpect.wait-on-RHEL7.patch
          1 kB
          Toshio Kuratomi
        9. 0003-Fix-for-pexpect.wait-on-RHEL7.patch
          1 kB
          Toshio Kuratomi
        10. 0004-Add-integration-test.patch
          3 kB
          Daniel Diblik
        11. 0004-backport-Add-integration-test.patch
          4 kB
          Daniel Diblik
        12. 0005-backport-Fix-Pexpect.spawn-truncating-lines-on-RHEL7.patch
          3 kB
          Toshio Kuratomi
        13. 0005-Fix-Pexpect.spawn-truncating-lines-on-RHEL7.patch
          3 kB
          Toshio Kuratomi
        14. 2022-04-08a-Do-not-put-the-subscription-manager-password-onto-th.patch
          60 kB
          Toshio Kuratomi
        15. 2022-04-08-backport-Do-not-put-the-subscription-manager-password-onto-th.patch
          57 kB
          Toshio Kuratomi
        16. convert2rhel-0.25-cve-fix.el7.noarch.rpm
          131 kB
          Michal Bocek
        17. convert2rhel-0.25-cve-fix.el8.noarch.rpm
          134 kB
          Michal Bocek
        18. convert2rhel-0.25-cvefix2.el6.noarch.rpm
          132 kB
          Toshio Kuratomi
        19. convert2rhel-0.25-cvefix2.el7.noarch.rpm
          131 kB
          Toshio Kuratomi
        20. convert2rhel-0.25-cvefix2.el8.noarch.rpm
          134 kB
          Toshio Kuratomi

              ddiblik@redhat.com Daniel Diblik
              tkuratom@redhat.com Toshio Kuratomi
              Daniel Diblik, Freya Gustavsson, Michal Bocek
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated:
                Resolved: