RHEL Conversions / RHELC-432

Pass the rhsm password securely to subscription-manager


    • Type: Task
    • Resolution: Done
    • Priority: Critical
    • 0.25-4
    • convert2rhel
    • 8
    • rhel-conversions

      When convert2rhel registers a system with subscription-manager, it shells out to the subscription-manager program. If the user gave convert2rhel a password to authenticate with subscription-manager, that password ends up on the subscription-manager command line. Passing secrets on the command line is insecure because unprivileged users can read the process list (for example with ps, or by reading /proc/<pid>/cmdline), which includes each command and all of its arguments.

      In the short term we can handle this by invoking subscription-manager via pexpect.spawn() without giving it the password. subscription-manager will then prompt for the password interactively, and we can use pexpect to send it in response to that prompt, so the secret never appears in the argument list.
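      The two approaches side by side, as an added example that is not convert2rhel code and does not run the real subscription-manager: a small constructed child process plays the role of subscription-manager, checking a password it receives either on argv (the pre-fix behaviour) or from a prompt on its controlling terminal. The secure path uses the standard-library pty module for the expect/send step where convert2rhel uses pexpect; the credential "correct horse" and the STUB_EXPECTED environment variable (how the stand-in learns the password it should accept) are assumptions of this example. Both paths record what /proc/<pid>/cmdline showed while the child was running, which is exactly what another local user would see.

```python
import os
import pty
import select
import subprocess
import sys
import textwrap
import time

EXPECTED_PASSWORD = "correct horse"   # constructed credential the stub accepts (not real)
ENV_KEY = "STUB_EXPECTED"             # hypothetical: the stub learns it via env, not argv

# Stand-in for subscription-manager, constructed for this example.  It checks the
# password it receives from argv (pre-fix mode) or from a prompt on its controlling
# terminal with echo off (fixed mode), and exits 0 on a match, 1 otherwise.
STUB = textwrap.dedent("""
    import getpass, os, sys
    expected = os.environ["STUB_EXPECTED"]
    if "--password" in sys.argv:                 # pre-fix: the secret arrived in argv
        pw = sys.argv[sys.argv.index("--password") + 1]
        sys.stdout.write("ready\\n"); sys.stdout.flush()
        sys.stdin.readline()                     # stay alive until the parent has read our cmdline
    else:                                        # fixed: ask on /dev/tty, as subscription-manager does
        pw = getpass.getpass("Password: ")
    sys.exit(0 if pw == expected else 1)
""")


def linux_proc_available():
    return os.path.exists("/proc/self/cmdline")


def proc_cmdline(pid):
    """argv of a live process exactly as any local user can read it (Linux); [] elsewhere."""
    try:
        with open("/proc/%d/cmdline" % pid, "rb") as f:
            return [a.decode() for a in f.read().split(b"\0") if a]
    except OSError:
        return []


def run_stub_insecure(username, password):
    """Pre-fix pattern: --password on the command line.  Returns (exit_code, argv_seen)."""
    argv = [sys.executable, "-c", STUB, "register", "--username", username, "--password", password]
    proc = subprocess.Popen(argv, env=dict(os.environ, **{ENV_KEY: EXPECTED_PASSWORD}),
                            stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True)
    proc.stdout.readline()                # "ready": the child has exec'd, so its argv is final
    seen = proc_cmdline(proc.pid)         # ...and the secret is sitting in it for anyone to read
    proc.stdin.write("\n"); proc.stdin.close()
    code = proc.wait()
    proc.stdout.close()
    return code, seen


def expect(fd, needle, timeout=10.0):
    """Read from the pty master until needle appears; the pexpect.expect() step."""
    buf, deadline = b"", time.monotonic() + timeout
    while needle not in buf:
        left = deadline - time.monotonic()
        if left <= 0:
            raise TimeoutError("no %r from child within %ss; got %r" % (needle, timeout, buf))
        if not select.select([fd], [], [], left)[0]:
            continue
        try:
            chunk = os.read(fd, 4096)
        except OSError:                   # EIO on Linux once the child has closed the slave side
            chunk = b""
        if not chunk:
            raise EOFError("child exited before prompting; output was %r" % buf)
        buf += chunk
    return buf


def run_stub_secure(username, password):
    """Interim fix from RHELC-432: no password in argv; answer the prompt over a pty.
    Returns (exit_code, argv_seen_while_prompting)."""
    argv = [sys.executable, "-c", STUB, "register", "--username", username]
    pid, master = pty.fork()
    if pid == 0:                          # child: becomes the tool; the secret is not in its argv
        try:
            os.execvpe(argv[0], argv, dict(os.environ, **{ENV_KEY: EXPECTED_PASSWORD}))
        finally:
            os._exit(127)
    try:
        expect(master, b"Password:")      # the child is now blocked reading its terminal
        seen = proc_cmdline(pid)          # what ps / other users see at this moment
        os.write(master, password.encode() + b"\n")   # pexpect.sendline(); echo is already off
        _, status = os.waitpid(pid, 0)
    finally:
        os.close(master)
    return (os.WEXITSTATUS(status) if os.WIFEXITED(status) else -1), seen


if __name__ == "__main__":
    code, seen = run_stub_insecure("admin", EXPECTED_PASSWORD)
    print("insecure: exit", code, "| password in cmdline:", EXPECTED_PASSWORD in seen)
    code, seen = run_stub_secure("admin", EXPECTED_PASSWORD)
    print("secure:   exit", code, "| password in cmdline:",
          any(EXPECTED_PASSWORD in a for a in seen))
```

      Waiting for the prompt before writing matters: getpass-style prompting switches the terminal to no-echo with a TCSAFLUSH, which discards any input typed earlier, so a password sent before the prompt appears would be lost. The same ordering is what the pexpect version has to get right.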

      Longer term, subscription-manager is going to add the ability to pass the password via a file, and we can then use that instead:

      https://issues.redhat.com/browse/ENT-4724

      Embargo lift date: TBD

        Attachments:
        1. 0002-fix-Flaky-tests-and-improve-existing-tests.patch (5 kB, Freya Gustavsson)
        2. convert2rhel-0.25-cve-fix.el7.noarch.rpm (131 kB, Michal Bocek)
        3. convert2rhel-0.25-cve-fix.el8.noarch.rpm (134 kB, Michal Bocek)
        4. 0001-backport-Do-not-put-the-subscription-manager-password-onto-th.patch (51 kB, Toshio Kuratomi)
        5. 0002-backport-Fix-the-expect-script.patch (3 kB, Toshio Kuratomi)
        6. 0003-backport-Fix-for-pexpect.wait-on-RHEL7.patch (1 kB, Toshio Kuratomi)
        7. convert2rhel-0.25-cvefix2.el7.noarch.rpm (131 kB, Toshio Kuratomi)
        8. convert2rhel-0.25-cvefix2.el8.noarch.rpm (134 kB, Toshio Kuratomi)
        9. convert2rhel-0.25-cvefix2.el6.noarch.rpm (132 kB, Toshio Kuratomi)
        10. 0001-Do-not-put-the-subscription-manager-password-onto-th.patch (55 kB, Toshio Kuratomi)
        11. 0002-Fix-the-expect-script-for-sending-rhsm-password.patch (3 kB, Toshio Kuratomi)
        12. 0003-Fix-for-pexpect.wait-on-RHEL7.patch (1 kB, Toshio Kuratomi)
        13. 0004-backport-Add-integration-test.patch (4 kB, Daniel Diblik)
        14. 0004-Add-integration-test.patch (3 kB, Daniel Diblik)
        15. 0000-backport-Do-not-put-the-subscription-manager-password-onto-th.patch (56 kB, Daniel Diblik)
        16. 0000-Do-not-put-the-subscription-manager-password-onto-th.patch (59 kB, Daniel Diblik)
        17. 0005-Fix-Pexpect.spawn-truncating-lines-on-RHEL7.patch (3 kB, Toshio Kuratomi)
        18. 2022-04-08a-Do-not-put-the-subscription-manager-password-onto-th.patch (60 kB, Toshio Kuratomi)
        19. 0005-backport-Fix-Pexpect.spawn-truncating-lines-on-RHEL7.patch (3 kB, Toshio Kuratomi)
        20. 2022-04-08-backport-Do-not-put-the-subscription-manager-password-onto-th.patch (57 kB, Toshio Kuratomi)

              ddiblik@redhat.com Daniel Diblik
              tkuratom@redhat.com Toshio Kuratomi
              Daniel Diblik, Freya Gustavsson, Michal Bocek
              Votes: 0
              Watchers: 5
