All;
I am working with candlepin, at least as it is integrated with Katello/Satellite. I am responsible for securing the configuration and one of the controls is that passwords are not stored in cleartext. It appears that the auto-generated database password in candlepin.conf is in cleartext. Is there any mechanism available to obfuscate this password?
-LJK
On 02/10/2016 09:31 AM, Lesley Kimmel wrote:
All;
I am working with candlepin, at least as it is integrated with Katello/Satellite. I am responsible for securing the configuration and one of the controls is that passwords are not stored in cleartext. It appears that the auto-generated database password in candlepin.conf is in cleartext. Is there any mechanism available to obfuscate this password?
-LJK
Hi Lesley,
There is, in fact, a mechanism to obscure passwords.
The password itself should start with the string "$1$" and should be encrypted into base64 encoded AES-CBC. Unfortunately, Candlepin needed to remain compatible with Katello's utility scripts and the Katello utility scripts perform some very low-level cryptographic operations that are difficult to replicate purely on the command line. Therefore, the easiest way to generate the encrypted password is to use the katello-passwd utility that ships with Katello.
The passphrase for the encrypted value is stored in a file and then in candlepin.conf you would set the property candlepin.passphrase.path to point to that file.
The actual class responsible is https://github.com/candlepin/candlepin/blob/master/common/src/main/java/org/...
And you can see a test at https://github.com/candlepin/candlepin/blob/master/common/src/test/java/org/...
----------------------
Regards,
Alex
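As an added illustration (not code from Candlepin or Katello, and not part of the reply above), a small configuration audit for the control Lesley asked about: it checks that password-like properties in candlepin.conf carry the "$1$" prefix with a base64 body, that candlepin.passphrase.path is set, and that the passphrase file's permissions do not hand the passphrase to every local user. The sample property names other than candlepin.passphrase.path are assumptions, and the value check is a shape check only; it cannot verify that the AES-CBC body decrypts.

```python
import base64
import binascii
import re
import stat
# Constructed candlepin.conf fragment (not from a real system); all property names except candlepin.passphrase.path are assumptions.
SAMPLE_CONF = """\
jpa.config.hibernate.connection.username=candlepin
jpa.config.hibernate.connection.password=$1$QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE=
candlepin.passphrase.path=/etc/katello/secure/passphrase
"""
OBFUSCATED_PREFIX = "$1$"  # marker Candlepin expects on an encrypted value
SECRET_KEY_RE = re.compile(r"password|passwd|secret", re.IGNORECASE)

def parse_properties(text):
    """Minimal Java .properties parser: key=value or key:value; # and ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, found, value = line.partition("=" if "=" in line else ":")
        if found:
            props[key.strip()] = value.strip()
    return props

def is_obfuscated(value):
    """Shape check only: $1$ prefix plus non-empty valid base64; cannot prove it decrypts."""
    if not value.startswith(OBFUSCATED_PREFIX):
        return False
    try:
        return len(base64.b64decode(value[len(OBFUSCATED_PREFIX):], validate=True)) > 0
    except (binascii.Error, ValueError):
        return False

def audit_conf(text):
    """Findings for one candlepin.conf text; an empty list means the control passes."""
    props = parse_properties(text)
    secret_keys = [k for k in props if SECRET_KEY_RE.search(k)]
    findings = [f"{k} is stored in cleartext" for k in secret_keys if not is_obfuscated(props[k])]
    if secret_keys and "candlepin.passphrase.path" not in props:
        findings.append("candlepin.passphrase.path is not set")
    return findings

def passphrase_mode_findings(mode):
    """st_mode of the passphrase file: must be a regular, owner-only file, else the obfuscation is moot."""
    findings = [] if stat.S_ISREG(mode) else ["passphrase path is not a regular file"]
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("passphrase file is readable by group or others")
    return findings
```

Feed passphrase_mode_findings the st_mode from os.stat on the path named by candlepin.passphrase.path to complete the check on a live host.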
candlepin@lists.stg.fedorahosted.org