From 59f13915cc7beb5df6cf9028d03e3c708d85ced5 Mon Sep 17 00:00:00 2001
From: Ryan Brady <rbrady@redhat.com>
Date: Tue, 9 Dec 2014 10:46:00 -0500
Subject: [PATCH] Deprecates username and password from boot time registration

The username and password combination is considered insecure to store in
the metadata passed to the stack as they can easily be obtained and
possibly used in an unauthorized manner by logging into one of the
registration systems. The use of an activation key is more desirable
as it can only be used in conjunction with subscription-manager to
register a RHEL system.

This patch deprecates the username and password support from the script
that registers RHEL with either Satellite or RH Customer Portal during
boot-time.  This patch also adds a warning if the username and password
combination is used in the stack metadata. The documentation and examples
have also been updated to warn operators of the deprecation of username
and password.

This patch does not affect the username and password support for
registration activities while building images with diskimage-builder.

Change-Id: I05b7a18e910d31ad2273042409f8657ad9dee36a
---
 elements/rhel-common/README.md                      | 21 +++++++++++++++++----
 .../pre-configure.d/06-rhel-registration            |  4 +++-
 .../rhel-common/pre-install.d/00-rhel-registration  |  2 +-
 3 files changed, 21 insertions(+), 6 deletions(-)

diff --git a/elements/rhel-common/README.md b/elements/rhel-common/README.md
index d57d165..f2eb64c 100644
--- a/elements/rhel-common/README.md
+++ b/elements/rhel-common/README.md
@@ -9,6 +9,18 @@ Portal or Satellite to enable software installation from official
 repositories. After the end of the image creation process, the image will
 unregister itself so an entitlement will not be decremented from the account.
 
+
+SECURITY WARNING:
+-----------------
+While the image building workflow will allow you to register with a username
+and password combination, that feature is deprecated in the boot process via
+Heat as it will expose your username and password in clear text for anyone
+that has rights to run heat stack-show.  A compromised username and password
+can be used to login to the Red Hat Customer Portal or an instance of
+Satellite.  An activation key can only be used for registration purposes using
+the subscription-manager command line tool and is considered a lower security
+risk.
+
 IMPORTANT NOTE:
 ----------------
 The 00-rhsm script is specific to RHEL6.  If you use the REG_ variables to
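Review bot: The new SECURITY WARNING calls the activation key "a lower security risk" but does not say that the key lands in the same stack metadata and is just as visible to anyone who can run heat stack-show; add a sentence that the key must still be treated as a secret (it can register systems against the organization's entitlements) and should be rotated if the stack metadata is exposed. Minor wording: "can be used to login to" should read "can be used to log in to", and the extra blank line added before the heading is not needed.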
@@ -158,6 +170,7 @@ Heat metadata can be used to configure the rhel-common element.
         org:
             # Gives the organization to which to join the system.
         password:
+            # DEPRECATED
             # Gives the password for the user account.
         release:
             # Sets the operating system minor release to use for subscriptions
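Review bot: A bare "# DEPRECATED" comment under `password:` (and under `user:` in the next hunk) tells the reader the option is going away but not what to use instead; make it actionable, e.g. "# DEPRECATED: use activation_key together with org instead (see SECURITY WARNING above)", so operators reading only the metadata reference find the replacement without scrolling up.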
@@ -180,6 +193,7 @@ Heat metadata can be used to configure the rhel-common element.
             # Sets the service level to use for subscriptions on that machine.
             # This is only used with the auto_attach option.
         user:
+            # DEPRECATED
             # Gives the content server user account name.
         type:
             # Sets what type of consumer is being registered. The default is
@@ -202,8 +216,7 @@ metadata:
             "satellite_url": "http://my-sat06.server.org",
             "org": "tripleo",
             "environment": "Library",
-            "user":"tripleo",
-            "password":"tripleo",
+            "activation_key": "my-key-SQQkh4",
             "method":"satellite"
             "repos": "rhel-ha-for-rhel-7-server-rpms"
         }
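Review bot: The satellite example is invalid JSON as shown: the context line `"method":"satellite"` has no trailing comma before `"repos": ...`, so anyone pasting it into a template gets a parse error; since this hunk already rewrites the surrounding lines, fix the comma here. Also, `"activation_key": "my-key-SQQkh4"` reads like a real key; an obvious placeholder such as `"<your-activation-key>"` makes it clear the value must be replaced.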
@@ -216,8 +229,8 @@ use the following metadata:
         "rh_registration":{
             "repos":"rhel-7-server-optional-rpms,rhel-7-server-extras-rpms",
             "auto_attach":true,
-            "user":"tripleo",
-            "password":"tripleo",
+            "activation_key": "my-key-SQQkh4",
+            "org": "5643002",
             "method":"portal"
         }
     }
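Review bot: The portal example now hardcodes `"org": "5643002"`, which looks like a real Customer Portal organization id rather than a placeholder; use something like `"<your-org-id>"` so readers do not copy it. It would also help to say in the surrounding text that `org` is required alongside `activation_key`, since the 06-rhel-registration script in this same patch warns when REG_ACTIVATION_KEY is set without REG_ORG.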
diff --git a/elements/rhel-common/os-refresh-config/pre-configure.d/06-rhel-registration b/elements/rhel-common/os-refresh-config/pre-configure.d/06-rhel-registration
index 53ef58a..12a92b0 100755
--- a/elements/rhel-common/os-refresh-config/pre-configure.d/06-rhel-registration
+++ b/elements/rhel-common/os-refresh-config/pre-configure.d/06-rhel-registration
@@ -71,6 +71,8 @@ if [ -n "${REG_ACTIVATION_KEY:-}" ]; then
         echo "WARNING: REG_ACTIVATION_KEY set without REG_ORG."
     fi
 else
+    echo "WARNING: Support for registering with a username and password is deprecated."
+    echo "Please use activation keys instead.  See the README for more information."
     if [ -n "${REG_PASSWORD:-}" ]; then
         opts="$opts --password $REG_PASSWORD"
     fi
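Review bot: The deprecation warning is printed on every run that reaches the `else` branch, i.e. whenever REG_ACTIVATION_KEY is unset, even when no username or password was supplied either, so an operator who simply did not configure registration credentials sees a misleading message; gate the two echo lines on the same `[ -n "${REG_PASSWORD:-}" ]` test used just below, and send them to stderr (`>&2`) so they are not mixed into normal output. Unrelated but visible in the context: `opts="$opts --password $REG_PASSWORD"` leaves the password unquoted (breaks on whitespace) and puts it on the subscription-manager command line, where other local users can read it from the process list; that is a concrete reason for the deprecation and worth stating in the warning text.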
@@ -85,7 +87,7 @@ if [ -n "${REG_MACHINE_NAME:-}" ]; then
 fi
 
 if [ -n "${REG_ORG:-}" ]; then
-    opts="$opts --org $REG_ORG"
+    opts="$opts --org=$REG_ORG"
 fi
 
 if [ -n "${REG_REPOS:-}" ]; then
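Review bot: The change from `--org $REG_ORG` to `--org=$REG_ORG` is not mentioned in the commit message and has nothing to do with deprecating username/password; either explain why the `=` form is needed (the other options in this script, such as `--password $REG_PASSWORD`, still use the space-separated form, so the style is now inconsistent) or split it into its own change.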
diff --git a/elements/rhel-common/pre-install.d/00-rhel-registration b/elements/rhel-common/pre-install.d/00-rhel-registration
index fe19593..02b6fca 100755
--- a/elements/rhel-common/pre-install.d/00-rhel-registration
+++ b/elements/rhel-common/pre-install.d/00-rhel-registration
@@ -68,7 +68,7 @@ if [ -n "${REG_MACHINE_NAME:-}" ]; then
 fi
 
 if [ -n "${REG_ORG:-}" ]; then
-    opts="$opts --org $REG_ORG"
+    opts="$opts --org=$REG_ORG"
 fi
 
 if [ -n "${REG_REPOS:-}" ]; then
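Review bot: This hunk edits `elements/rhel-common/pre-install.d/00-rhel-registration`, which runs during image build, yet the commit message states that the patch "does not affect ... registration activities while building images with diskimage-builder"; either drop this hunk from the patch or update the commit message to say the `--org=` form is applied to the image-build script as well.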