INQUIRY Better way to hide password details in .repo

Latest response

Hi esteemed colleagues,

I am sure many had the same problem before:

Encrypt the basic auth password in a yum .repo file (via hash or some keystore, or something similar)

My research could not find the answer if yum package manager can support hashed passwords in .repo config files for repositories.

So far, I see following options being used:

a) Provide username and password directly in /etc/yum.repos.d/myrepo.repo:

baseurl=https://myuser:mypasswd@myserv/mypath

or

b) Create file with just the password string in /etc/yum/vars/mypass, and then set /etc/yum.repos.d/myrepo.repo:

baseurl=https://myuser:"$mypass"@myserv/mypath

Anybody has better ideas? Having password saved in plain-text is still very "unconformable".

I also wonder if Red Hat is thinking about making this more robust and secure in RHEL 8 (I did not see it in DNF documentation)?

Regards,

Dusan Baljevic (amateur radio VK2COT)

Responses

Hi,

Fort those that want more information.

I was able to set up JFrog Artifactory Enterprise Universal Repository Manager with RPM repository and enable REST API for username. We use this RPM repository for third-party applications.

Then, on RHEL servers, this worked:

username=myuser
password=myAPIkey
baseurl=https://myserv/mypath

By utilising Artifactory API key, I was able to eliminate need of using real password.

At least with this special type of RPM repository, RHEL can support API keys instead of real passwords in .repo configs.

Regards,

Dusan Baljevic (amateur radio VK2COT)