Allow encrypted password in bootstrap.py script for Red Hat Satellite 6

Resolution

• There is no option available to use bootstrap.py with an encrypted password but you can check the below options :

  • use passwords (and a minimally scoped user which only has permissions to register systems) OR
  • use activation keys (and register clients for content only)

• A feature request is closed as "CLOSED WONTFIX" with the below explanation:

  • The bootstrap script varies from utilities such as virt-who (and SSH keys) in the following manner:

    1. Utilities such as virt-who are daemons which require access to authentication credentials at startup, and as such, encrypting these credentials 'at rest' is wise and a sound practice.The bootstrap script has no requirement to store credentials on disk whatsoever as it is used only once (to register a system interactively).

    2. SSH Keys, despite their length, are effectively authentication credentials which are stored on disk and MUST be protected via permissions/ACLs.

    3. The Satellite 6 API requires basic (username/password) authentication. And for many of bootstrap.py's use-cases, it is required to authenticate to authenticate to the API. At no time is the password transmitted in cleartext over an unencrypted HTTP transport.

    4. Virt-who decrypts the passwords at startup, stores the cleartext passwords in memory and uses them to authenticate to the various APIs it needs to. bootstrap.py doesn't differ in that manner. The script just needs to prompt the user for the username/password as (again) it isn't stored on disk.