From acfe464a3193caa07d23a8e6085f12b135247ffc Mon Sep 17 00:00:00 2001 From: "patchback[bot]" <45432694+patchback[bot]@users.noreply.github.com> Date: Wed, 19 Apr 2023 21:14:34 +0200 Subject: [PATCH] [PR #6366/1aa94a5a backport][stable-6] redhat_subscription: document the security of the registration (#6368) redhat_subscription: document the security of the registration (#6366) (cherry picked from commit 1aa94a5a1d4756c74ce7394de70d77a92350caca) Co-authored-by: Pino Toscano --- plugins/modules/redhat_subscription.py | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/plugins/modules/redhat_subscription.py b/plugins/modules/redhat_subscription.py index adfa1ca21a..79b0d4b4c9 100644 --- a/plugins/modules/redhat_subscription.py +++ b/plugins/modules/redhat_subscription.py @@ -19,6 +19,16 @@ description: registering using D-Bus if possible. author: "Barnaby Court (@barnabycourt)" notes: + - | + The module tries to use the D-Bus C(rhsm) service (part of C(subscription-manager)) + to register, starting from community.general 6.5.0: this is done so credentials + (username, password, activation keys) can be passed to C(rhsm) in a secure way. + C(subscription-manager) itself gets credentials only as arguments of command line + parameters, which is I(not) secure, as they can be easily stolen by checking the + process listing on the system. Due to limitations of the D-Bus interface of C(rhsm), + the module will I(not) use D-Bus for registation when trying either to register + using I(token), or when specifying I(environment), or when the system is old + (typically RHEL 6 and older). - In order to register a system, subscription-manager requires either a username and password, or an activationkey and an Organization ID. - Since 2.5 values for I(server_hostname), I(server_insecure), I(rhsm_baseurl), I(server_proxy_hostname), I(server_proxy_port), I(server_proxy_user) and
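Review bot: The last sentence of the added note lists the cases where D-Bus is not used (I(token), I(environment), old systems such as RHEL 6 and older) but does not say what the module does instead. Since the sentence before it says C(subscription-manager) only takes credentials as command line arguments, which is I(not) secure, the note should state outright whether registration in those cases goes through the C(subscription-manager) command line, leaving the credentials visible in the process listing. Readers who use I(token) or I(environment) would then know the secure path does not apply to them. In the same sentence, "registation" should be "registration".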