[Spacewalk-list] API using hashed SATELLITE_PASSWORD

Thomas Foster thomas.foster80 at gmail.com
Thu May 8 22:15:07 UTC 2014


You are also using http instead of https, so the passwords are sent in
clear text.


On Thu, May 8, 2014 at 6:08 PM, Grant Gainey <ggainey at redhat.com> wrote:

> ----- Original Message -----
> > We would like to use a hashed password with the API. Example below:
>
> Your example seems to just use the API with a password like usual?
>
> >
> > #!/usr/bin/python
> > import xmlrpclib
> >
> > SATELLITE_URL = "http://satellite.example.com/rpc/api"
> > SATELLITE_LOGIN = "username"
> > SATELLITE_PASSWORD = "password"
> >
> > client = xmlrpclib.Server(SATELLITE_URL, verbose=0)
> > key = client.auth.login(SATELLITE_LOGIN, SATELLITE_PASSWORD)
> > list = client.user.list_users(key)
> > for user in list:
> >     print user.get('login')
> > client.auth.logout(key)
> >
> >
> > Will this cause any problems in other areas? Will it work at all?
>
> What are you trying to accomplish, really?
>
> If it's "tell customers that their password is never known by the SW
> server" - well, let's see.  You could set up their accounts by asking them
> for a password, salt+hash that string, binhex it, and use *that* as their
> SW password.  Then, to use the API, give them a script/application that
> asked them for their 'real' password and replicated the process before
> talking to SW. Basically, the salthash'd string *is* their pwd, from SW's
> POV, but SW never knows the string the user remembers.
>
> On the other hand, if you're trying to protect your SW admin's pwd from
> prying eyes - well, sooner or later, *something* has to call login.  And
> whatever you call the Thing that login accepts, it needs to be secure, or a
> nosey user of your script is still going to end up with the ability to
> trash your SW instance :)
>
> But I think maybe I'm not understanding what you're trying to do.  Can you
> give us more context?
>
> G
>
> >
> > _______________________________________________
> > Spacewalk-list mailing list
> > Spacewalk-list at redhat.com
> > https://www.redhat.com/mailman/listinfo/spacewalk-list
>
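An added example, not code from this thread or from the Spacewalk project, of the client-side scheme described in the quoted reply, combined with the https point made at the top of the message. The use of PBKDF2-HMAC-SHA256, the round count, the salt built from login and host, plain hex encoding in place of "binhex", and the `server_factory` parameter are all assumptions made for illustration.

```python
import hashlib
import xmlrpc.client
from urllib.parse import urlsplit

PBKDF2_ROUNDS = 200_000  # assumption: the thread does not name a KDF or cost


def derive_api_password(real_password, login, server_host):
    """Return the hex string that is stored in, and sent to, Spacewalk.

    The salt is built from login and host (an assumption), so one remembered
    password yields a different API password per account and per server.
    """
    salt = ("%s@%s" % (login, server_host.lower())).encode("utf-8")
    digest = hashlib.pbkdf2_hmac(
        "sha256", real_password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return digest.hex()


def open_session(url, login, real_password,
                 server_factory=xmlrpc.client.ServerProxy):
    """Log in with the derived password; refuse anything but https."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("refusing non-https API URL: %r" % url)
    api_password = derive_api_password(real_password, login, parts.hostname)
    client = server_factory(url)
    # From the server's point of view api_password *is* the password:
    # whoever holds it can log in, so it must never travel over plain http
    # or be stored in a script that other users can read.
    key = client.auth.login(login, api_password)
    return client, key


if __name__ == "__main__":
    import getpass
    url = "https://satellite.example.com/rpc/api"  # host as in the thread
    client, key = open_session(url, "username", getpass.getpass("Password: "))
    try:
        for user in client.user.list_users(key):
            print(user.get("login"))
    finally:
        client.auth.logout(key)
```

The account has to be created with the output of `derive_api_password` as its Spacewalk password for the login to succeed.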