From: Sven Hilmer on 28 Nov 2009 09:03

hi all

To download patches from Sun you use your Sun Online account either by --ask or by using --user and --passwd at the command line.

If you want to set up a PCA Proxy cache you can write the account data in the file /etc/pca-proxy.conf as two lines as 'user=...' and 'passwd=...'

Is there a way to configure a Sun Online Account to be used by a PCA Proxy Cache without having to write your passwd in cleartext in an ASCII file?

Sven

--
Sven-Olaf Hilmer, Solaris System Engineer
Hilmer Informatik GmbH http://www.hilmer-informatik.ch

From: Tim Bradshaw on 29 Nov 2009 08:02

On 2009-11-28 14:03:46 +0000, Sven Hilmer <shilmer(a)invalid.invalid> said:

> Is there a way to configure a Sun Online Account to be used by a PCA
> Proxy Cache without having to write your passwd in cleartext in an ASCII
> file ?

I can't see one. PCA needs to know the plaintext so it can authenticate (the same way a human needs to know it). I don't think sunsolve offers any kind of authentication which does not involve you telling it a password.

But I am not sure it matters: PCA needs to know *something* which allows it to authenticate to sunsolve, and that something is enough to let anything else authenticate if they can get hold of it. Recent PCA versions use https so it is not the case that the password goes over the wire in plain.

--tim

From: Sven Hilmer on 29 Nov 2009 08:45

Tim Bradshaw wrote:
> On 2009-11-28 14:03:46 +0000, Sven Hilmer <shilmer(a)invalid.invalid> said:
>
>> Is there a way to configure a Sun Online Account to be used by a PCA
>> Proxy Cache without having to write your passwd in cleartext in an ASCII
>> file ?
>
> I can't see one.

I can.

> PCA needs to know the plaintext so it can authenticate
> (the same way a human needs to know it).

It's not exactly PCA that needs to know the password but it's 'wget'.

> I don't think sunsolve offers
> any kind of authentication which does not involve you telling it a
> password.

To find a way to fetch patches without authentication is not my goal. I'd like to configure user and passwd (pre)encrypted similar way smpatch does.

What I could imagine is to use the '--header=STRING' argument of wget, e.g.

# wget --header="Authorization: Basic dXNlcjpwYXNzd2Q=" ...

The auth string could be obtained from the verbose output of pca when pca invokes wget for fetching patches.

# pca -V -a -d

You shouldn't configure a wgetrc file with this option as it would be used for each invocation of wget, when not used by PCA too.

If you could configure this header for use by wget in the pca.conf file you have (or not) to distinguish when it has to be applied to wget and when not. You don't need authentication to fetch the patchdiag.xref file. But you have to authenticate to fetch patches. Might be you can safely apply this header when fetching the patchdiag.xref file. I'd prefer a cleaner solution, applying an auth header to wget when one must be applied.

Sven

P.S. don't try to crack the example auth string, it is 'user:passwd'

--
Sven-Olaf Hilmer, Solaris System Engineer
Hilmer Informatik GmbH http://www.hilmer-informatik.ch

From: Tim Bradshaw on 29 Nov 2009 09:51

On 2009-11-29 13:45:58 +0000, Sven Hilmer <shilmer(a)invalid.invalid> said:

> It's not exactly PCA that needs to know the password but it's 'wget'.

Yes, of course.

> To find a way to fetch patches without authentication is not my goal.
> I'd like to configure user and passwd (pre)encrypted similar way smpatch
> does.

I'm not sure what advantage you expect to gain from this. If you know the token (whether it is "pre encrypted" or not) that the tool presents to sunsolve to authenticate itself, then you can present that token as well, and do whatever the tool can do.

From: Martin Paul on 30 Nov 2009 04:34

Hi Sven,

> Is there a way to configure a Sun Online Account to be used by a PCA
> Proxy Cache without having to write your passwd in cleartext in an ASCII
> file ?

Actually, there is, in the recent development version of pca. When you do not set user/passwd in pca-proxy.conf, the proxy will ask the client for SOA data, which will then ask user/passwd from the user on the client. Is that what you want?

Otherwise, I agree with Tim. It doesn't matter whether you store user/passwd in plain text or base64 encoded in some file, as this is just obfuscation, not encryption.

There's one unsolved problem: Using "ps", you can see the encoded SOA data supplied to wget with the --header option. This has two reasons: pca has to use --header instead of --http-user/--http-passwd, because of a peculiarity of SunSolve - it's the only way to make authentication work with any version of wget. The other part of the problem is that wget doesn't have a secure way to supply the --header option (like via an environment variable). While using a wgetrc file seems to be an option, it isn't, as pca would have to (temporarily) modify an existing ~/.wgetrc file, which some users wouldn't like for sure.

mp.

--
SysAdmin | Institute of Scientific Computing, University of Vienna
PCA | Analyze, download and install patches for Solaris
| http://www.par.univie.ac.at/solaris/pca/ |
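
Added example, not part of the thread and not pca code: a defender-side audit of the two points made above, that a Basic token decodes without any key and that wget's --header argument is readable in a ps listing. The ps listing, PIDs and host names are constructed, the function names are hypothetical, and a base64 command that accepts -d is assumed; conf_is_private is an extra check for a credentials file such as the pca-proxy.conf from the first post.

```shell
# Added example, not pca code. Assumes a base64 command that accepts -d.

# Constructed `ps` output; PIDs and host names are made up. The token is the
# example string from the thread.
sample_ps() {
cat <<'EOF'
  PID ARGS
 1201 /usr/bin/perl /usr/local/bin/pca -a -d
 1207 wget --header=Authorization: Basic dXNlcjpwYXNzd2Q= https://patches.example.invalid/p.zip
 1310 wget https://patches.example.invalid/patchdiag.xref
EOF
}

# Print "PID TOKEN" for every process whose arguments carry a Basic auth header.
find_basic_tokens() {
    awk '{
        for (i = 3; i < NF; i++)
            if ($(i-1) ~ /Authorization:$/ && $i == "Basic") print $1, $(i+1)
    }'
}

# Base64 is an encoding, not encryption: decoding needs no key.
decode_basic() {
    printf '%s' "$1" | base64 -d
}

# Report each exposure, naming the account but never printing the password.
audit_ps() {
    find_basic_tokens | while read -r pid token; do
        creds=$(decode_basic "$token") || continue
        printf 'pid %s: argv exposes password for account %s\n' "$pid" "${creds%%:*}"
    done
}

# True if the file grants no access to group or other (mode like 0600).
conf_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Run the audit over the constructed listing.
sample_ps | audit_ps
```

On a live host, replace sample_ps with the system's own ps invocation that prints PID and full arguments.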