
The Red Hat subscription-manager is a tool to register, attach and remove subscriptions from the command line. If I understand correctly, this tool connects to the customer portal to retrieve certificates. These certificates are then used, among other things, to download yum packages from the Red Hat repo.

Sources:

There are several things that I don't understand:

  1. Why can't a user copy a certificate from one Red Hat machine to another and use it there? I assume the certificate includes machine-specific values (according to the docs, they are called "facts"), but then...
  2. How are the certificates loaded and checked by the other processes? For instance, I guess that yum must be using these certificates. But then the yum CLI tool must have been patched, right? Is the source code of these changes available?
  3. Is the source code of the subscription-manager tool available? That would clarify many things.
Machavity
Régis B.

2 Answers


1. Let's say you copied the certificate, but you will still need to register the server from which you copied the certificates. Each time you register the server, a separate secret key will be created for the machine. You cannot register your server with the subscription-manager by copying the certificate, since there cannot be the same secret keys for individual machines. After registering, you can access the generated keys in /etc/pki/entitlement directory.
You can examine the information about these certificates with the help of rct or openssl. Samples are available from https://access.redhat.com/solutions/189533

To better understand the difference, you can register two different machines with the same user and compare the certificates.

2. About the working of the yum command:
You can see the directory of the certificates used by this command by opening any file in /etc/yum.repos.d/. When you look at one of these files, you will see a line like `sslclientkey=/etc/pki/entitlement/1234567890123456789-key.pem`. This file holds the private key of your machine.

3. You can find information about its content at
https://github.com/candlepin/subscription-manager/tree/master/src/subscription_manager/scripts

Edit:

Not only certificates are used while being registered in the system. There are also the NTP server (replay attack prevention), the Kerberos KDC (includes timestamp etc.), user authentication etc. If you check the certificate information using openssl or other options you can get this information. You are expecting the new machine to be subscribed when you just copy the necessary files from a subscribed machine to the new machine, right? Simply, it will not, because of the KDC which IdM uses. You should check the Red Hat IdM Guide for a better understanding.

shnoq
  • I swear I'm doing my best but I still do not understand. If I copy the certificates, secret keys and yum repos from one machine to another, what prevents me from using the same license? You say that I "cannot register your server with the subscription-manager by copying the certificate, since there cannot be the same secret keys for individual machines." What is actually preventing individual machines from using the same secret key? – Régis B. Mar 19 '20 at 09:11
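The answer above points at the `sslclientkey=` / `sslclientcert=` lines in /etc/yum.repos.d/ as the place where yum is told which entitlement key and certificate to present. The following is an added example, not code from the post or from Red Hat's tooling: it parses a constructed redhat.repo-style file and reports, per enabled repo, whether it is entitlement-gated at all, whether the baseurl is plain http (so no client certificate can be presented), and optionally whether the referenced private key exists and is readable by other users. Repo ids, URLs and paths in the sample are made up for illustration.

```python
import configparser
import os
import stat

# Constructed sample modelled on the sslclientkey= line quoted in the answer;
# the repo ids and paths are illustrative, not taken from a real system.
SAMPLE_REPO = """
[rhel-8-for-x86_64-baseos-rpms]
name = Red Hat Enterprise Linux 8 BaseOS (RPMs)
baseurl = https://cdn.redhat.com/content/dist/rhel8/$releasever/x86_64/baseos/os
enabled = 1
sslverify = 1
sslcacert = /etc/rhsm/ca/redhat-uep.pem
sslclientkey = /etc/pki/entitlement/1234567890123456789-key.pem
sslclientcert = /etc/pki/entitlement/1234567890123456789.pem

[local-mirror]
name = Internal mirror (no client cert)
baseurl = http://mirror.example.internal/rhel8
enabled = 1
"""

CERT_KEYS = ("sslcacert", "sslclientcert", "sslclientkey")


def audit_repo_text(text, check_files=False):
    """Return {repo_id: [findings]} for every enabled repo in `text`.

    With check_files=True the sslclientkey path is also checked for
    existence and for group/world readability (the key is the machine's
    private entitlement key, so only root should be able to read it).
    """
    cp = configparser.ConfigParser(interpolation=None)  # keep $releasever literal
    cp.read_string(text)
    report = {}
    for repo in cp.sections():
        sec = cp[repo]
        if sec.get("enabled", "1").strip() != "1":
            continue
        findings = []
        if sec.get("baseurl", "").startswith("http://"):
            findings.append("baseurl is plain http; entitlement cert cannot be presented")
        present = {k: sec[k] for k in CERT_KEYS if k in sec}
        if not present:
            findings.append("no ssl* cert settings; repo is not entitlement-gated")
        key = present.get("sslclientkey")
        if key and check_files:
            if not os.path.exists(key):
                findings.append("sslclientkey missing: %s" % key)
            elif os.stat(key).st_mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append("sslclientkey readable by group/others: %s" % key)
        report[repo] = findings
    return report
```

Run it against the real files with `audit_repo_text(open(path).read(), check_files=True)` for each file in /etc/yum.repos.d/; a clean entitlement repo produces an empty findings list.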

Subscription Manager performs several key operations:

    * It registers systems to the Red Hat subscription management service and adds the system
    to the inventory. Once a system is registered, it can receive updates based on its
    subscriptions to any kind of software products.

    * It lists both available and used subscriptions.

    * It allows administrators to both attach specific subscriptions to a system and  remove
    those subscriptions.

To answer the above questions:

1. Why the certificate of one system can't be used on other systems:

The subscription management service issues a new identity certificate for the system, using an existing UUID in the original identity certificate. If this is used alone, then the identity command also uses the original identity certificate to bind to the subscription management service, using certificate-based authentication.

2. How yum verifies these certificates:

yum reads from repository metadata: yum updates certificate-based repositories from https://cdn.redhat.com/, which in turn provides repomd.xml (e.g. https://cdn.redhat.com/content/dist/rhel/server/6/6Server/x86_64/cf-tools/1.0/os/repodata/repomd.xml), which contains repository metadata.

3. About the source, I am not sure if we have access to it.

Avinash Yadav
  • Thanks for your answer! Can you give more details on what is this "identity command"? – Régis B. Sep 25 '19 at 11:13
  • The identity command handles the UUID of a system, which identifies the system to the subscription management service after registration. This command can simply return the UUID or it can be used to restore the registration of a previously-registered system to the subscription management service. Eg: `[root@rhel8 ~]# subscription-manager identity --force` – Avinash Yadav Sep 25 '19 at 11:31
  • I appreciate your explanations; however, if I simply copy the certificate from one machine to another, then I'll be able to run `yum`, right? This would allow me to "hack" the red hat license. Is there something that prevents me from doing that? I see that there exists a subscription manager plugin for yum: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/sec-yum_plugins Is that related? Is the code for this plugin open? – Régis B. Sep 25 '19 at 12:16
  • I am not an expert, however, as of my encounters, we can copy the certificate if both systems are registered with the same username and password, which concludes we can't bluff the subscription manager. As far as yum plugins are concerned, they just provide extra functionality, e.g. the fastmirror repo. – Avinash Yadav Sep 25 '19 at 16:19