cloudstack-dev mailing list archives

From Carlos Reategui <car...@reategui.com>
Subject Re: [DISCUSS] Changing the way password reset works, or allowing the cloud-init way
Date Tue, 26 Aug 2014 22:33:24 GMT
On Tue, Aug 26, 2014 at 3:04 PM, Marcus <shadowsor@gmail.com> wrote:

> I'm wondering how you keep the root password secure. Right now, it works
> similarly to userdata and metadata, in that the instance queries its router
> as it boots, but then the password is wiped once queried. If this didn't
> happen, non-root users could query for the root password all day. Do you
> suggest this be special userdata that is handled like this after first
> access? Or is there another way this is normally handled?
>

For that reason I prefer to set the meta-data/public-keys and not allow
password authentication.  Cloud-init supports this.  It would be nice if
the UI had a means to manage keys and an option to set the public-key for
an instance.


>
> Is the push for cloud-init just that it is easier to install than
> cloud-set-guest-password?
>
>
>
> On Tue, Aug 26, 2014 at 4:00 PM, Erik Weber <terbolous@gmail.com> wrote:
>
> > On Tue, Aug 26, 2014 at 11:44 PM, Nux! <nux@li.nux.ro> wrote:
> >
> > > Hi Erik and thanks for your effort. Using user data is a nice idea.
> > > Let's see what more experienced programmers have to say on this.
> > >
> > >
> > Sure thing
> >
> > > One thing that I noticed, though it might have been OK in your particular
> > > case, "rm -rf /var/lib/cloud/" is a bad idea as it can include various
> > > useful scripts along that path. As you noticed I copy the
> > > cloudstack-set-password script in /var/lib/cloud/scripts/per-boot, so
> > > that's one example. :-)
> > >
> >
> >
> > Guess I should note that this was on a test vm, to force refreshing the
> > user-data. It can probably be done in a less harmful way.
> >
> > DO NOT DO THIS ON ANYTHING IN PRODUCTION :-)
> >
> > --
> > Erik
> >
>
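As an added illustration (not part of the thread, and not CloudStack's or cloud-init's own code), here is a `#cloud-config` user-data fragment that does what Carlos describes: it provisions a public key and disables password authentication, so there is no root password for the instance to fetch from the virtual router and nothing for a non-root process to query afterwards. The key material is a placeholder, and the user name `admin` is an assumption; `ssh_pwauth`, `disable_root`, `lock_passwd` and `ssh_authorized_keys` are standard cloud-init keys.

```yaml
#cloud-config
# Added example, not from the thread: key-only SSH access for a CloudStack guest.
# cloud-init's CloudStack datasource reads this user-data from the virtual router.

ssh_pwauth: false        # sshd refuses password logins entirely
disable_root: true       # no direct root login over SSH; use the sudo user below

# Applied to the default user of the image (e.g. "ubuntu", "cloud-user").
ssh_authorized_keys:
  - ssh-ed25519 AAAA...EXAMPLE-KEY-PLACEHOLDER ops@example.invalid

users:
  - default
  - name: admin                      # assumed account name
    shell: /bin/bash
    sudo: ALL=(ALL) NOPASSWD:ALL
    lock_passwd: true                # no password is ever set for this account
    ssh_authorized_keys:
      - ssh-ed25519 AAAA...EXAMPLE-KEY-PLACEHOLDER ops@example.invalid
```

With this in place the cloud-set-guest-password path (and its wipe-after-first-read behaviour that Marcus describes) is simply unused: the only credential on the instance is the public key, which is safe to expose through metadata, and a rotation is a change of user-data plus a reboot rather than a password reset.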
