cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nux! <...@li.nux.ro>
Subject Re: A secure way to reset VMs password
Date Fri, 28 Nov 2014 19:31:14 GMT
Andrija,

Don't think like that if you run a public offering. Convenience will always win, the customer
will not change the password. :)

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

----- Original Message -----
> From: "Andrija Panic" <andrija.panic@gmail.com>
> To: dev@cloudstack.apache.org
> Cc: "Alireza Eskandari" <astro.alireza@yahoo.com>
> Sent: Friday, 28 November, 2014 12:05:53
> Subject: Re: A secure way to reset VMs password

> For me personaly, this Cloudstack feature is used only during "damn I
> forgot my password" and during deploying new VM from template.
> 
> After I get access to VM - the password should be really changed anyway.
> I agree it's unsecure, but again you are supposed to change it - and not
> hope that the passwrod generated by third party tool (not yourself) is safe
> or not stored anywhere else...
> 
> 
> On 28 November 2014 at 10:34, Jayapal Reddy Uradi <
> jayapalreddy.uradi@citrix.com> wrote:
> 
>>
>> Another point to note is all the vms in production has to update
>> with the new cloud-set-guest-password scripts because of the new password
>> reset method.
>>
>> Thanks,
>> Jayapal
>>
>>
>>
>> On 28-Nov-2014, at 2:28 PM, Erik Weber <terbolous@gmail.com>
>>  wrote:
>>
>> > On Thu, Nov 27, 2014 at 3:54 PM, Alireza Eskandari <
>> > astro.alireza@yahoo.com.invalid> wrote:
>> >
>> >> HiI viewed the bash script that resets Linux password (
>> >>
>> http://download.cloud.com/templates/4.2/bindir/cloud-set-guest-password.in)It
>> >> seems that it doesn't use a secure way for transferring password string
>> to
>> >> instance.Instances on a shared network can sniff password requests and
>> >> export requested password of other instances.I suggest to use SSL
>> (https)
>> >> instead of plan text.Regards
>> >>
>> >>
>> > I like the idea, but there's a couple of obstacles to overcome, namely
>> > which SSL certificates to use.
>> > - certificates need a subject name, ie. IP or hostname for web pages, you
>> > could solve this by making the mgmt server a CA and have each VR get a
>> > signed certificate by it, but it's complicated
>> > - if the community bundle a pre generated certificate it is commonly
>> known
>> > and not to be trusted, also not sure how to handle subject name
>> > - assuming everyone to supply a valid certificate is quite complicated
>> (CA
>> > must be on VR etc), and makes it considerably harder to get a working
>> setup
>> > - using self signed causes issues with validation
>> >
>> >
>> > Don't get me wrong, I love the idea, but it's not just to flip a switch
>> and
>> > have (proper) SSL in place.
>> >
>> > --
>> > Erik
>>
>>
> 
> 
> --
> 
> Andrija Panić

Mime
View raw message