cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Andrija Panic <andrija.pa...@gmail.com>
Subject Re: A secure way to reset VMs password
Date Fri, 28 Nov 2014 12:05:53 GMT
For me personaly, this Cloudstack feature is used only during "damn I
forgot my password" and during deploying new VM from template.

After I get access to VM - the password should be really changed anyway.
I agree it's unsecure, but again you are supposed to change it - and not
hope that the passwrod generated by third party tool (not yourself) is safe
or not stored anywhere else...


On 28 November 2014 at 10:34, Jayapal Reddy Uradi <
jayapalreddy.uradi@citrix.com> wrote:

>
> Another point to note is all the vms in production has to update
> with the new cloud-set-guest-password scripts because of the new password
> reset method.
>
> Thanks,
> Jayapal
>
>
>
> On 28-Nov-2014, at 2:28 PM, Erik Weber <terbolous@gmail.com>
>  wrote:
>
> > On Thu, Nov 27, 2014 at 3:54 PM, Alireza Eskandari <
> > astro.alireza@yahoo.com.invalid> wrote:
> >
> >> HiI viewed the bash script that resets Linux password (
> >>
> http://download.cloud.com/templates/4.2/bindir/cloud-set-guest-password.in)It
> >> seems that it doesn't use a secure way for transferring password string
> to
> >> instance.Instances on a shared network can sniff password requests and
> >> export requested password of other instances.I suggest to use SSL
> (https)
> >> instead of plan text.Regards
> >>
> >>
> > I like the idea, but there's a couple of obstacles to overcome, namely
> > which SSL certificates to use.
> > - certificates need a subject name, ie. IP or hostname for web pages, you
> > could solve this by making the mgmt server a CA and have each VR get a
> > signed certificate by it, but it's complicated
> > - if the community bundle a pre generated certificate it is commonly
> known
> > and not to be trusted, also not sure how to handle subject name
> > - assuming everyone to supply a valid certificate is quite complicated
> (CA
> > must be on VR etc), and makes it considerably harder to get a working
> setup
> > - using self signed causes issues with validation
> >
> >
> > Don't get me wrong, I love the idea, but it's not just to flip a switch
> and
> > have (proper) SSL in place.
> >
> > --
> > Erik
>
>


-- 

Andrija Panić

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message