From: Nux!
To: dev@cloudstack.apache.org
Date: Wed, 3 Dec 2014 15:51:09 +0000 (GMT)
Subject: Re: A secure way to reset VMs password
Message-ID: <472994166.32399.1417621869556.JavaMail.zimbra@li.nux.ro>

An open source alternative is in the works by the guys at Cloudbase.it in their cloudbase-init: https://review.openstack.org/#/c/127593/

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

----- Original Message -----
> From: "Alireza Eskandari"
> To: dev@cloudstack.apache.org
> Sent: Wednesday, 3 December, 2014 04:44:33
> Subject: Re: A secure way to reset VMs password
>
> A stupid question!
> I can't find the source of the Windows version of the password manager! Where is it?
>
> Sent from Samsung Mobile.
>
> -------- Original message --------
> From: Chiradeep Vittal
> Date: 03/12/2014 02:05 (GMT+03:30)
> To: dev@cloudstack.apache.org
> Subject: Re: A secure way to reset VMs password
>
> You would need client-side certs as well, since the password server needs to be able to validate WHO is asking for the password. Currently it is based on the client's IP address.
> Also, the current scheme is a single-use password — as soon as the password is retrieved, it is not available to anybody else (of course a MITM could sniff the first exchange).
>
> You could eliminate a lot of MITM-style attacks by running the password server locally on each hypervisor (hard for VMW), or by attaching an ISO (containing the password) to the VM.
>
> From: John Kinsella
> Reply-To: "dev@cloudstack.apache.org"
> Date: Tuesday, December 2, 2014 at 1:32 PM
> To: "dev@cloudstack.apache.org"
> Subject: Re: A secure way to reset VMs password
>
> That password reset infrastructure has bigger issues than just SSL. The server side works, but that's about all I can say for it. This topic comes up every 6-12 months. :)
>
> I thought there was a Jira entry but I can't find it… personally I'd love to see the client and server sides both rewritten from scratch.
>
> John
>
> On Nov 28, 2014, at 11:33 AM, Nux! wrote:
> Jayapal,
> Not necessarily, one could run stunnel or nginx as an SSL proxy on some other port (8443?); this way SSL and non-SSL connections will still work and give you plenty of time to update your templates, if you so wish.
> Am I missing any important bits here?
> Lucian
> --
> Sent from the Delta quadrant using Borg technology!
> Nux!
> www.nux.ro
>
> ----- Original Message -----
> From: "Jayapal Reddy Uradi"
> Cc: "Alireza Eskandari"
> Sent: Friday, 28 November, 2014 09:34:02
> Subject: Re: A secure way to reset VMs password
> Another point to note is that all the VMs in production have to be updated with the new cloud-set-guest-password scripts because of the new password reset method.
> Thanks,
> Jayapal
>
> On 28-Nov-2014, at 2:28 PM, Erik Weber wrote:
> On Thu, Nov 27, 2014 at 3:54 PM, Alireza Eskandari <astro.alireza@yahoo.com.invalid> wrote:
> Hi
> I viewed the bash script that resets the Linux password (http://download.cloud.com/templates/4.2/bindir/cloud-set-guest-password.in). It seems that it doesn't use a secure way of transferring the password string to the instance. Instances on a shared network can sniff password requests and extract the requested password of other instances. I suggest using SSL (https) instead of plain text.
> Regards
>
> I like the idea, but there are a couple of obstacles to overcome, namely which SSL certificates to use.
> - certificates need a subject name, i.e. IP or hostname for web pages; you could solve this by making the mgmt server a CA and having each VR get a certificate signed by it, but it's complicated
> - if the community bundles a pre-generated certificate it is commonly known and not to be trusted; also not sure how to handle the subject name
> - assuming everyone will supply a valid certificate is quite complicated (CA must be on the VR etc.), and makes it considerably harder to get a working setup
> - using self-signed certificates causes issues with validation
> Don't get me wrong, I love the idea, but it's not just a matter of flipping a switch and having (proper) SSL in place.
> --
> Erik
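The design the thread converges on (Erik: the management server acts as a CA and signs a certificate for each virtual router; Chiradeep: the password server additionally needs client-side certificates to know WHO is asking, and hands the password out exactly once) can be shown end to end in a few dozen lines. The Go program below is an added illustration written for this page; it is not code from the thread, from cloud-set-guest-password or from CloudStack. The CA name `cloudstack-mgmt-ca`, the router name `r-1-VM`, the guest name `i-2-7-VM`, the password value and the `saved_password` sentinel are all constructed for the demo, and the plain HTTPS GET stands in for the real request the guest script makes. It generates an in-memory CA, issues a server certificate to the router and a client certificate to one guest, and runs a password server that requires a CA-issued client certificate, takes the VM identity from the verified certificate rather than from the source address, and deletes the password on first retrieval.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"sync"
	"time"
)

// Constructed demo values; "saved_password" is this example's own sentinel, not the CloudStack protocol's.
const routerName, demoVM, demoPassword, alreadyRetrieved = "r-1-VM", "i-2-7-VM", "Xk3-constructed-pw", "saved_password"

// mustIssue mints a key and a one-hour certificate for cn: self-signed with cert-signing usage when parent is nil (the management-server CA), otherwise signed by that CA.
func mustIssue(cn string, serial int64, parent *tls.Certificate, eku ...x509.ExtKeyUsage) tls.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku, IsCA: parent == nil, BasicConstraintsValid: true}
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	signerCert, signerKey := tmpl, key // self-signed unless a parent CA is given
	if parent != nil {
		signerCert, signerKey = parent.Leaf, parent.PrivateKey.(ed25519.PrivateKey)
	} else {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, pub, signerKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // DER that Go itself just produced parses back cleanly
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// PasswordServer models the router-side service: one password per VM, released once, and only to a peer whose CA-issued client certificate names that VM.
type PasswordServer struct {
	sync.Mutex
	pending map[string]string // VM name -> password not yet collected
}

// ServeHTTP relies on tls.RequireAndVerifyClientCert: every request that reaches it carries a verified chain.
func (s *PasswordServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	vm := r.TLS.VerifiedChains[0][0].Subject.CommonName // WHO is asking, taken from the verified certificate, not the source IP
	s.Lock()
	defer s.Unlock()
	pw, ok := s.pending[vm]
	if !ok {
		io.WriteString(w, alreadyRetrieved)
		return
	}
	delete(s.pending, vm) // single use: once collected, nobody (the same VM included) can fetch it again
	io.WriteString(w, pw)
}

// fetch is the guest side of the exchange; calling it with no certificate models an unenrolled client.
func fetch(url string, roots *x509.CertPool, certs ...tls.Certificate) (string, error) {
	cfg := &tls.Config{RootCAs: roots, ServerName: routerName, Certificates: certs}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg, DisableKeepAlives: true}}
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// RunDemo builds the CA, router and guest certificates, then runs the exchange: the first fetch releases the password, the second only the sentinel, and a certificate-less client is refused.
func RunDemo() (first, second string, anonymousRejected bool, err error) {
	ca := mustIssue("cloudstack-mgmt-ca", 1, nil)
	vr := mustIssue(routerName, 2, &ca, x509.ExtKeyUsageServerAuth)
	guest := mustIssue(demoVM, 3, &ca, x509.ExtKeyUsageClientAuth)
	roots := x509.NewCertPool()
	roots.AddCert(ca.Leaf)
	srv := httptest.NewUnstartedServer(&PasswordServer{pending: map[string]string{demoVM: demoPassword}})
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{vr}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: roots}
	srv.StartTLS()
	defer srv.Close()
	if first, err = fetch(srv.URL, roots, guest); err != nil {
		return
	}
	if second, err = fetch(srv.URL, roots, guest); err != nil {
		return
	}
	_, anonErr := fetch(srv.URL, roots) // no client certificate at all: refused at the TLS handshake
	return first, second, anonErr != nil, nil
}

func main() { fmt.Println(RunDemo()) } // prints the two fetch results, the rejection flag and any error
```

The check worth looking at is the third fetch: with `tls.RequireAndVerifyClientCert` the handshake itself refuses a peer that cannot present a certificate chained to the CA, so identity is settled before a single password byte leaves the router, which an IP-keyed scheme cannot guarantee on a shared network. The cost is the one Erik lists: every guest must be enrolled with a certificate and every router must carry the CA bundle, and the second fetch shows why that still matters even with TLS in place, since the single-use rule only protects the password if the first requester was really the VM it was meant for.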