Subject: Re: A secure way to reset VMs password
From: Carlos Reátegui
Date: Tue, 2 Dec 2014 21:59:37 -0800
To: dev@cloudstack.apache.org

I'm all for providing choice, but not when one of them is not a good/secure one.

> On Dec 2, 2014, at 9:48 PM, John Kinsella wrote:
>
> It's not our place to enforce how users authenticate to their VMs. We provide flexible options, suggest best practices, and let them use the tool as best suits their needs.
>
> Excuse any typos - sent from mobile device
>
>> On Dec 2, 2014, at 21:22, Carlos Reategui wrote:
>>
>> Why do passwords at all? Why not just use ssh keys like AWS does. The functionality is already there just not in the ACS UI. Cloud-init already supports it which is available in most distros and therefore would not require CS specific scripts. At least not for linux.
>> On windows I'm not exactly sure how AWS does it but I think it is also some kind of terminal services certificates so I think it could be made to work too.
>>
>> -Carlos
>>
>>> On Dec 2, 2014, at 2:35 PM, Chiradeep Vittal wrote:
>>>
>>> You would need client-side certs as well since the password server needs to be able to validate WHO is asking for the password. Currently it is based on the client's IP address.
>>> Also the current scheme is a single-use password — as soon as the password is retrieved, it is not available to anybody else (of course a MITM could sniff the first exchange).
>>>
>>> You could eliminate a lot of MITM-style attacks by running the password server locally on each hypervisor (hard for VMW), or by attaching an ISO (containing the password) to the VM.
>>>
>>> From: John Kinsella
>>> Reply-To: "dev@cloudstack.apache.org"
>>> Date: Tuesday, December 2, 2014 at 1:32 PM
>>> To: "dev@cloudstack.apache.org"
>>> Subject: Re: A secure way to reset VMs password
>>>
>>> That password reset infrastructure has bigger issues than just SSL. The server side works, but that's about all I can say for it. This topic comes up every 6-12 months. :)
>>>
>>> I thought there was a Jira entry but I can't find it…personally I'd love to see the client and server sides both rewritten from scratch.
>>>
>>> John
>>>
>>> On Nov 28, 2014, at 11:33 AM, Nux! wrote:
>>> Jayapal,
>>> Not necessarily, one could run stunnel or nginx as SSL proxy on some other port (8443?), this way SSL and non-SSL connections will still work and give you plenty of time to update your templates, if you so wish.
>>> Am I missing any important bits here?
>>> Lucian
>>> --
>>> Sent from the Delta quadrant using Borg technology!
>>> Nux!
>>> www.nux.ro
>>> ----- Original Message -----
>>> From: "Jayapal Reddy Uradi"
>>> Cc: "Alireza Eskandari"
>>> Sent: Friday, 28 November, 2014 09:34:02
>>> Subject: Re: A secure way to reset VMs password
>>> Another point to note is all the vms in production have to update with the new cloud-set-guest-password scripts because of the new password reset method.
>>> Thanks,
>>> Jayapal
>>> On 28-Nov-2014, at 2:28 PM, Erik Weber wrote:
>>> On Thu, Nov 27, 2014 at 3:54 PM, Alireza Eskandari <astro.alireza@yahoo.com.invalid> wrote:
>>> Hi
>>> I viewed the bash script that resets Linux password (http://download.cloud.com/templates/4.2/bindir/cloud-set-guest-password.in)
>>> It seems that it doesn't use a secure way for transferring password string to instance.
>>> Instances on a shared network can sniff password requests and export requested password of other instances.
>>> I suggest to use SSL (https) instead of plain text.
>>> Regards
>>> I like the idea, but there's a couple of obstacles to overcome, namely which SSL certificates to use.
>>> - certificates need a subject name, ie. IP or hostname for web pages, you could solve this by making the mgmt server a CA and have each VR get a signed certificate by it, but it's complicated
>>> - if the community bundle a pre generated certificate it is commonly known and not to be trusted, also not sure how to handle subject name
>>> - assuming everyone to supply a valid certificate is quite complicated (CA must be on VR etc), and makes it considerably harder to get a working setup
>>> - using self signed causes issues with validation
>>> Don't get me wrong, I love the idea, but it's not just to flip a switch and have (proper) SSL in place.
>>> --
>>> Erik
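
Added example, not part of the original thread and not CloudStack code: a small model of the single-use password hand-off described above, comparing identification by source IP with identification by a verified client certificate. The class, function names, addresses and certificate fingerprints are all hypothetical and constructed for illustration.

```python
import secrets

class PasswordServer:
    """Single-use password store; `identify` decides WHO a request comes from."""

    def __init__(self, identify):
        self.identify = identify   # function(request) -> identity or None
        self.pending = {}          # identity -> password not yet fetched
        self.audit = []            # (identity, source_ip, outcome)

    def set_password(self, identity):
        self.pending[identity] = secrets.token_urlsafe(9)
        return self.pending[identity]

    def fetch(self, request):
        who = self.identify(request)
        # pop() enforces single use: a second fetch for the same identity gets nothing.
        password = self.pending.pop(who, None) if who else None
        outcome = "served" if password else "refused"
        self.audit.append((who, request["source_ip"], outcome))
        return password

def by_source_ip(request):
    # Scheme described in the thread: the caller is whoever owns the source address.
    return request["source_ip"]

# Constructed enrolment table: certificate fingerprint -> VM address (assumption).
ENROLLED = {"fp-vm-a": "10.1.1.10"}

def by_client_cert(request):
    # Alternative raised in the thread: identity comes from a verified client
    # certificate; a request without an enrolled certificate has no identity.
    return ENROLLED.get(request.get("client_cert_fp"))

def demo(identify):
    server = PasswordServer(identify)
    issued = server.set_password("10.1.1.10")
    # A request that carries VM A's source address but is not VM A (for example
    # one relayed by a man-in-the-middle); it has no client certificate.
    other = server.fetch({"source_ip": "10.1.1.10", "client_cert_fp": None})
    # VM A asks afterwards, presenting its own certificate.
    vm_a = server.fetch({"source_ip": "10.1.1.10", "client_cert_fp": "fp-vm-a"})
    return issued, other, vm_a, [outcome for _, _, outcome in server.audit]
```

With `by_source_ip` the first request is served and VM A is refused, so a refused fetch right after a reset is the only server-side signal that someone else took the password and is worth alerting on. Neither identification scheme protects the password from passive sniffing unless the exchange is also encrypted.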