cloudstack-issues mailing list archives

From "Wei Zhou (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLOUDSTACK-10113) password reset service on the VR, may reset passwords unintended
Date Thu, 26 Oct 2017 08:33:00 GMT

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-10113?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16220158#comment-16220158 ]

Wei Zhou commented on CLOUDSTACK-10113:
---------------------------------------

We fixed it by removing the /etc/cloudstack/vmpassword.json after the passwd server update.



> password reset service on the VR, may reset passwords unintended
> ----------------------------------------------------------------
>
>                 Key: CLOUDSTACK-10113
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10113
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>            Reporter: Dag Sonstebo
>            Assignee: Daan Hoogland
>         Attachments: 0001-CLOUDSTACK-10113-merge-for-passwords-to-be-cheap-not.patch
>
>
> Environment tested:
> - CloudStack 4.9.3 on CentOS7.
> - KVM on CentOS7
> - System VM template from http://packages.shapeblue.com/systemvmtemplate/4.6/new/
>  
> In summary (more details can be provided):
> When a VM password reset is requested the databag processing on the VR updates the file /etc/cloudstack/vmpassword.json:
>  
> # cat /etc/cloudstack/vmpassword.json
> {
>   "10.1.1.117": "YT42eJ",
>   "10.1.1.127": "Y34m89",
>   "10.1.1.46": "8Iyg3h",
>   "id": "vmpassword"
> }
>  
> When the VR password service starts / reloads this is loaded into the run configuration file /var/cache/cloud/passwords-10.1.1.1:
>  
> # cat var/cache/cloud/passwords-10.1.1.1
> 10.1.1.46=8Iyg3h
> 10.1.1.127=Y34m89
> 10.1.1.117=YT42eJ
>  
> Once the VM has reset the password the password in question is removed from the cache file – e.g. after a password reset of 10.1.1.46 the contents are:
>  
> # cat var/cache/cloud/passwords-10.1.1.
> 10.1.1.127=Y34m89
> 10.1.1.117=YT42eJ
>  
> The service does however *not* remove the entry from /etc/cloudstack/vmpassword.json:
>  
> # cat /etc/cloudstack/vmpassword.json
> {
>   "10.1.1.117": "YT42eJ",
>   "10.1.1.127": "Y34m89",
>   "10.1.1.46": "8Iyg3h",
>   "id": "vmpassword"
> }
>  
> The user can now log in to the VM in question with the reset password, and set his own. This password reset remains persistent across reboots.
>  
> However – if another password reset for a different VM is requested, then the full content of /etc/cloudstack/vmpassword.json is loaded back into the cache file /var/cache/cloud/passwords-10.1.1.1.
> In this example the password reset was done on VM with IP address 10.1.1.117:
>  
> # cat /etc/cloudstack/vmpassword.json
> {
>   "10.1.1.117": "aT6mVP",
>   "10.1.1.127": "Y34m89",
>   "10.1.1.46": "8Iyg3h",
>   "id": "vmpassword"
> }
>  
> # cat var/cache/cloud/passwords-10.1.1.
> 10.1.1.46=8Iyg3h
> 10.1.1.127=Y34m89
> 10.1.1.117=aT6mVP
>  
> If the first VM – 10.1.1.46 – now reboots it will have its manually reset password reset again by the password service due to the vmpassword.json stored password being reloaded into the cache file.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
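
The sequence from the report, replayed in a small Python model that is an added example and not CloudStack's code or part of the original message. `PasswordService`, `request_reset`, `vm_fetches_password`, `replay` and the `delete_databag_after_load` switch are hypothetical names; the two dicts stand in for the files named in the report, and the switch models the fix described in the comment.

```python
class PasswordService:
    """Toy model of the virtual router (VR) password flow in the report."""

    def __init__(self, delete_databag_after_load=False):
        # Stands in for /etc/cloudstack/vmpassword.json (persisted databag).
        self.databag = {"id": "vmpassword"}
        # Stands in for the cache file /var/cache/cloud/passwords-10.1.1.1.
        self.cache = {}
        self.delete_databag_after_load = delete_databag_after_load

    def request_reset(self, ip, password):
        """A reset is requested: update the databag, then load all of it into the cache."""
        self.databag[ip] = password
        for key, value in self.databag.items():
            if key != "id":
                self.cache[key] = value
        if self.delete_databag_after_load:
            # Fix from the comment: remove the persisted entries once the
            # password server has been updated.
            self.databag = {"id": "vmpassword"}

    def vm_fetches_password(self, ip):
        """A booting VM asks for its password; only the cache entry is consumed."""
        return self.cache.pop(ip, None)


def replay(service):
    """Replay the report's sequence; return what 10.1.1.46 receives on its later reboot."""
    for ip, pw in [("10.1.1.117", "YT42eJ"), ("10.1.1.127", "Y34m89"), ("10.1.1.46", "8Iyg3h")]:
        service.request_reset(ip, pw)
    assert service.vm_fetches_password("10.1.1.46") == "8Iyg3h"  # first, intended reset
    service.request_reset("10.1.1.117", "aT6mVP")  # unrelated reset for another VM
    return service.vm_fetches_password("10.1.1.46")  # 10.1.1.46 reboots


if __name__ == "__main__":
    print("unfixed:", replay(PasswordService()))
    print("fixed:  ", replay(PasswordService(delete_databag_after_load=True)))
```

In the unfixed model the stale databag entry is served to 10.1.1.46 again, overwriting the password the user set; with the databag cleared after each load, the second fetch returns nothing.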
