openstack team mailing list archive
-
openstack team
-
Mailing list archive
-
Message #18094
Re: Handling of adminPass is arguably broken (essex)
Ok, sorry for my lack of knowledge of windows + passwords.
Windows passwords are based on a hashed format correct (LM or NTLM?).
Would it be possible to send this as user-data over the metadata service
(either via the webservice or the cfg-drive), then provide a way to get
that hash into the windows security service (not sure what its called).
Even though this hash might be viewable a hash shouldn't be easily cracked
(assuming good password choosing here).
If that¹s not the case, I think others were proposing of methods to get
more 'data' on the config-drive, which it seems like yours is a case of
(although I'm not sure if the cfg-drive should be 'r/w', but this can just
be a option). Would u want to take that on with your proposal as well?
Something that removes the restrictions of 'inject_data_into_fs' and
instead could just be a set of simple modular classes that can be given a
instance + metadata for that instance and a mount location and can write
in whatever format they want. I could see there being a
'LegacyFilesystemInjector' that writes the current format to a filesystem,
a 'ConfigDriveInjector' and a subclass of the later to handle your case.
The injector to use could be another plugin (with the given 2 stated being
included by default in openstack).
Thoughts?
On 10/31/12 7:04 PM, "Lars Kellogg-Stedman" <lars@xxxxxxxxxxxxxxxx> wrote:
>On Wed, Oct 31, 2012 at 06:17:29PM -0700, Joshua Harlow wrote:
>> Just fyi, the cloud-init format 'spec' has something similar that
>>bypasses
>> the file injection (which is a bad/insecure/incompatible concept that
>> needs to be gotten rid of imho) by having the following syntax it
>> understands:
>>
>>
>>http://bazaar.launchpad.net/~cloud-init-dev/cloud-init/trunk/view/head:/d
>>oc
>> /examples/cloud-config-user-groups.txt
>
>The cloud-init stuff works via the user-data attribute available from
>the metadata server. This makes it unsuitable for security
>credentials, since *anyone* on the instance can query the metadata
>server.
>
>Injection via files on a configuration disk seems to me the best way
>to handle security credentials like this, because disks in many cases
>require privileges to mount on a system and the configuration script
>can delete the credentials file after processing it.
>
>> Is there anyway a windows version of cloud-init could be done, either
>> ported, or patched, or a service like cloud-init could be added to
>>windows
>> images (using a startup program in the windows image that could just be
>>a
>> call-out to a python interpreter or something different...).
>
>As I said, this is pretty much what we're doing to provision an ssh
>key for administrator access to our windows host.
>
>--
>Lars Kellogg-Stedman <lars@xxxxxxxxxxxxxxxx> |
>Senior Technologist |
>http://ac.seas.harvard.edu/
>Academic Computing |
>http://code.seas.harvard.edu/
>Harvard School of Engineering |
> and Applied Sciences |
>
References