openstack team mailing list archive
-
openstack team
-
Mailing list archive
-
Message #18095
Re: Handling of adminPass is arguably broken (essex)
On Oct 31, 2012, at 7:04 PM, Lars Kellogg-Stedman <lars@xxxxxxxxxxxxxxxx> wrote:
> Injection via files on a configuration disk seems to me the best way
> to handle security credentials like this, because disks in many cases
> require privileges to mount on a system and the configuration script
> can delete the credentials file after processing it.
Honestly I think the entire idea of passing a password in to the instance at boot
time is insecure and flawed. The best idea I've heard for a secure windows password
is the following:
a) put a public key on the instance via metadata or config drive (for ease of use this could actually just be the ssh public key you normally use for logging into the vm).
b) have a daemon in the windows instance that:
* generates a random password
* sets the administrator password to the random password
* encrypts it with the public key
* serves the encrypted password over https on a known port (say 9999)
c) open up port (9999) in the instance's security group
d) retrieve the encrypted password and decrypt it
e) close port (9999) in the instances security group
for extra security you could use make daemon run for a certain amount of time on initial boot or have a a specific url on the port that stops the daemon.
If we could collaborate on a daemon that does this on the guest side then we could
actually create a nova command that would do all of the above and display the password
to the user. In fact this would work for non-windows vms as well.
nova get-password <uuid>
Vish
Follow ups
References