[openstack-dev] Windows instances with password-less authentication

Wed Dec 18 02:52:10 UTC 2013

Hi guys,

We got password-less authentication properly working in Windows, implemented and included in Cloudbase-Init.

Here’s a blog post explaining how it works:

And the gory details:

It works with the existing OpenStack bits, but IMO we need to improve the certificate support in Nova and Horizon.

To cut it short, Windows uses a service called WinRM, which can use HTTPS as transport option and can be configured to use X509 certificates for authentication.
The result is that you can get a remote PowerShell by simply having the certificate + private key, without needing the user's password.

What’s happening here is very similar to how keypairs are used, especially considering that for the time being we are using self signed

Since we need to pass the x509 certificate via metadata and since the custom metadata fields can get up to 255 chars,
we got to the following working solution which is IMO at the limit between being almost usable and a crazy hack. :-)

# Convert the PEM cert to DER, base64 it on one line, then cut it into 255-char chunks (the Nova custom metadata value limit)
declare -a CERT=(`openssl x509 -inform pem -in your_cert.pem -outform der | base64 -w 0 | sed -r 's/(.{255})/\1\n/g'`)
# Pass each chunk as its own admin_certN metadata field
nova boot --flavor 2 --image "your_windows_image" --key-name key1 vm1 \
--meta admin_cert0="${CERT[0]}" \
--meta admin_cert1="${CERT[1]}" \
--meta admin_cert2="${CERT[2]}" \
--meta admin_cert3="${CERT[3]}" \
--meta admin_cert4="${CERT[4]}"
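As an added example (not part of this post or of Cloudbase-Init), here are both halves of that metadata round-trip in Python: the chunking the shell pipeline above performs, and the reassembly the guest side has to do, with the checks a practitioner wants when a certificate is spread over numbered fields (ordering admin_certN keys numerically rather than lexically, refusing a missing chunk, and a DER outer-length sanity check on the result). `fake_der` is a constructed stand-in for a certificate, not real X.509 data.

```python
import base64
import re

CHUNK = 255  # max length of a Nova custom metadata value (the limit cited above)

def split_cert_to_meta(cert_der: bytes, prefix: str = "admin_cert") -> dict:
    """Base64 the DER cert and cut it into 255-char values admin_cert0, admin_cert1, ...
    (same result as the `base64 -w 0 | sed` pipeline in the post)."""
    b64 = base64.b64encode(cert_der).decode("ascii")
    return {f"{prefix}{i}": b64[j:j + CHUNK]
            for i, j in enumerate(range(0, len(b64), CHUNK))}

def der_outer_length_ok(der: bytes) -> bool:
    """True if the outer DER SEQUENCE header covers exactly len(der) bytes (catches a lost chunk)."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        return 2 + first == len(der)
    n = first & 0x7F                      # long-form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return False
    return 2 + n + int.from_bytes(der[2:2 + n], "big") == len(der)

def join_cert_from_meta(meta: dict, prefix: str = "admin_cert") -> bytes:
    """Guest-side reassembly. Chunks are ordered by numeric suffix (so admin_cert10
    does not sort before admin_cert2) and gaps raise instead of silently truncating."""
    pat = re.compile(rf"^{re.escape(prefix)}(\d+)$")
    parts = {}
    for key, value in meta.items():
        m = pat.match(key)
        if m:
            parts[int(m.group(1))] = value
    if set(parts) != set(range(len(parts))):
        raise ValueError(f"non-contiguous {prefix} chunks: {sorted(parts)}")
    der = base64.b64decode("".join(parts[i] for i in sorted(parts)), validate=True)
    if not der_outer_length_ok(der):
        raise ValueError("reassembled data is not one DER SEQUENCE")
    return der

def fake_der(payload_len: int) -> bytes:
    """Constructed stand-in: a DER SEQUENCE around filler bytes, not a real X.509 certificate."""
    if payload_len < 0x80:
        hdr = bytes([0x30, payload_len])
    else:
        lb = payload_len.to_bytes((payload_len.bit_length() + 7) // 8, "big")
        hdr = bytes([0x30, 0x80 | len(lb)]) + lb
    return hdr + bytes(i % 251 for i in range(payload_len))
```

With a real certificate, feed the bytes from `openssl x509 -outform der` to `split_cert_to_meta` in place of `fake_der`.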

As an alternative, to make life easier for the users, we accept the X509 PEM file in the user_data as well.

What we really need to improve the user experience is to manage the certificates in a way similar to how we manage keypairs today.

Some initial discussion ideas:

1) improve Nova keypairs to support X509 certs as well, not only simple keypairs

2) improve nova-cert to handle client side certificates. This would give the additional advantage
to manage certificates with a centralized CA, not only self signed certificates.

On the nova client side, we need to pass an option to nova boot similar (or in alternative) to what we do for the keypairs today.
Likewise, in Horizon there must be a way to choose the certificate when booting a VM (with a select or similar UI element, see keypair).

Note1: the certificate used for the client auth requires 2 enhanced key usage OIDs: clientAuth and (UPN).
See here for how to generate one with OpenSSL: https://github.com/cloudbase/winrm-scripts/blob/master/create-winrm-client-cert.sh

Note2: since SSH can use X509 certificates, this topic might go beyond the Windows specific case.

Ok, looking forward to hearing your thoughts!
