[Openstack-operators] Console security question when using nova-novncproxy to access console

Joe Topjian joe at topjian.net
Wed Oct 22 14:27:54 UTC 2014


Hi Niall,

It looks like vnc password support was removed from the vmware driver last
October:

https://github.com/openstack/nova/commit/058ea40e7b7fb2181a2058e6118dce3f051e1ff3

For libvirt, there is an option in qemu.conf for "vnc_password", but I'm
not sure how it would work with OpenStack.

Thanks,
Joe


On Tue, Oct 21, 2014 at 9:30 PM, Niall Power <niall.power at oracle.com> wrote:

> Hi all,
>
> I have a question about a security consideration on a compute node when
> using nova-novncproxy for console access.
>
> Is there any existing mechanism within Nova to automatically authenticate
> against the VNC console of an instance
> (I'm talking about plain old VNC authentication) or to generally prevent
> unauthorized local user accounts on the compute-node from accessing the VNC
> console of an instance?
>
> I understand that nova-novncproxy and websockify bridge between the
> public network and the private internal/infrastructure network of the
> compute-node using wss:// to secure and encrypt the connection over the
> public network. I also understand that VNC authentication is comparatively
> very weak...
>
> This is perhaps only an issue when the compute-node is also permitting
> traditional Unix type user logins.
> Let's say we have an instance running on the compute-node and the
> hypervisor or container manager serves out the console over VNC on a known
> port and the tenant has authenticated and logged in on the console using
> Horizon, perhaps as the administrator. A local user on the compute node, if
> they specified the correct port, could in theory then access the console
> and the administrative account of that instance without needing to
> authenticate.
>
> VNC authentication using a password (and optionally a username) would seem
> like the traditional way to prevent such unauthorized access. I can't find
> anything within the Nova code base that seems to cater for password
> authentication with the VNC server. For example, the vmware nova driver
> returns the following dictionary
> of parameters for an instance console in vmops.py:get_vnc_console():
>                {'host': CONF.vmware.host_ip,
>                 'port': self._get_vnc_port(vm_ref),
>                 'internal_access_path': None}
>
> No suggestion of a password to authenticate with the VNC server. Is this
> intentionally not supported, lacking, or is there perhaps simply a better
> way to address this problem?
>
> Thanks in advance!
> Niall Power
>
>
> _______________________________________________
> OpenStack-operators mailing list
> OpenStack-operators at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>
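The exposure Niall describes (a hypervisor VNC port on the compute node that accepts console connections with no VNC authentication) can be checked from the node itself. The following audit script is an added example, not code from the thread or from Nova: it completes only the RFB version and security-type negotiation (RFB 3.3, 3.7 and 3.8), sends no credentials, and reports whether the server offers the "None" security type. The host and port are command-line arguments; the security-type names are the standard RFB registry values.

```python
# Added audit example (not from the thread or Nova): report whether a VNC
# (RFB) endpoint offers unauthenticated access, using only the handshake.
import socket
import sys

# Standard RFB security-type codes (subset of the IANA/RFB registry).
SECURITY_TYPE_NAMES = {0: "Invalid", 1: "None", 2: "VNC Authentication",
                       16: "Tight", 18: "TLS", 19: "VeNCrypt"}


def _read_exact(sock, n):
    """Read exactly n bytes or raise if the peer closes mid-negotiation."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed during RFB negotiation")
        buf += chunk
    return buf


def negotiate_security_types(sock):
    """Return the list of security-type codes the RFB server offers on sock."""
    banner = _read_exact(sock, 12)          # e.g. b"RFB 003.008\n"
    if not banner.startswith(b"RFB "):
        raise ValueError("not an RFB server: %r" % banner)
    major, minor = int(banner[4:7]), int(banner[8:11])
    # Answer with the highest version we understand, clamped to the server's.
    if (major, minor) >= (3, 8):
        version = (3, 8)
    elif (major, minor) >= (3, 7):
        version = (3, 7)
    else:
        version = (3, 3)
    sock.sendall(b"RFB %03d.%03d\n" % version)
    if version == (3, 3):
        # RFB 3.3: the server dictates one type as a 4-byte big-endian word.
        return [int.from_bytes(_read_exact(sock, 4), "big")]
    count = _read_exact(sock, 1)[0]         # RFB 3.7/3.8: count, then list
    if count == 0:
        raise ValueError("server refused the connection")
    return list(_read_exact(sock, count))


def audit(host, port):
    """Connect, negotiate, and return (offers_no_auth, [type names])."""
    with socket.create_connection((host, port), timeout=5) as sock:
        types = negotiate_security_types(sock)
    names = [SECURITY_TYPE_NAMES.get(t, "type %d" % t) for t in types]
    return 1 in types, names


if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2])
    no_auth, names = audit(host, port)
    print("%s:%d offers %s -> %s" % (host, port, names,
          "UNAUTHENTICATED console" if no_auth else "authentication required"))
```

Run it against each instance's VNC port on the compute node (e.g. `python vnc_audit.py 127.0.0.1 5900`); a result listing "None" means any local account able to reach that port gets the console without a VNC password, which is the case to mitigate by restricting the listen address or enabling authentication on the hypervisor side.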