[Openstack] password in clear text

Tim Bell Tim.Bell at cern.ch
Wed Mar 23 17:13:32 UTC 2016


We use OpenStack as follows for most interactive use cases


  *   Our Kerberos server is provided by AD
  *   We kinit/klog to get a Kerberos ticket
  *   Our openrc definitions are set up to use a Keystone authentication with Kerberos

This uses the OS_AUTH_TYPE=v3kerberos environment.

An old blog on this is at http://openstack-in-production.blogspot.fr/2014/10/kerberos-and-single-sign-on-with.html

Adam has also done some nice blogs such as http://adam.younglogic.com/2014/05/keystone-and-kerberos/

The summary is if you have a Kerberos enabled AD nearby and can live with the OSC openstack client, you can avoid the password in clear text in your environment.

Tim
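An openrc along the lines Tim describes (Kerberos via OS_AUTH_TYPE=v3kerberos, no OS_PASSWORD in the environment), with Paul's option 1 quoted further down as the fallback for hosts without a ticket, as an added example that is not code from either author or from CERN; the Keystone URL, project and domain names are placeholders, and the function names are assumed.

```shell
#!/bin/sh
# Added example: source this file instead of an openrc that hard-codes OS_PASSWORD.
# Placeholder values (not from the thread): Keystone URL, project and domain names.
OS_AUTH_URL_DEFAULT="https://keystone.example.invalid:5000/v3"

# Returns 0 when a usable Kerberos ticket is in the credential cache, 1 otherwise.
# (klist -s exits non-zero when there is no valid ticket; absent klist counts as none.)
have_kerberos_ticket() {
    command -v klist >/dev/null 2>&1 || return 1
    klist -s 2>/dev/null
}

# Kerberos mode: the CLI authenticates with the cached ticket, so no password
# or token needs to sit in the environment where other processes could read it.
openrc_kerberos() {
    unset OS_PASSWORD OS_TOKEN
    export OS_AUTH_TYPE=v3kerberos
    export OS_AUTH_URL="${OS_AUTH_URL:-$OS_AUTH_URL_DEFAULT}"
    export OS_IDENTITY_API_VERSION=3
    export OS_PROJECT_NAME="${OS_PROJECT_NAME:-myproject}"           # placeholder
    export OS_PROJECT_DOMAIN_NAME="${OS_PROJECT_DOMAIN_NAME:-Default}" # placeholder
    export OS_USER_DOMAIN_NAME="${OS_USER_DOMAIN_NAME:-Default}"       # placeholder
    export OS_INTERFACE=public
    OS_AUTH_MODE=kerberos
}

# Fallback (Paul's option 1): prompt once per login session with echo turned off;
# the password lives only in this shell's memory, never in a file or login script.
openrc_password_prompt() {
    unset OS_AUTH_TYPE OS_TOKEN
    printf 'OpenStack password for %s: ' "${OS_USERNAME:-$USER}" >&2
    stty -echo 2>/dev/null || true      # no-op when stdin is not a terminal
    IFS= read -r OS_PASSWORD
    stty echo 2>/dev/null || true
    printf '\n' >&2
    export OS_PASSWORD
    OS_AUTH_MODE=password
}

# Prefer the ticket when one exists, otherwise fall back to prompting.
openrc_select() {
    if have_kerberos_ticket; then openrc_kerberos; else openrc_password_prompt; fi
}

# Audit helper: exit 0 if a secret-bearing OS_* variable is exported right now.
env_secrets_present() {
    env | grep -E '^OS_(PASSWORD|TOKEN)=' >/dev/null 2>&1
}
```

Usage: `. ./openrc.sh && openrc_select`, then run `openstack` commands as usual; `env_secrets_present && echo "secret in environment"` is a quick check before handing a shell to anyone else.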


From: Jagga Soorma <jagga13 at gmail.com>
Date: Wednesday 23 March 2016 at 18:01
To: Tim Bell <Tim.Bell at cern.ch>
Cc: "CARVER, PAUL" <pc2929 at att.com>, openstack <openstack at lists.openstack.org>
Subject: Re: [Openstack] password in clear text

Thanks for your response Tim.  I do have our openstack environment integrated into AD.  I basically am trying to see if there is an alternative to storing the password in clear text in an environment variable.  With kerberos or AD are you saying that we would just get a ticket by authenticating once and then use that ticket somehow for openstack commands?

Thanks.

On Wed, Mar 23, 2016 at 9:17 AM, Tim Bell <Tim.Bell at cern.ch> wrote:

The difficulty with the environment variables is that the administrator of the box you are logged into can read the environment using ps auxwwww.

There has been some work done to support storing all the variables in a file (which would be an environment variable) such that the CLIs read from the file rather than needing it in the environment. This at least minimises the access to the home directory file servers rather than the root admin on the box you are using.

Kerberos is very nice; if you have access to an Active Directory or a local Kerberos server, it’s worth a look.

Tim



On 23/03/16 16:40, "CARVER, PAUL" <pc2929 at att.com> wrote:

>Jagga Soorma wrote:
>
>>Currently when using the openstack api I have to save my password in clear text in
>>the OS_PASSWORD environment variable.  Is there a more secure way to use the
>>openstack api without having to either store this password in clear text or enter the
>>password manually every time I run an openstack command?  Is there some way that
>>I can use a token id?  I have tried but can't seem to get it to work and not sure what
>>else is possible.
>
>If the token will allow you to use services and you store the token in clear text then
>you’ve only managed to rename your password to token without adding any security.
>
>What you need to think about is what are you willing to type and when are you willing
>to type it. I don’t know if anyone has a polished “official” implementation, but a couple
>of options:
>
>1) Configure one of your login scripts to prompt for your OpenStack password and
>    export it rather than putting it directly in a login script.
>
>2) Encrypt your home directory and store your "clear text" password in a file in your
>    encrypted home directory.
>
>3) Put your password in a file on a USB flash drive (in an encrypted file if you want
>    a double layer of security) and create a wrapper script that reads your password
>    from a fixed location on the USB drive when you run a command. (Keep the USB drive
>    in a physical safe when not in use.)
>
>
>_______________________________________________
>Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>Post to     : openstack at lists.openstack.org
>Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
