<div dir="ltr"><br>On Tue, Jan 21, 2014 at 10:23 AM, jeffty <<a href="mailto:wantwatering@gmail.com">wantwatering@gmail.com</a>> wrote:<br>><br>> Me 2:)<br>><br>> Another question, how does customer decrypt the string with his private key?<br>
><br>> It requires that he has an environment with OpenSSL installed?<br><br>Yes, you need OpenSSL inside the Windows instance to encrypt the password and also in the env where you want to decrypt it.<div><br></div>
<div>To encrypt (in Unix notation):</div><div><br><div><div>ssh-keygen -e -m pkcs8 -f <SSH public key> > id_rsa.pub8</div><div>enc_pw=$(echo 'MyRandomPassword' | openssl rsautl -encrypt -inkey id_rsa.pub8 -pubin | openssl enc -base64)<br>
</div><div><br></div><div>To decrypt:</div><div><br></div><div>echo $enc_pw | openssl enc -base64 -d | openssl rsautl -decrypt -inkey <SSH private key></div><div><br></div><div>...Juerg</div><div><br></div><div><br>
</div><br>> On 1/21/2014 3:44 PM, Georgios Dimitrakakis wrote:<br>> > Indeed this is very interesting!<br>> > I would also like to see it if possible!<br>> ><br>> > Best,<br>> ><br>> > G.<br>
> ><br>> > On Tue, 21 Jan 2014 08:22:44 +0100, Joe Topjian wrote:<br>> >> Hi Juerg,<br>> >><br>> >> Thats a really creative way of setting the password. Are you able to<br>> >> share your powershell script?<br>
> >><br>> >> Thanks,<br>> >> Joe<br>> >><br>> >> On Tue, Jan 21, 2014 at 8:15 AM, Juerg Haefliger wrote:<br>> >><br>> >>> On Tue, Jan 21, 2014 at 3:15 AM, jeffty wrote:<br>
> >>>><br>> >>>> Thanks Joe, It really helps.<br>> >>> ><br>> >>>> Will check them to find the proper way.<br>> >>> ><br>> >>>> Thanks.<br>
> >>>><br>> >>>> On 1/19/2014 3:32 PM, Joe Topjian wrote:<br>> >>>> > Hello,<br>> >>>> ><br>> >>>> > Weve used this in the past:<br>> >>>> ><br>
> >>>> > <a href="https://github.com/jordanrinke/openstack">https://github.com/jordanrinke/openstack</a> [2]<br>> >>> > ><br>> >>>> > It allows a user to type in an Administrator password in the<br>
> >>> Post Config<br>> >>>> > text box when launching an instance in Horizon. The password is<br>> >>> then<br>> >>>> > retrieved when Windows first boots via the metadata service.<br>
> >>> > ><br>> >>>> > We stopped using it for two reasons, though:<br>> >>>> ><br>> >>>> > 1. The password was permanently stored in the metadata server<br>
> >>>> > 2. There was no (default) way to let the user know that the<br>> >>> password<br>> >>> > > they chose was not a strong enough password<br>> >>>> ><br>
> >>>> > We now just have users connect to the VNC console and set the<br>> >>> password<br>> >>>> > upon first boot.<br>> >>>> ><br>> >>>> > There have been a few discussions over the past year on the<br>
> >>> > > openstack-operators list about the cloudbase Windows cloud-init<br>> >>> service.<br>> >>>> > I think one or two people have been able to get the password<br>> >>> injection<br>
> >>>> > portion working. It might be worth a shot to search the<br>> >>> archives:<br>> >>> > ><br>> >>>> > <a href="http://www.gossamer-threads.com/lists/openstack/operators/">http://www.gossamer-threads.com/lists/openstack/operators/</a> [3]<br>
> >>>> ><br>> >>>> > Joe<br>> >>>> ><br>> >>>> ><br>> >>> > > On Sun, Jan 19, 2014 at 4:21 AM, jeffty > > wrote:<br>> >>>> ><br>
> >>>> > Thanks Jacob.<br>> >>>> ><br>> >>>> > Is there any openstack API guide for send instance<br>> >>> password while<br>> >>> > > launch it?<br>
> >>>> ><br>> >>>> > Thanks.<br>> >>>> ><br>> >>>> > On 1/19/2014 11:08 AM, Jacob Godin wrote:<br>> >>>> > > Yes, they must input a password every time. Its within<br>
> >>> Windows, they<br>> >>> > > > must use the console.<br>> >>>> > ><br>> >>>> > > Sent from my mobile device<br>> >>>> > ><br>
> >>>> > > On Jan 18, 2014 10:51 PM, "jeffty" ><br>> >>>> > > ><br>> >>> > > wrote:<br>> >>>> > ><br>> >>>> > > Thanks Jacob.<br>
> >>>> > ><br>> >>>> > > Then the user must input a password for every<br>> >>> windows instance he<br>> >>>> > > launched?<br>
> >>> > > ><br>> >>>> > > In other word different instance owns different<br>> >>> password even<br>> >>>> > they are<br>> >>>> > > launched at the same time? e.g. Input 3 while<br>
> >>> launching<br>> >>>> > instance in<br>> >>> > > > Horizon portal for this windows image.<br>> >>>> > ><br>> >>>> > > If yes, how to send this password to the instance<br>
> >>> in portal?<br>> >>>> > That should<br>> >>>> > > be implemented by meta service.<br>> >>> > > ><br>> >>>> > > If no, all of the instances have the same default<br>
> >>> password, right?<br>> >>>> > ><br>> >>>> > ><br>> >>>> > > On 1/19/2014 10:02 AM, Jacob Godin wrote:<br>> >>> > > > > Weve used sysprep to have the administrator<br>
> >>> provide a password<br>> >>>> > > when the<br>> >>>> > > > instance is first booted.<br>> >>>> > ><br>> >>><br>
> >>> We use a simple powershell script that generates a random<br>> >>> Administrator password on first boot, pulls the SSH key from the<br>> >>> metadata server, encrypts the password with the key and writes the<br>
> >>> encrypted password to the serial port.<br>> >>><br>> >>> The user retrieves the encrypted password through the nova<br>> >>> console-log and decrypts it with his private key. The image is setup<br>
> >>> such that the user is prompted to change the (random) password the<br>> >>> first time he logs into the instance.<br>> >>><br>> >>> ...Juerg<br>> >>><br>> >>>> ><br>
> >>>> > _______________________________________________<br>> >>>> > Mailing list:<br>> >>>> ><br>> >>> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a> [10]<br>
> >>> > > Post to : <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a> [11]<br>> >>>> ><br>> >>> > > Unsubscribe :<br>> >>>> ><br>
> >>> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a> [13]<br>> >>>> ><br>> >>>> ><br>
> >>> ><br>> >>>><br>> >>> > _______________________________________________<br>> >>>> Mailing list:<br>> >>> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a> [14]<br>
> >>> > Post to : <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a> [15]<br>> >>> > Unsubscribe :<br>> >>> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a> [16]<br>
> >><br>> >><br>> >><br>> >> Links:<br>> >> ------<br>> >> [1] mailto:<a href="mailto:wantwatering@gmail.com">wantwatering@gmail.com</a><br>> >> [2] <a href="https://github.com/jordanrinke/openstack">https://github.com/jordanrinke/openstack</a><br>
> >> [3] <a href="http://www.gossamer-threads.com/lists/openstack/operators/">http://www.gossamer-threads.com/lists/openstack/operators/</a><br>> >> [4] mailto:<a href="mailto:wantwatering@gmail.com">wantwatering@gmail.com</a><br>
> >> [5] mailto:<a href="mailto:wantwatering@gmail.com">wantwatering@gmail.com</a><br>> >> [6] mailto:<a href="mailto:wantwatering@gmail.com">wantwatering@gmail.com</a><br>> >> [7] mailto:<a href="mailto:wantwatering@gmail.com">wantwatering@gmail.com</a><br>
> >> [8] mailto:<a href="mailto:wantwatering@gmail.com">wantwatering@gmail.com</a><br>> >> [9] mailto:<a href="mailto:wantwatering@gmail.com">wantwatering@gmail.com</a><br>> >> [10] <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
> >> [11] mailto:<a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>> >> [12] mailto:<a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>> >> [13] <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
> >> [14] <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>> >> [15] mailto:<a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
> >> [16] <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>> >> [17] mailto:<a href="mailto:juergh@gmail.com">juergh@gmail.com</a><br>
> ><br>><br>><br>> _______________________________________________<br>> Mailing list: <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
> Post to : <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>> Unsubscribe : <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a></div>
</div></div>