Hello all and thanks all for the help, documents and replies.
I added the retrieve password, created SSH key. At first I tried with ECDSA, but later I figured out it should be RSA.
Now I'm able to get the password both from horizon and cli.
Thanks all for the suggestion.
Regards, Ahmad
On Tue, Oct 14, 2025 at 9:01 PM Ahmad Milad Pour <miladpourahmad94@gmail.com> wrote:
Hello there and thanks all.
Regarding Dmitriy Rabotyagov, I read your suggestion but I was on my mobile and was not able to test.
I'll try your way and get back to you if it worked or I wasn't able to implement it correctly.
I read all the emails and figured out very useful information.
Regards, Ahmad
On Tue, Oct 14, 2025 at 7:59 PM Sean Mooney <smooney@redhat.com> wrote:
On 14/10/2025 17:26, Sean Mooney wrote:
On 14/10/2025 17:07, Dmitriy Rabotyagov wrote:
Hi Ahmad,
I replied in another thread, which suggested not to use metadata at all, as it's not designed to store or transmit passwords at all, especially in light of https://wiki.openstack.org/wiki/OSSN/OSSN-0074. But likely you have not received it.
But I think there is actually a safe way (which is still discouraged in general) of having a password auth on login through os-server-password API in Nova:
https://docs.openstack.org/api-ref/compute/#servers-password-servers-os-serv...
Though, it would need a modification of all images, or supplying more metadata to them.
1. You'd need to have a script like this: https://paste.openstack.org/show/bn7fIrRf8Olkni9cI4QT/
2. Add to cloud.cfg: https://paste.openstack.org/show/b1kcVmdbkWC2OUZL9yg3/
3. In Horizon local_settings add "OPENSTACK_ENABLE_PASSWORD_RETRIEVE = True"
What this flow will do:
1. A random password is being generated and set for user `clouduser`
2. A password is being encrypted with public part of SSH key, which you supplied for instance
3. Encrypted version of the password is sent back to the metadata
4. In horizon you can fetch the password from the metadata and decrypt it using your SSH private key
I'd suggest to additionally modify the script/image to expire the password after the first login, as well as to prohibit password auth via SSH.
But I can totally get why password auth might be valuable, especially in cases where instances get misconfigured and need to have a way to login via console.
yes so this is a mostly undocumented feature that was implemented specifically for windows guests in cloudbase-init
it does however work for any instance as long as you have a first boot script that can generate the password and post it back to the metadata endpoint encrypted via the public key
the openstack client supports decrypting the password with your ssh private key locally to print it in plain text.
the final way to set a password is via the qemu guest agent. if you have the qemu guest agent installed you can use the nova api to set the admin password on the Administrator or root user depending on if its windows or linux.
using ssh keys or x509 certs is still the preferred way to access a guest but you can do it other ways even if they are less secure.
this is the api that is used to set the admin password for a server
https://docs.openstack.org/api-ref/compute/#change-administrative-password-c...
again that requires the qemu guest agent to be installed in the guest image for it to work so you still have to modify your images but that at least is typically installed in most cloud images by default.
On Tue, 14 Oct 2025 at 17:44, Ahmad Milad Pour <miladpourahmad94@gmail.com> wrote:
Hello Hamid,
Thanks for the reply. I know this way, but I'm looking for another way to pass the password as metadata.
Do you know any other ways?
Regards, Ahmad
On Tue, Oct 14, 2025 at 1:50 PM <hamid.lotfi@gmail.com> wrote:
Hi Ahmad,
When creating an instance in OpenStack, you can use the --user-data option to pass a cloud-init configuration file to the instance at boot time. This file allows you to automate initial setup tasks such as setting a user password, configuring the timezone, installing packages, or running custom scripts.
https://docs.openstack.org/nova/2024.1/user/metadata.html#user-data
Example:
cloud-init.yml
=============
#cloud-config
timezone: Asia/Tehran
user: ahmad
password: ahmad
chpasswd: { expire: False }
ssh_pwauth: True

Create Instance:
openstack server create --image ubuntu-x86_64 --flavor ubuntu --network internal --user-data cloud-init.yml vm1
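
Added example, not part of the thread or of any participant's script: the password-retrieve flow discussed above encrypts the generated password with the instance's SSH public key, which is why the ECDSA keypair failed and RSA worked. This pre-flight check parses an OpenSSH public key line and reports whether it is an RSA key. The function names, the sample keys and the 2048-bit minimum are assumptions of this example.

```python
import base64
import struct

def _read_string(blob, off):
    """Read one SSH wire 'string': 4-byte big-endian length, then the bytes."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[off:off + 4])
    if off + 4 + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:off + 4 + length], off + 4 + length

def check_pubkey(line, min_bits=2048):
    """Return (usable, reason). min_bits is this example's assumption."""
    fields = line.split()
    if len(fields) < 2:
        return False, "not an OpenSSH public key line"
    try:
        blob = base64.b64decode(fields[1], validate=True)
        key_type, off = _read_string(blob, 0)
        if key_type.decode("ascii", "replace") != fields[0]:
            return False, "key type prefix does not match the key blob"
        if fields[0] != "ssh-rsa":
            return False, fields[0] + " is not RSA, so it cannot encrypt the password"
        _exponent, off = _read_string(blob, off)
        modulus, off = _read_string(blob, off)
    except ValueError as exc:  # also covers binascii.Error from bad base64
        return False, "malformed key: " + str(exc)
    bits = int.from_bytes(modulus, "big").bit_length()
    if bits < min_bits:
        return False, "RSA modulus is only %d bits" % bits
    return True, "RSA %d bits" % bits

# --- constructed sample keys (structurally valid, not real key material) ---
def _wire(data):
    return struct.pack(">I", len(data)) + data

def _mpint(value):
    # One spare byte keeps the integer positive when its top bit is set.
    return _wire(value.to_bytes(value.bit_length() // 8 + 1, "big"))

def sample_line(key_type, *parts):
    blob = _wire(key_type.encode()) + b"".join(parts)
    return key_type + " " + base64.b64encode(blob).decode() + " constructed@example"

RSA_2048 = sample_line("ssh-rsa", _mpint(65537), _mpint((1 << 2047) | 1))
RSA_1024 = sample_line("ssh-rsa", _mpint(65537), _mpint((1 << 1023) | 1))
ECDSA = sample_line("ecdsa-sha2-nistp256", _wire(b"nistp256"), _wire(b"\x04" + bytes(64)))

if __name__ == "__main__":
    for line in (RSA_2048, RSA_1024, ECDSA):
        print(check_pubkey(line))
```

Running the check against the public key file before booting an instance with that keypair catches the wrong key type before the encrypted password ever reaches the metadata service.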