Hello there and thanks all.

Regarding Dmitriy Rabotyagov, I read your suggestion but I was on my mobile and was not able to test. I'll try your way and get back to you on whether it worked or I wasn't able to implement it correctly.

I read all the emails and figured out very useful information.

Regards,
Ahmad

On Tue, Oct 14, 2025 at 7:59 PM Sean Mooney <smooney@redhat.com> wrote:
On 14/10/2025 17:26, Sean Mooney wrote:
>
> On 14/10/2025 17:07, Dmitriy Rabotyagov wrote:
>> Hi Ahmad,
>>
>> I replied in another thread, which suggested not using metadata at
>> all, as it is not designed to store or transmit passwords,
>> especially in light of https://wiki.openstack.org/wiki/OSSN/OSSN-0074
>> But you have likely not received it.
>>
>> But I think there is actually a safe way (which is still discouraged
>> in general) of having password auth on login
>> through the os-server-password API in Nova:
>> https://docs.openstack.org/api-ref/compute/#servers-password-servers-os-server-password
>>
>>
>> Though it would need a modification of all images, or supplying more
>> metadata to them.
>>
>> 1. You'd need to have a script like this:
>> https://paste.openstack.org/show/bn7fIrRf8Olkni9cI4QT/
>> 2. Add to cloud.cfg:
>> https://paste.openstack.org/show/b1kcVmdbkWC2OUZL9yg3/
>> 3. In Horizon local_settings add "OPENSTACK_ENABLE_PASSWORD_RETRIEVE
>> = True"
>>
>> What this flow will do:
>> 1. A random password is generated and set for user `clouduser`
>> 2. The password is encrypted with the public part of the SSH key
>> you supplied for the instance
>> 3. The encrypted version of the password is sent back to the metadata
>> 4. In Horizon you can fetch the password from the metadata and
>> decrypt it using your SSH private key
>>
>> I'd suggest additionally modifying the script/image to expire the
>> password after the first login, as well as prohibiting password auth
>> via SSH.
>>
>> But I can totally get why password auth might be valuable, especially
>> in cases where an instance gets misconfigured and needs to have a way
>> to log in via the console.
>
> yes so this is a mostly undocumented feature that was implemented
> specifically for Windows guests in cloudbase-init
>
> it does however work for any instance as long as you have a first boot
> script that can generate the password and post it back to the metadata
> endpoint, encrypted with the public key
>
> the openstack client supports decrypting the password with your ssh
> private key locally to print it in plain text.
>
> the final way to set a password is via the qemu guest agent.
> if you have the qemu guest agent installed you can use the nova api to
> set the admin password on the Administrator or root user depending
> on whether it's Windows or Linux.
>
>
> using ssh keys or x509 certs is still the preferred way to access a
> guest but you can do it other ways even if they are less secure.
this is the api that is used to set the admin password for a server
https://docs.openstack.org/api-ref/compute/#change-administrative-password-changepassword-action
again that requires the qemu guest agent to be installed in the guest
image for it to work, so you still have to modify your images, but
that at least is typically installed in most cloud images by default.
>
>>
>> Tue, 14 Oct 2025 at 17:44, Ahmad Milad Pour
>> <miladpourahmad94@gmail.com>:
>>
>> Hello Hamid,
>>
>> Thanks for the reply. I know this way, but I'm looking for another
>> way to pass the password as metadata.
>>
>> Do you know any other ways?
>>
>> Regards,
>> Ahmad
>>
>> On Tue, Oct 14, 2025 at 1:50 PM <hamid.lotfi@gmail.com> wrote:
>>
>> Hi Ahmad,
>> When creating an instance in OpenStack, you can use the
>> --user-data option to pass a cloud-init configuration file to
>> the instance at boot time. This file allows you to automate
>> initial setup tasks such as setting a user password,
>> configuring the timezone, installing packages, or running
>> custom scripts.
>>
>> https://docs.openstack.org/nova/2024.1/user/metadata.html#user-data
>>
>> Example:
>> cloud-init.yml
>> =============
>> #cloud-config
>> timezone: Asia/Tehran
>> user: ahmad
>> password: ahmad
>> chpasswd: { expire: False }
>> ssh_pwauth: True
>>
>> Create Instance:
>> openstack server create --image ubuntu-x86_64 --flavor ubuntu \
>>     --network internal --user-data cloud-init.yml vm1
>>
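The difference between the two approaches in the thread, as an added example that is not code from the thread, from Nova or from cloudbase-init: the cloud-config just shown puts a fixed plaintext password into user-data, which any process on the instance can read back from the unauthenticated metadata service, while the os-server-password flow Dmitriy outlined only ever hands Nova ciphertext. The script below runs that flow end to end locally with openssl: generate a random password, encrypt it to the instance's public key, and decrypt it with the private key the way `nova get-password` does. Assumptions, not taken from the thread: the ciphertext format (RSA PKCS#1 v1.5, base64-encoded, which is what rsautl-style decryption expects) and the metadata POST URL held in METADATA_PASSWORD_URL; the keypair is generated on the spot to stand in for the one passed with --key-name, and post_to_metadata is defined but never called here.

```shell
#!/usr/bin/env bash
# Added example (not from the thread, Nova or cloudbase-init): the
# os-server-password flow run locally so it can be tried offline.
# Assumptions, labelled here: Nova expects RSA PKCS#1 v1.5 ciphertext
# of the password, base64-encoded, POSTed to METADATA_PASSWORD_URL.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
METADATA_PASSWORD_URL="${METADATA_PASSWORD_URL:-http://169.254.169.254/openstack/latest/password}"

# Stand-in for the keypair you would have passed with --key-name. On a
# real instance the public half arrives via metadata in OpenSSH format;
# `ssh-keygen -e -m PKCS8 -f id_rsa.pub` converts it to the PEM used here.
make_demo_keypair() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/id_rsa.pem" 2>/dev/null
    openssl pkey -in "$WORK/id_rsa.pem" -pubout \
        -out "$WORK/id_rsa.pub.pem" 2>/dev/null
}

# Step 1 of the flow: a random password, never a fixed string in user-data.
# 12 random bytes as 24 hex characters: 96 bits, no shell- or
# chpasswd-hostile characters.
generate_password() {
    openssl rand -hex 12
}

# Step 2: encrypt the password to the instance's public key so only the
# private-key holder can read it; output is single-line base64.
encrypt_password() {  # $1 = password, $2 = PEM public key
    printf '%s' "$1" | openssl pkeyutl -encrypt -pubin -inkey "$2" \
        | openssl base64 -A
}

# Step 3: what the first-boot script would send to Nova. Kept as a
# separate function so the rest of the example runs without a metadata
# service; the URL is an assumption (see lead-in).
post_to_metadata() {  # $1 = base64 ciphertext
    curl -fsS -X POST --data-binary "$1" "$METADATA_PASSWORD_URL"
}

# Step 4: what `nova get-password <server> <private-key>` does on your
# workstation: base64-decode, then decrypt with your private key.
decrypt_password() {  # $1 = base64 ciphertext, $2 = PEM private key
    printf '%s' "$1" | openssl base64 -d -A | openssl pkeyutl -decrypt -inkey "$2"
}

# Run the loop locally; returns 0 only if the round trip matches and the
# value that would leave the instance is not the password itself.
demo_roundtrip() {
    make_demo_keypair
    local pw enc dec
    pw="$(generate_password)"
    enc="$(encrypt_password "$pw" "$WORK/id_rsa.pub.pem")"
    dec="$(decrypt_password "$enc" "$WORK/id_rsa.pem")"
    [ "$enc" != "$pw" ] && [ "$dec" = "$pw" ]
}

demo_roundtrip && echo "round trip ok: only ciphertext would reach the metadata service"
```

To wire this into the image, the first-boot script would call generate_password, set it with chpasswd, then call encrypt_password with the public key fetched from metadata and pass the result to post_to_metadata; combine that with the expiry-on-first-login and no-SSH-password-auth settings suggested above so the value is single-use and console-only.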