[openstack-dev] [Nova] [Spec freeze exception] Keypair support for X509 public key certificates

Alessandro Pilotti apilotti at cloudbasesolutions.com
Sat Jul 19 00:19:28 UTC 2014


Hi everyone,

I’d like to propose the following Nova blueprint spec for an exception:

https://review.openstack.org/#/c/105034

Nova keypairs are mostly used by Linux guests to handle user authentication via
SSH public key authentication without incurring the management and security
overhead that passwords require.

Public keys are provided to the guests as part of the metadata and included in
the guest configuration by tools like cloud-init.

Windows operating systems don't natively support SSH, and thus authentication
requires the use of passwords unless the image deployer chooses to include a
third-party, unsupported SSH service port, which implies incurring potential
security and support issues.

Windows natively supports password-less authentication for WinRM by using X509
certificates in place of SSH keys, including PowerShell remoting, as detailed
here: http://www.cloudbase.it/windows-without-passwords-in-openstack/

From a practical perspective, X509 certificates are used by WinRM in a way
which can be considered consistent with the usage of SSH keys on Linux, as both
are based on public / private keypairs. For simplicity, since WinRM can be
configured to accept self-signed certificates, we will omit the implications
of certificate chain validation.

While Nova currently supports SSH keypairs only, the API can be extended to
support X509 certificates while maintaining full backwards compatibility.

The implementation is complete and ready to be submitted for review
as soon as the blueprint is approved.

Thanks,

Alessandro
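As an added example (not code from the spec, from Nova, or from the author), a Python sketch of the backwards-compatible dispatch the post describes: a keypair import path that accepts either an OpenSSH public key or a PEM X509 certificate, detects which one it was given, validates it, and computes a fingerprint. The type names, the fingerprint choices (MD5 over the SSH blob, SHA-1 over the DER certificate), and the sample inputs are assumptions made for this example.

```python
import base64
import hashlib
import struct
# Assumed type names for the extended keypair API (my assumption, not Nova's).
KEYPAIR_TYPE_SSH, KEYPAIR_TYPE_X509 = "ssh", "x509"
PEM_HEADER, PEM_FOOTER = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def _colon_hex(digest_hex: str) -> str:
    return ":".join(digest_hex[i:i + 2] for i in range(0, len(digest_hex), 2))

def classify_public_key(public_key: str) -> tuple[str, str]:
    """Return (keypair_type, fingerprint) for an OpenSSH key or a PEM certificate;
    raise ValueError for anything else so the API can reject it up front."""
    text = public_key.strip()
    if text.startswith(PEM_HEADER):
        if not text.endswith(PEM_FOOTER):
            raise ValueError("malformed PEM certificate")
        body = text[len(PEM_HEADER):-len(PEM_FOOTER)]
        der = base64.b64decode("".join(body.split()), validate=True)
        # A DER certificate is an ASN.1 SEQUENCE (tag 0x30); only the outer tag is checked.
        if not der or der[0] != 0x30:
            raise ValueError("PEM body is not a DER SEQUENCE")
        return KEYPAIR_TYPE_X509, _colon_hex(hashlib.sha1(der).hexdigest())
    # OpenSSH one-line format: "<type> <base64 blob> [comment]".
    parts = text.split()
    if len(parts) < 2:
        raise ValueError("malformed SSH public key")
    blob = base64.b64decode(parts[1], validate=True)
    if len(blob) < 4:
        raise ValueError("SSH key blob too short")
    # The blob's first SSH string field must repeat the declared key type.
    (length,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + length] != parts[0].encode("ascii", "replace"):
        raise ValueError("SSH key blob does not match declared type")
    return KEYPAIR_TYPE_SSH, _colon_hex(hashlib.md5(blob).hexdigest())

def is_valid_public_key(public_key: str) -> bool:
    try:
        classify_public_key(public_key)
        return True
    except ValueError:
        return False

def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data

# Constructed samples (not real keys): a well-formed ssh-rsa blob with toy e and n, and
# a minimal DER SEQUENCE standing in for a certificate body.
SAMPLE_SSH_KEY = "ssh-rsa " + base64.b64encode(_ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
                                               + _ssh_string(b"\x00\xc0\xff\xee")).decode() + " demo@example"
SAMPLE_X509_PEM = "\n".join([PEM_HEADER, base64.b64encode(b"\x30\x03\x02\x01\x01").decode(), PEM_FOOTER])
```

Existing clients that send only an SSH key keep working unchanged, since the SSH branch is the default; only inputs that begin with a PEM certificate header take the new path.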