[openstack-dev] Supporting SSH host certificates

Jeremy Stanley fungi at yuggoth.org
Fri Oct 6 19:35:04 UTC 2017

On 2017-10-06 13:49:43 -0500 (-0500), Giuseppe de Candia wrote:
> Isn't user-data by definition available via the Metadata API,
> which isn't considered secure:
> https://wiki.openstack.org/wiki/OSSN/OSSN-0074

It depends on who you are. If you're the one deploying/running nova
then you can take steps to make sure you set the environment up
correctly so that won't be a problem.

The background on OSSN-0074 is that if you mis-configure the
metadata service or do a bad job designing the network it's on, then
unauthorized users can get access to others' metadata. The OSSN is
sensationalizing the matter in an effort to get those deploying or
using OpenStack to take notice and double-check their settings and
network design, but the fundamental disconnect is that if you enable
use_forwarded_for in the config then you'd better have an actual
proxy fronting the service which (as they usually do) removes or
rewrites any X-Forwarded-For header to its own IP address. This is
basic network operations knowledge, but not everyone running
OpenStack is careful to consider the consequences of accidentally
enabling a "feature" they're not relying on.

See https://launchpad.net/bugs/1563954 for the gory details.
Jeremy Stanley
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 949 bytes
Desc: Digital signature
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20171006/14d2caec/attachment.sig>

More information about the OpenStack-dev mailing list