Open Stack

Ok, sorry for my lack of knowledge of windows + passwords.

Windows passwords are based on a hashed format correct (LM or NTLM?).
Would it be possible to send this as user-data over the metadata service
(either via the webservice or the cfg-drive), then provide a way to get
that hash into the windows security service (not sure what its called).
Even though this hash might be viewable a hash shouldn't be easily cracked
(assuming good password choosing here).

If that¹s not the case, I think others were proposing of methods to get
more 'data' on the config-drive, which it seems like yours is a case of
(although I'm not sure if the cfg-drive should be 'r/w', but this can just
be a option). Would u want to take that on with your proposal as well?

Something that removes the restrictions of 'inject_data_into_fs' and
instead could just be a set of simple modular classes that can be given a
instance + metadata for that instance and a mount location and can write
in whatever format they want. I could see there being a
'LegacyFilesystemInjector' that writes the current format to a filesystem,
a 'ConfigDriveInjector' and a subclass of the later to handle your case.
The injector to use could be another plugin (with the given 2 stated being
included by default in openstack).

Thoughts?

On 10/31/12 7:04 PM, "Lars Kellogg-Stedman" <lars at seas.harvard.edu> wrote:

>On Wed, Oct 31, 2012 at 06:17:29PM -0700, Joshua Harlow wrote:
>> Just fyi, the cloud-init format 'spec' has something similar that
>>bypasses
>> the file injection (which is a bad/insecure/incompatible concept that
>> needs to be gotten rid of imho) by having the following syntax it
>> understands:
>> 
>> 
>>http://bazaar.launchpad.net/~cloud-init-dev/cloud-init/trunk/view/head:/d
>>oc
>> /examples/cloud-config-user-groups.txt
>
>The cloud-init stuff works via the user-data attribute available from
>the metadata server.  This makes it unsuitable for security
>credentials, since *anyone* on the instance can query the metadata
>server.
>
>Injection via files on a configuration disk seems to me the best way
>to handle security credentials like this, because disks in many cases
>require privileges to mount on a system and the configuration script
>can delete the credentials file after processing it.
>
>> Is there anyway a windows version of cloud-init could be done, either
>> ported, or patched, or a service like cloud-init could be added to
>>windows
>> images (using a startup program in the windows image that could just be
>>a
>> call-out to a python interpreter or something different...).
>
>As I said, this is pretty much what we're doing to provision an ssh
>key for administrator access to our windows host.
>
>-- 
>Lars Kellogg-Stedman <lars at seas.harvard.edu>  |
>Senior Technologist                           |
>http://ac.seas.harvard.edu/
>Academic Computing                            |
>http://code.seas.harvard.edu/
>Harvard School of Engineering                 |
>  and Applied Sciences                        |
>