[Openstack] Handling of adminPass is arguably broken (essex)

Bryan D. Payne bdpayne at acm.org
Thu Nov 1 15:41:18 UTC 2012


> The best idea I've heard for a secure Windows password
> is the following:
>
> a) put a public key on the instance via metadata or config drive (for ease of use this could actually just be the SSH public key you normally use for logging into the VM).
> b) have a daemon in the Windows instance that:
>  * generates a random password
>  * sets the administrator password to the random password
>  * encrypts it with the public key
>  * serves the encrypted password over HTTPS on a known port (say 9999)
> c) open up port (9999) in the instance's security group
> d) retrieve the encrypted password and decrypt it
> e) close port (9999) in the instance's security group

+1 for this.

As a side note, there's probably work to be done to ensure that the
instance actually has good entropy and can create a truly random
password.  Nevertheless, this entropy problem could be solved
separately from what Vish describes above.

-bryan
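
The encrypt-and-retrieve exchange from steps (a), (b) and (d) of the quoted proposal, as an added example that is not part of the original message or of OpenStack's code. It assumes the OpenSSL command-line tool, a throwaway RSA key pair standing in for the user's key, and RSA-OAEP padding; the function names are hypothetical, and the HTTPS transport and security-group steps are left out.

```shell
#!/bin/sh
# Added example: password hand-off via a public key, both sides in one file.
# Function names, key size and padding choice are assumptions for the demo.
set -eu

# Instance side: random password from the OpenSSL CSPRNG.
# 18 random bytes encode to 24 base64 characters (144 bits). The result is
# only as good as the entropy available to the instance's random source.
gen_password() {
    openssl rand -base64 18
}

# Instance side: encrypt stdin to the public key ($1, PEM) with RSA-OAEP and
# emit one base64 line, suitable for serving as text.
encrypt_password() {
    openssl pkeyutl -encrypt -pubin -inkey "$1" \
        -pkeyopt rsa_padding_mode:oaep | openssl base64 -A
}

# User side: decode the base64 line on stdin and decrypt it with the
# matching private key ($1, PEM). Exits non-zero on a wrong key.
decrypt_password() {
    openssl base64 -d -A | openssl pkeyutl -decrypt -inkey "$1" \
        -pkeyopt rsa_padding_mode:oaep
}

# Throwaway 2048-bit key pair written into directory $1 (constructed data).
make_demo_keys() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/priv.pem" 2>/dev/null
    openssl pkey -in "$1/priv.pem" -pubout -out "$1/pub.pem"
}

# Full exchange: succeeds only if the user recovers exactly the password the
# instance generated and the served blob is not the plaintext.
demo_roundtrip() {
    dir=$(mktemp -d)
    make_demo_keys "$dir"
    pw=$(gen_password)
    blob=$(printf '%s' "$pw" | encrypt_password "$dir/pub.pem")
    out=$(printf '%s' "$blob" | decrypt_password "$dir/priv.pem")
    rm -rf "$dir"
    [ "$out" = "$pw" ] && [ "$blob" != "$pw" ]
}

if demo_roundtrip; then echo "round trip ok"; fi
```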



