[Openstack] [Nova] What is the correct way to provide Windows instance password for user?

Juerg Haefliger juergh at gmail.com
Tue Jan 21 11:08:25 UTC 2014


On Tue, Jan 21, 2014 at 10:23 AM, jeffty <wantwatering at gmail.com> wrote:
>
> Me 2:)
>
> Another question, how does customer decrypt the string with his private key?
>
> It requires that he has an environment with OpenSSL installed?

Yes, you need OpenSSL inside the Windows instance to encrypt the password
and also in the env where you want to decrypt it.

To encrypt (in Unix notation):

ssh-keygen -e -m pkcs8 -f <SSH public key> > id_rsa.pub8
enc_pw=$(echo 'MyRandomPassword' | openssl rsautl -encrypt -inkey id_rsa.pub8 -pubin | openssl enc -base64)

To decrypt:

echo "$enc_pw" | openssl enc -base64 -d | openssl rsautl -decrypt -inkey <SSH private key>

...Juerg



> On 1/21/2014 3:44 PM, Georgios Dimitrakakis wrote:
> > Indeed this is very interesting!
> > I would also like to see it if possible!
> >
> > Best,
> >
> > G.
> >
> > On Tue, 21 Jan 2014 08:22:44 +0100, Joe Topjian wrote:
> >> Hi Juerg,
> >>
> >> That's a really creative way of setting the password. Are you able to
> >> share your powershell script?
> >>
> >> Thanks,
> >> Joe
> >>
> >> On Tue, Jan 21, 2014 at 8:15 AM, Juerg Haefliger wrote:
> >>
> >>> On Tue, Jan 21, 2014 at 3:15 AM, jeffty wrote:
> >>>>
> >>>> Thanks Joe, It really helps.
> >>>>
> >>>> Will check them to find the proper way.
> >>>>
> >>>> Thanks.
> >>>>
> >>>> On 1/19/2014 3:32 PM, Joe Topjian wrote:
> >>>> > Hello,
> >>>> >
> >>>> > We've used this in the past:
> >>>> >
> >>>> > https://github.com/jordanrinke/openstack [2]
> >>>> >
> >>>> > It allows a user to type in an Administrator password in the Post Config
> >>>> > text box when launching an instance in Horizon. The password is then
> >>>> > retrieved when Windows first boots via the metadata service.
> >>>> >
> >>>> > We stopped using it for two reasons, though:
> >>>> >
> >>>> > 1. The password was permanently stored in the metadata server
> >>>> > 2. There was no (default) way to let the user know that the password
> >>>> >    they chose was not a strong enough password
> >>>> >
> >>>> > We now just have users connect to the VNC console and set the password
> >>>> > upon first boot.
> >>>> >
> >>>> > There have been a few discussions over the past year on the
> >>>> > openstack-operators list about the cloudbase Windows cloud-init service.
> >>>> > I think one or two people have been able to get the password injection
> >>>> > portion working. It might be worth a shot to search the archives:
> >>>> >
> >>>> > http://www.gossamer-threads.com/lists/openstack/operators/ [3]
> >>>> >
> >>>> > Joe
> >>>> >
> >>>> >
> >>>> > On Sun, Jan 19, 2014 at 4:21 AM, jeffty wrote:
> >>>> >
> >>>> >     Thanks Jacob.
> >>>> >
> >>>> >     Is there any openstack API guide for send instance password while
> >>>> >     launch it?
> >>>> >
> >>>> >     Thanks.
> >>>> >
> >>>> >     On 1/19/2014 11:08 AM, Jacob Godin wrote:
> >>>> >     > Yes, they must input a password every time. It's within Windows, they
> >>>> >     > must use the console.
> >>>> >     >
> >>>> >     > Sent from my mobile device
> >>>> >     >
> >>>> >     > On Jan 18, 2014 10:51 PM, "jeffty" wrote:
> >>>> >     >
> >>>> >     >     Thanks Jacob.
> >>>> >     >
> >>>> >     >     Then the user must input a password for every windows instance he
> >>>> >     >     launched?
> >>>> >     >
> >>>> >     >     In other words different instance owns different password even they are
> >>>> >     >     launched at the same time? e.g. Input 3 while launching instance in
> >>>> >     >     Horizon portal for this windows image.
> >>>> >     >
> >>>> >     >     If yes, how to send this password to the instance in portal? That should
> >>>> >     >     be implemented by meta service.
> >>>> >     >
> >>>> >     >     If no, all of the instances have the same default password, right?
> >>>> >     >
> >>>> >     >
> >>>> >     >     On 1/19/2014 10:02 AM, Jacob Godin wrote:
> >>>> >     >     > We've used sysprep to have the administrator provide a password when the
> >>>> >     >     > instance is first booted.
> >>>> >     >
> >>>
> >>> We use a simple powershell script that generates a random
> >>> Administrator password on first boot, pulls the SSH key from the
> >>> metadata server, encrypts the password with the key and writes the
> >>> encrypted password to the serial port.
> >>>
> >>> The user retrieves the encrypted password through the nova
> >>> console-log and decrypts it with his private key. The image is set up
> >>> such that the user is prompted to change the (random) password the
> >>> first time he logs into the instance.
> >>>
> >>> ...Juerg
> >>>
> >>>> >
> >>>> >     _______________________________________________
> >>>> >     Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack [10]
> >>>> >     Post to     : openstack at lists.openstack.org [11]
> >>>> >     Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack [13]
> >>>> >
> >>>> >
> >>>>
> >>
> >>
> >>
> >> Links:
> >> ------
> >> [1] mailto:wantwatering at gmail.com
> >> [2] https://github.com/jordanrinke/openstack
> >> [3] http://www.gossamer-threads.com/lists/openstack/operators/
> >> [4] mailto:wantwatering at gmail.com
> >> [5] mailto:wantwatering at gmail.com
> >> [6] mailto:wantwatering at gmail.com
> >> [7] mailto:wantwatering at gmail.com
> >> [8] mailto:wantwatering at gmail.com
> >> [9] mailto:wantwatering at gmail.com
> >> [10] http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> >> [11] mailto:openstack at lists.openstack.org
> >> [12] mailto:openstack at lists.openstack.org
> >> [13] http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> >> [14] http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> >> [15] mailto:openstack at lists.openstack.org
> >> [16] http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> >> [17] mailto:juergh at gmail.com
> >
>
>
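
The scheme described in this thread (random password encrypted to the user's SSH public key, written to the serial console, recovered from the console log), as an added example that is not part of the original message and is not the poster's PowerShell script. It goes slightly beyond the commands above by framing the ciphertext so it can be located in console output. Assumptions: the marker lines, function names, sample passwords and the throwaway key generated with openssl are constructed, and openssl pkeyutl is used in place of rsautl, which OpenSSL 3.0 deprecates.

```shell
#!/bin/sh
# Added example. Marker lines, names and sample data are constructed.
BEGIN_MARK='-----BEGIN ENCRYPTED PASSWORD-----'
END_MARK='-----END ENCRYPTED PASSWORD-----'

# Instance side: encrypt $2 to the PKCS8 public key in file $1 and frame the
# base64 so it can be found again in console output. printf avoids encrypting
# the trailing newline that echo would append to the password.
emit_password() {
    echo "$BEGIN_MARK"
    printf '%s' "$2" | openssl pkeyutl -encrypt -pubin -inkey "$1" |
        openssl enc -base64
    echo "$END_MARK"
}

# User side: read console output on stdin, strip the CRs a serial console
# adds, keep the last complete framed block, decode and decrypt with key $1.
recover_password() {
    tr -d '\r' |
    awk -v b="$BEGIN_MARK" -v e="$END_MARK" '
        $0 == b { buf = ""; grab = 1; next }
        $0 == e { if (grab) last = buf; grab = 0; next }
        grab    { buf = buf $0 "\n" }
        END     { printf "%s", last }' |
    openssl enc -base64 -d | openssl pkeyutl -decrypt -inkey "$1"
}

# Round trip against a constructed console log with CRLF line endings.
demo() {
    dir=$(mktemp -d) || return 1
    openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null
    # Same format that "ssh-keygen -e -m pkcs8" produces from an SSH public key.
    openssl rsa -in "$dir/key.pem" -pubout -out "$dir/key.pub8" 2>/dev/null
    {
        echo 'Booting from hard disk...'
        emit_password "$dir/key.pub8" 'OldPassword'
        echo 'Rebooting...'
        emit_password "$dir/key.pub8" 'MyRandomPassword'
        echo 'Boot complete'
    } | awk '{ printf "%s\r\n", $0 }' > "$dir/console.log"
    recover_password "$dir/key.pem" < "$dir/console.log"
    rc=$?
    rm -rf "$dir"
    return $rc
}

demo && echo
```

A private key stored in the newer OpenSSH format (-----BEGIN OPENSSH PRIVATE KEY-----) is not readable by openssl; convert a copy of it with ssh-keygen -p -m PEM before decrypting.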