[Openstack] [Nova] What is the correct way to provide Windows instance password for user?

jeffty wantwatering at gmail.com
Tue Jan 21 12:40:55 UTC 2014


Thanks a lot Juerg.

On 1/21/2014 7:08 PM, Juerg Haefliger wrote:
> 
> On Tue, Jan 21, 2014 at 10:23 AM, jeffty <wantwatering at gmail.com> wrote:
>>
>> Me 2:)
>>
>> Another question, how does customer decrypt the string with his private key?
>>
>> It requires that he has an environment with OpenSSL installed?
> 
> Yes, you need OpenSSL inside the Windows instance to encrypt the
> password and also in the env where you want to decrypt it.
> 
> To encrypt (in Unix notation):
> 
> ssh-keygen -e -m pkcs8 -f <SSH public key> > id_rsa.pub8
> enc_pw=$(echo 'MyRandomPassword' | openssl rsautl -encrypt -inkey id_rsa.pub8 -pubin | openssl enc -base64)
> 
> To decrypt:
> 
> echo "$enc_pw" | openssl enc -base64 -d | openssl rsautl -decrypt -inkey <SSH private key>
> 
> ...Juerg
> 
> 
> 
>> On 1/21/2014 3:44 PM, Georgios Dimitrakakis wrote:
>> > Indeed this is very interesting!
>> > I would also like to see it if possible!
>> >
>> > Best,
>> >
>> > G.
>> >
>> > On Tue, 21 Jan 2014 08:22:44 +0100, Joe Topjian wrote:
>> >> Hi Juerg,
>> >>
>> >> That's a really creative way of setting the password. Are you able to
>> >> share your powershell script?
>> >>
>> >> Thanks,
>> >> Joe
>> >>
>> >> On Tue, Jan 21, 2014 at 8:15 AM, Juerg Haefliger  wrote:
>> >>
>> >>> On Tue, Jan 21, 2014 at 3:15 AM, jeffty wrote:
>> >>>>
>> >>>> Thanks Joe, It really helps.
>> >>> >
>> >>>> Will check them to find the proper way.
>> >>> >
>> >>>> Thanks.
>> >>>>
>> >>>> On 1/19/2014 3:32 PM, Joe Topjian wrote:
>> >>>> > Hello,
>> >>>> >
>> >>>> > We've used this in the past:
>> >>>> >
>> >>>> > https://github.com/jordanrinke/openstack [2]
>> >>> > >
>> >>>> > It allows a user to type in an Administrator password in the
>> >>> Post Config
>> >>>> > text box when launching an instance in Horizon. The password is
>> >>> then
>> >>>> > retrieved when Windows first boots via the metadata service.
>> >>> > >
>> >>>> > We stopped using it for two reasons, though:
>> >>>> >
>> >>>> > 1. The password was permanently stored in the metadata server
>> >>>> > 2. There was no (default) way to let the user know that the password
>> >>>> >    they chose was not a strong enough password
>> >>>> >
>> >>>> > We now just have users connect to the VNC console and set the
>> >>> password
>> >>>> > upon first boot.
>> >>>> >
>> >>>> > There have been a few discussions over the past year on the
>> >>> > > openstack-operators list about the cloudbase Windows cloud-init
>> >>> service.
>> >>>> > I think one or two people have been able to get the password
>> >>> injection
>> >>>> > portion working. It might be worth a shot to search the
>> >>> archives:
>> >>> > >
>> >>>> > http://www.gossamer-threads.com/lists/openstack/operators/ [3]
>> >>>> >
>> >>>> > Joe
>> >>>> >
>> >>>> >
>> >>>> > On Sun, Jan 19, 2014 at 4:21 AM, jeffty wrote:
>> >>>> >
>> >>>> >     Thanks Jacob.
>> >>>> >
>> >>>> >     Is there any openstack API guide for send instance
>> >>> password while
>> >>> > >     launch it?
>> >>>> >
>> >>>> >     Thanks.
>> >>>> >
>> >>>> >     On 1/19/2014 11:08 AM, Jacob Godin wrote:
>> >>>> >     > Yes, they must input a password every time. It's within
>> >>> Windows, they
>> >>> > >     > must use the console.
>> >>>> >     >
>> >>>> >     > Sent from my mobile device
>> >>>> >     >
>> >>>> >     > On Jan 18, 2014 10:51 PM, "jeffty" wrote:
>> >>>> >     >
>> >>>> >     >     Thanks Jacob.
>> >>>> >     >
>> >>>> >     >     Then the user must input a password for every
>> >>> windows instance he
>> >>>> >     >     launched?
>> >>> > >     >
>> >>>> >     >     In other words different instance owns different
>> >>> password even
>> >>>> >     they are
>> >>>> >     >     launched at the same time? e.g. Input 3 while
>> >>> launching
>> >>>> >     instance in
>> >>> > >     >     Horizon portal for this windows image.
>> >>>> >     >
>> >>>> >     >     If yes, how to send this password to the instance
>> >>> in portal?
>> >>>> >     That should
>> >>>> >     >     be implemented by meta service.
>> >>> > >     >
>> >>>> >     >     If no, all of the instances have the same default
>> >>> password, right?
>> >>>> >     >
>> >>>> >     >
>> >>>> >     >     On 1/19/2014 10:02 AM, Jacob Godin wrote:
>> >>>> >     >     > We've used sysprep to have the administrator
>> >>> provide a password
>> >>>> >     >     when the
>> >>>> >     >     > instance is first booted.
>> >>>> >     >
>> >>>
>> >>> We use a simple powershell script that generates a random
>> >>> Administrator password on first boot, pulls the SSH key from the
>> >>> metadata server, encrypts the password with the key and writes the
>> >>> encrypted password to the serial port.
>> >>>
>> >>> The user retrieves the encrypted password through the nova
>> >>> console-log and decrypts it with his private key. The image is set up
>> >>> such that the user is prompted to change the (random) password the
>> >>> first time he logs into the instance.
>> >>>
>> >>> ...Juerg
>> >>>
>> >>>> >
>> >>>> >     _______________________________________________
>> >>>> >     Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack [10]
>> >>>> >     Post to     : openstack at lists.openstack.org [11]
>> >>>> >     Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack [13]
>> >>>> >
>> >>>> >
>> >>> >
>> >>>>
>> >>
>> >>
>> >>
>> >> Links:
>> >> ------
>> >> [1] mailto:wantwatering at gmail.com
>> >> [2] https://github.com/jordanrinke/openstack
>> >> [3] http://www.gossamer-threads.com/lists/openstack/operators/
>> >> [4] mailto:wantwatering at gmail.com
>> >> [5] mailto:wantwatering at gmail.com
>> >> [6] mailto:wantwatering at gmail.com
>> >> [7] mailto:wantwatering at gmail.com
>> >> [8] mailto:wantwatering at gmail.com
>> >> [9] mailto:wantwatering at gmail.com
>> >> [10] http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>> >> [11] mailto:openstack at lists.openstack.org
>> >> [12] mailto:openstack at lists.openstack.org
>> >> [13] http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>> >> [14] http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>> >> [15] mailto:openstack at lists.openstack.org
>> >> [16] http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>> >> [17] mailto:juergh at gmail.com
>> >
>>
>>

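The exchange described in the thread above, as an added example that is not part of the original messages or of Juerg's script: it runs the encrypt and decrypt steps end to end on a throwaway key pair and a constructed console log. The BEGIN/END marker lines, the file names and the `roundtrip` function are assumptions, and `openssl pkeyutl` is used in place of `rsautl`, which OpenSSL 3.0 deprecates.

```shell
#!/bin/sh
# Added example on constructed data. Marker strings and file names are assumptions.
# Runs in a subshell so the EXIT trap removes the throwaway private key on every path.
roundtrip() (
    pw=$1
    work=$(mktemp -d) || exit 1          # mktemp -d creates the directory mode 0700
    trap 'rm -rf "$work"' EXIT

    # Throwaway key pair standing in for the user's nova key pair. -m PEM keeps the
    # private key in a format openssl can read; recent ssh-keygen releases default
    # to the OpenSSH private key format, which openssl cannot load.
    ssh-keygen -q -t rsa -b 2048 -m PEM -N '' -f "$work/id_rsa" || exit 1

    # Instance side: convert the OpenSSH public key to PKCS#8, encrypt, base64.
    ssh-keygen -e -m pkcs8 -f "$work/id_rsa.pub" > "$work/id_rsa.pub8" || exit 1
    enc_pw=$(printf '%s' "$pw" |
        openssl pkeyutl -encrypt -pubin -inkey "$work/id_rsa.pub8" |
        openssl enc -base64) || exit 1

    # Constructed console log: boot noise around the blob written to the serial port.
    {
        echo "[    0.000000] constructed boot line"
        echo "-----BEGIN ENCRYPTED PASSWORD-----"
        printf '%s\n' "$enc_pw"
        echo "-----END ENCRYPTED PASSWORD-----"
        echo "[   42.000000] constructed trailing line"
    } > "$work/console.log"

    # User side: cut the blob out of the log, decode it, decrypt with the private key.
    sed -n '/BEGIN ENCRYPTED PASSWORD/,/END ENCRYPTED PASSWORD/p' "$work/console.log" |
        grep -v 'ENCRYPTED PASSWORD' |
        openssl enc -base64 -d |
        openssl pkeyutl -decrypt -inkey "$work/id_rsa"
)
```

An existing private key in the OpenSSH format can be rewritten in place with `ssh-keygen -p -m PEM -f <SSH private key>` before decrypting.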



