JoaoJandre commented on issue #6861: URL: https://github.com/apache/cloudstack/issues/6861#issuecomment-1412374019
@DaanHoogland and @Pavan-Nambi, I think this is moving in the wrong direction; after reading @nxsbi 's request, they do not seem to want ACS to generate a strong random password. What they want is to force their users to comply with a password policy in their VM's passwords. ACS's generated passwords are shown in the management server logs, they are also stored in plaintext on the database, in the `job_result` column of the `async_job` table; therefore, it is not a good practice to allow your users to keep these generated passwords, even if they are "strong" passwords. They (the passwords) are also stored in the VR in plain text, in the /var/cache/processed directory, in files with the pattern `vm_password.json.*`. Therefore, these passwords will always be subject to leak due to internal attacks (e.g. an admin that has access to the cloud infra) Instead, @nxsbi could use `cloud-init` to configure the target OS to set a password policy; then, when users log in, they are forced to create a password and comply with the company's password policy. Some of our clients use `cloud-init` to force their users to change their password as soon as they log into their VM's. To achieve this, one can (in Linux): 1. Access a VM with cloud-init. 2. Create a script file: `sudo touch /var/lib/cloud/scripts/per-instance/reset_password.sh` 3. Add the Linux command to expire the user's password: ``` #!/bin/bash passwd --e <default-user> ``` 4. Make the file executable: `sudo chmod +x /var/lib/cloud/scripts/per-instance/reset_password.sh` 5. Create a template based on this VM. All VMs created based on this template will force the user to change the password on their first login. Furthermore, if you want to force the user to use some password policy, you should do something similar to that by setting in the operating system a password policy. The same process shown above can be achieved for other operating systems. You just need to adapt the commands. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
