Andrija, Don't think like that if you run a public offering. Convenience will always win, the customer will not change the password. :)
-- Sent from the Delta quadrant using Borg technology! Nux! www.nux.ro ----- Original Message ----- > From: "Andrija Panic" <andrija.pa...@gmail.com> > To: dev@cloudstack.apache.org > Cc: "Alireza Eskandari" <astro.alir...@yahoo.com> > Sent: Friday, 28 November, 2014 12:05:53 > Subject: Re: A secure way to reset VMs password > For me personaly, this Cloudstack feature is used only during "damn I > forgot my password" and during deploying new VM from template. > > After I get access to VM - the password should be really changed anyway. > I agree it's unsecure, but again you are supposed to change it - and not > hope that the passwrod generated by third party tool (not yourself) is safe > or not stored anywhere else... > > > On 28 November 2014 at 10:34, Jayapal Reddy Uradi < > jayapalreddy.ur...@citrix.com> wrote: > >> >> Another point to note is all the vms in production has to update >> with the new cloud-set-guest-password scripts because of the new password >> reset method. >> >> Thanks, >> Jayapal >> >> >> >> On 28-Nov-2014, at 2:28 PM, Erik Weber <terbol...@gmail.com> >> wrote: >> >> > On Thu, Nov 27, 2014 at 3:54 PM, Alireza Eskandari < >> > astro.alir...@yahoo.com.invalid> wrote: >> > >> >> HiI viewed the bash script that resets Linux password ( >> >> >> http://download.cloud.com/templates/4.2/bindir/cloud-set-guest-password.in)It >> >> seems that it doesn't use a secure way for transferring password string >> to >> >> instance.Instances on a shared network can sniff password requests and >> >> export requested password of other instances.I suggest to use SSL >> (https) >> >> instead of plan text.Regards >> >> >> >> >> > I like the idea, but there's a couple of obstacles to overcome, namely >> > which SSL certificates to use. >> > - certificates need a subject name, ie. IP or hostname for web pages, you >> > could solve this by making the mgmt server a CA and have each VR get a >> > signed certificate by it, but it's complicated >> > - if the community bundle a pre generated certificate it is commonly >> known >> > and not to be trusted, also not sure how to handle subject name >> > - assuming everyone to supply a valid certificate is quite complicated >> (CA >> > must be on VR etc), and makes it considerably harder to get a working >> setup >> > - using self signed causes issues with validation >> > >> > >> > Don't get me wrong, I love the idea, but it's not just to flip a switch >> and >> > have (proper) SSL in place. >> > >> > -- >> > Erik >> >> > > > -- > > Andrija Panić
