Hi, I've sent a pull request that replaces the bash/socat based password server with a Python based server that is backward compatible. In future I'll be working on an VR-agents framework to make resetting password/publickeys more secure.
Right now when reset password is called, the password server is sent over HTTP (unencrypted) and does not expiry until the user VM sends an acknowledgement back to the VR. JIRA: https://issues.apache.org/jira/browse/CLOUDSTACK-8272 PR: https://github.com/apache/cloudstack/pull/106 I need your comment on the following proposal: 1. If a password has been served by the password server, we expire it within next 15 minutes (or suggest other values) if acknowledgement is not received. 2. If a password is not served by the password server in next 1-24 hours (because the VM was in stopped state and was never started to receive new password and send ack to remove it from VR) it gets expired. What should be a good enough time period, 1 hour? 4 hours? 1 day? Regards, Rohit Yadav Software Architect, ShapeBlue M. +91 8826230892 | rohit.ya...@shapeblue.com Blog: bhaisaab.org | Twitter: @_bhaisaab PS. If you see any footer below, I did not add it :) Find out more about ShapeBlue and our range of CloudStack related services IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//> CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/> CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/> CloudStack Software Engineering<http://shapeblue.com/cloudstack-software-engineering/> CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/> CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/> This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.
