When the password is taken and acknowledge from the VR it should be destroyed immediately from the VR and as it is currently, I think. Are you planning to implement SSL capability as well since it as been brought on the ML recently ?
On Wed, Mar 11, 2015 at 9:39 AM, Nux! <n...@li.nux.ro> wrote: > Hi Wido, > > > >> If a guest has confirmed the password was retrieved delete it > >> straight away. I am not sure this is what you asked. :) > >> > > > > How would the guest confirm? Merely retrieving it doesn't guarantee > > that the client was able to set it. > > > > I'd say keep if for 15 minutes, so that the guest can try a couple of > > times before we expire the password. > > Nothing against keeping the password around for a few more minutes or > hours. > > Looking at this password script[1] for example, it looks like the guest > can confirm that password was successfully retrieved and set like this: > > wget -t 3 -T 20 -O - --header "DomU_Request: saved_password" > $PASSWORD_SERVER_IP:8080 > > > [1] - > https://raw.githubusercontent.com/shankerbalan/cloudstack-scripts/master/archlinux/cloudstack-set-guest-password > >
