[
https://issues.apache.org/jira/browse/CLOUDSTACK-2534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13735396#comment-13735396
]
frank zhang commented on CLOUDSTACK-2534:
-----------------------------------------
This is invalid bug.
/usr/share/cloudstack-common/scripts/vm/systemvm/id_rsa.cloud is here for
historically reason but we never use it to login to SSVM/VR.
the correct key is at /var/cloudstack/management/.ssh/id_rsa which is home
directory of user cloud.
let's remove the /usr/share/cloudstack-common/scripts/vm/systemvm/id_rsa.cloud
at next release as it's quite confusing.
> Packaging puts SSH private keys as public readable on management server
> -----------------------------------------------------------------------
>
> Key: CLOUDSTACK-2534
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-2534
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: Packaging
> Reporter: Girish Shilamkar
> Assignee: Rayees Namathponnan
> Priority: Critical
> Labels: security
> Fix For: 4.2.0
>
>
> SSH public key is group readable which is security threat.
> ls -la /usr/share/cloudstack-common/scripts/vm/systemvm/id_rsa.cloud
> -rw-r--r--. 1 root root 1670 May 15 22:54
> /usr/share/cloudstack-common/scripts/vm/systemvm/id_rsa.cloud
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
