[ https://issues.apache.org/jira/browse/CLOUDSTACK-10141?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16331958#comment-16331958 ]
Rohit Yadav commented on CLOUDSTACK-10141:
------------------------------------------

Kristian - I think there is no credential leak. Yes, I agree a stale password/ssh public key may be available to new VMs that have the IP of an old/destroyed VM. However, if the new VM (from an ssh/password enabled template) is indeed password or SSH enabled, during provisioning the user/account specific ssh key and new password will be stored in the VR. So I don't think it's a security issue but a GC issue perhaps. I think the solution could be to get rid of the ssh public key and passwords when the VM is destroyed/removed?

> no password with instance creation
> -----------------------------------
>
> Key: CLOUDSTACK-10141
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10141
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public (Anyone can view this level - this is the default.)
> Components: Virtual Router
> Affects Versions: 4.9.0, 4.10.0.0
> Environment: 2 x Xenserver 7.0 pool. ACSv 4.10, system vms 4.10
> Reporter: Kristian Liivak
> Priority: Major
> Labels: patch
>
> With instance creation the password is not created.
> I performed several tests with the macchinina template.
> Before that I restarted the network with the clean up option, e.g. a new VR was created.
> But the results are: the VR password file is not modified after instance creation.
> The file is not created when I first created an instance.
> Shutting down the instance and resetting the password only created the VR password file, and it contains the correct entry.
> I have only one network present. It's one big /24 shared network for all VMs.
> Also IPv6 is present. Cloudmonkey list network output is also added below.
> My log is here; IPs are changed to aaa.bbb.ccc
>
> Restarted network with option cleanup. Logged in to VR:
> root@r-377-VM:/var/cache/cloud# ls -lah
> total 36K
> drwxr-xr-x 3 root root 4.0K Nov 13 14:35 .
> drwxr-xr-x 10 root root 4.0K Nov 13 14:29 ..
> -rw-r--r-- 1 root root 29 Nov 13 14:29 boot_up_done
> -rw-r--r-- 1 root root 33 Nov 13 14:28 cloud-scripts-signature
> -rw-r--r-- 1 root root 754 Nov 13 14:29 cmdline
> -rw-r--r-- 1 root root 33 Nov 13 14:29 disabled_svcs
> -rw-r--r-- 1 root root 2 Nov 13 14:29 dnsmasq_managed_lease
> -rw-r--r-- 1 root root 38 Nov 13 14:29 enabled_svcs
> drwxr-xr-x 2 root root 4.0K Nov 13 14:35 processed
>
> Created new instance and got GUI password "Password of new VM Macchinina1 is EJ4cQ2"
> Nothing changed in files in /var/cache/cloud
> Shut down instance and successfully reset password in GUI: "Password has been reset to dt8sNZ"
> Now I have the correct file created in the VR and it contains the correct password:
> root@r-377-VM:/var/cache/cloud# ls -lah
> total 40K
> drwxr-xr-x 3 root root 4.0K Nov 13 14:37 .
> drwxr-xr-x 10 root root 4.0K Nov 13 14:29 ..
> -rw-r--r-- 1 root root 29 Nov 13 14:29 boot_up_done
> -rw-r--r-- 1 root root 33 Nov 13 14:28 cloud-scripts-signature
> -rw-r--r-- 1 root root 754 Nov 13 14:29 cmdline
> -rw-r--r-- 1 root root 33 Nov 13 14:29 disabled_svcs
> -rw-r--r-- 1 root root 2 Nov 13 14:29 dnsmasq_managed_lease
> -rw-r--r-- 1 root root 38 Nov 13 14:29 enabled_svcs
> -rw-r--r-- 1 root root 21 Nov 13 14:37 passwords-aaa.bbb.ccc.2
> drwxr-xr-x 2 root root 4.0K Nov 13 14:37 processed
> root@r-377-VM:/var/cache/cloud# more passwords-aaa.bbb.ccc.2
> aaa.bbb.ccc.196=dt8sNZ
>
> Powered up instance and tailed VR password file:
> root@r-377-VM:/var/cache/cloud# tail -f passwords-aaa.bbb.ccc.2
> aaa.bbb.ccc.196=dt8sNZ
> tail: passwords-aaa.bbb.ccc.2: file truncated
> VM has the correct password. And the VR password file is empty.
>
> Next try with a new instance. Created. Password of new VM Macchinina2 is U8jBqC, tailed VR password file. No changes at all.
> Stopped new instance. Reset password: "Password has been reset to Y9mwzN"
> root@r-377-VM:/var/cache/cloud# tail -f passwords-aaa.bbb.ccc.2
> aaa.bbb.ccc.196=dt8sNZ
> aaa.bbb.ccc.169=Y9mwzN
> New password is there.
> tail: passwords-aaa.bbb.ccc.2: file truncated
> aaa.bbb.ccc.196=dt8sNZ
> VM started. Password is changed. VR password file entry is removed.
>
> Conclusion: with instance creation no password is provided. With password reset everything is OK. I noticed the issue already with ACSv 4.9, system vms 4.6.
> After upgrade nothing changed.

--
This message was sent by Atlassian JIRA (v7.6.3#76005)