Yes, this has already been discussed in the security mailing list. However,
we already have a similar feature if you use SSH keys.
If we want real security, we would have to use a key of the user to encrypt
the password stored in the VR, and then inject it in the VM. Therefore, it
seems more natural (IMO) to use SSH keys directly. Then, if the user wants
to enable password login, he/she can do so.

On Tue, Nov 28, 2017 at 10:18 AM, Vladimir Melnik <v.mel...@uplink.ua> wrote:

> Aye, should be cool to have them encrypted by some RSA-key that would be
> installed to the VM's template.
>
> Though at this moment one should keep an eye on the systems where these
> logs are stored.
>
> On Tue, Nov 28, 2017 at 03:39:55PM +0530, Makrand wrote:
> > Assuming all the passwords appearing in logs must be masked (kind of
> > encrypted), how does one decrypt those passwords from logs?
> >
> > BTW, if passwords are just logged as plain text (even for temp amount of
> > time), or stored as plain text over VR, then that's not a very secure
> > thing, is it??
> >
> > --
> > Makrand
> >
> >
> > On Tue, Nov 28, 2017 at 2:58 PM, Vladimir Melnik <v.mel...@uplink.ua>
> wrote:
> >
> > > Hello,
> > >
> > > Would you mind if I share a sample line from the log-file containing a
> > > password assigned (you can find similar ones in your log-files as well)?
> > >
> > > 2017-11-28 10:19:27,981 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl]
> > > (API-Job-Executor-14:ctx-6858662d job-1158151 ctx-1967e9d7)
> > > (logid:eed0e79e) Complete async job-1158151, jobStatus: SUCCEEDED,
> > > resultCode: 0, result: org.apache.cloudstack.api.resp
> > > onse.UserVmResponse/virtualmachine/{"id":"57ec4f9a-9f65-
> > > 46c5-926d-a475bbe5c1d5","name":"VM-57ec4f9a-9f65-46c5-926d-a
> > > 475bbe5c1d5","displayname":"VM-57ec4f9a-9f65-46c5-926d-a475b
> > > be5c1d5","account":"admin","userid":"b11c5858-5357-497d-
> > > 93e7-f68db82535e7","username":"admin","domainid":"4d767ff4-
> > > 8216-4718-8f04-4626eeb5180f","domain":"2017102413000103","
> > > created":"2017-10-27T10:57:11+0300","state":"Stopped","
> > > haenable":false,"zoneid":"c8d773fa-76ca-4637-8ecf-
> > > 88656444fc86","zonename":"z2.tucha13.net","templateid":"
> > > 3b4b2504-9718-407e-8cf2-cdd286a90e52","templatename":"
> > > linux-ubuntu-desktop-16.04-x64-20170819","templatedisplaytext":"Linux
> > > Ubuntu 16.04 x64 Desktop version (rev.20170819)","passwordenabl
> > > ed":true,"serviceofferingid":"5248afa9-f896-4608-bf3b-
> > > 316262c21b9d","serviceofferingname":"custom-ssd-a1","
> > > cpunumber":1,"cpuspeed":2399,"memory":1024,"cpuused":"0.07%"
> > > ,"networkkbsread":417369,"networkkbswrite":58495,"diskkbsrea
> > > d":360776,"diskkbswrite":1978872,"memorykbs":1048576,"m
> > > emoryintfreekbs":1112364,"memorytargetkbs":1048576,"diskiore
> > > ad":11950,"diskiowrite":149126,"guestosid":"ca0edf48-
> > > bd31-11e6-b74f-06973a00088a","rootdeviceid":0,"rootdevicetyp
> > > e":"ROOT","securitygroup":[],"password":"*************","
> > > nic":[{"id":"677447a3-de67-4477-b3fc-213ab12bf0d6","
> > > networkid":"1093f687-0581-4c63-9077-1471a8bfe7fd","
> > > networkname":"NET-PUB-193.151.666.666-24","netmask":"255.
> > > 255.255.0","gateway":"193.151.666.666","ipaddress":"193.151.
> > > 666.666","isolationuri":"vlan://100","broadcasturi":"vlan://
> > > 100","traffictype":"Guest","type":"Shared","isdefault":
> > > true,"macaddress":"66:66:66:66:66:66","secondaryip":[]},{"
> > > id":"3f71910e-cfe5-4d61-b725-e78e1d434cd8","networkid":"3422
> > > bda5-f206-4418-8a8a-30372a4f1e4a","networkname":"NET-
> > > 2017102413000103","netmask":"255.255.255.0","gateway":"192.
> > > 168.131.254","ipaddress":"192.168.131.154","traffictype":"
> > > Guest","type":"Isolated","isdefault":false,"macaddress":
> > > "66:66:66:66:66:66","secondaryip":[]}],"hypervisor"
> > > :"KVM","instancename":"i-6666-6666-VM","affinitygroup":[],"d
> > > isplayvm":true,"isdynamicallyscalable":false,"ostypeid":254,"tags":[]}
> > >
> > > ^^^ That doesn't seem to be cloudmonkey who adds that to the management
> > > log-file, as we don't use it at all.
> > >
> > > But there's a dilemma that needs to be solved, as "fixing" that would mean
> > > that a content-neutral logging module should understand which information
> > > is confidential and shouldn't be logged, not such an easy task to be
> > > solved properly.
> > >
> > > With best,
> > > Vlad
> > >
> > >
> > >
> > > On Mon, Nov 27, 2017 at 05:02:00PM -0200, Rafael Weingärtner wrote:
> > > > Ah, thanks Daan ;)
> > > >
> > > > On Mon, Nov 27, 2017 at 4:27 PM, Daan Hoogland <daan.hoogl...@gmail.com> wrote:
> > > >
> > > > > It isn't logged, Rafael, not by cloudstack. It is cloudmonkey that logs the
> > > > > API response object. It is the same response the UI uses to display it to
> > > > > the user.
> > > > >
> > > > > On Mon, Nov 27, 2017 at 3:45 PM, Rafael Weingärtner <rafaelweingart...@gmail.com> wrote:
> > > > >
> > > > > > Interesting! I did not know that the password was logged. I thought it
> > > > > > was a one time thing to show the password in the UI.
> > > > > >
> > > > > > On Mon, Nov 27, 2017 at 1:43 PM, Nux! <n...@li.nux.ro> wrote:
> > > > > >
> > > > > > > Ok, so found out some more stuff.
> > > > > > >
> > > > > > > First of all, the password appears in management-server.log and
> > > > > > > apilog.log, so that's one place to grep into.
> > > > > > >
> > > > > > > > Second, I could query the jobid and get the password from there. E.g.
> > > > > > > > from cloudmonkey
> > > > > > > > query asyncjobresult jobid=caac0e1f-0aff-4065-8189-1d32d480e73f | grep password\ =
> > > > > > > >
> > > > > > > > More info here
> > > > > > > > https://cwiki.apache.org/confluence/display/CLOUDSTACK/CloudStack+cloudmonkey+CLI#CloudStackcloudmonkeyCLI-AsyncJobexecution
> > > > > > >
> > > > > > > --
> > > > > > > Sent from the Delta quadrant using Borg technology!
> > > > > > >
> > > > > > > Nux!
> > > > > > > www.nux.ro
> > > > > > >
> > > > > > > ----- Original Message -----
> > > > > > > > From: "Rafael Weingärtner" <rafaelweingart...@gmail.com>
> > > > > > > > To: "users" <users@cloudstack.apache.org>
> > > > > > > > Sent: Monday, 27 November, 2017 15:21:30
> > > > > > > > Subject: Re: Where is the vm root password published?
> > > > > > >
> > > > > > > > Ah, if that is the case, I know it is stored in the VR of the network
> > > > > > > > the VM is connected to.
> > > > > > > >
> > > > > > > > I forgot now the file, but it is something like “/var/usr?/cloud/cache”
> > > > > > > > or something that ends in “/cache/cloud”.
> > > > > > > >
> > > > > > > >
> > > > > > > > Do we store these password in ACS database as well?
> > > > > > > >
> > > > > > > > On Mon, Nov 27, 2017 at 1:18 PM, Nux! <n...@li.nux.ro> wrote:
> > > > > > > >
> > > > > > > >> Rafael,
> > > > > > > >>
> > > > > > > >> Yes indeed, sorry if I wasn't clear.
> > > > > > > >>
> > > > > > > >> --
> > > > > > > >> Sent from the Delta quadrant using Borg technology!
> > > > > > > >>
> > > > > > > >> Nux!
> > > > > > > >> www.nux.ro
> > > > > > > >>
> > > > > > > >> ----- Original Message -----
> > > > > > > >> > From: "Rafael Weingärtner" <rafaelweingart...@gmail.com>
> > > > > > > >> > To: "users" <users@cloudstack.apache.org>
> > > > > > > >> > Sent: Monday, 27 November, 2017 14:58:20
> > > > > > > >> > Subject: Re: Where is the vm root password published?
> > > > > > > >>
> > > > > > > >> > Are you talking about the generated passwords to be injected in
> > > > > > > >> > user vms?
> > > > > > > >> > Besides that, we do not have any other password. At least that I
> > > > > > > >> > know.
> > > > > > > >> >
> > > > > > > >> > On Mon, Nov 27, 2017 at 12:56 PM, Nux! <n...@li.nux.ro> wrote:
> > > > > > > >> >
> > > > > > > >> >> No, I mean the regular user VM instances.
> > > > > > > >> >> I know they are held somewhere temporarily, just don't know
> > > > > > > >> >> where. :)
> > > > > > > >> >>
> > > > > > > >> >> --
> > > > > > > >> >> Sent from the Delta quadrant using Borg technology!
> > > > > > > >> >>
> > > > > > > >> >> Nux!
> > > > > > > >> >> www.nux.ro
> > > > > > > >> >>
> > > > > > > >> >> ----- Original Message -----
> > > > > > > >> >> > From: "Rafael Weingärtner" <rafaelweingart...@gmail.com>
> > > > > > > >> >> > To: "users" <users@cloudstack.apache.org>
> > > > > > > >> >> > Sent: Monday, 27 November, 2017 12:26:59
> > > > > > > >> >> > Subject: Re: Where is the vm root password published?
> > > > > > > >> >>
> > > > > > > >> >> > If you are talking about the system VMs password:
> > > > > > > >> >> > If you set the parameter "system.vm.random.password" to "true",
> > > > > > > >> >> > then you can see the password at "system.vm.password"
> > > > > > > >> >> >
> > > > > > > >> >> > On Mon, Nov 27, 2017 at 10:24 AM, Nux! <n...@li.nux.ro> wrote:
> > > > > > > >> >> >
> > > > > > > >> >> >> Hello,
> > > > > > > >> >> >>
> > > > > > > >> >> >> I know that the vm root password is temporarily stored somewhere
> > > > > > > >> >> >> in the system. I need to find it out for accessing the console of
> > > > > > > >> >> >> some instances created programmatically.
> > > > > > > >> >> >> Where do I look?
> > > > > > > >> >> >>
> > > > > > > >> >> >> Cheers,
> > > > > > > >> >> >> Lucian
> > > > > > > >> >> >>
> > > > > > > >> >> >> --
> > > > > > > >> >> >> Sent from the Delta quadrant using Borg technology!
> > > > > > > >> >> >>
> > > > > > > >> >> >> Nux!
> > > > > > > >> >> >> www.nux.ro
> > > > > > > >> >> >>
> > > > > > > >> >> >
> > > > > > > >> >> >
> > > > > > > >> >> >
> > > > > > > >> >> > --
> > > > > > > >> >> > Rafael Weingärtner
> > > > > > > >> >>
> > > > > > > >> >
> > > > > > > >> >
> > > > > > > >> >
> > > > > > > >> > --
> > > > > > > >> > Rafael Weingärtner
> > > > > > > >>
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > --
> > > > > > > > Rafael Weingärtner
> > > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > --
> > > > > > Rafael Weingärtner
> > > > > >
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Daan
> > > > >
> > > >
> > > >
> > > >
> > > > --
> > > > Rafael Weingärtner
> > >
> > > --
> > > V.Melnik
> > >
>
> --
> V.Melnik
>



-- 
Rafael Weingärtner
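
Vlad's dilemma (a content-neutral logger deciding what is confidential) and the two places Nux lists where the password surfaces (the JSON result in management-server.log and the "password = ..." line cloudmonkey prints) can be handled as a small redact-and-detect step; the following is an added example, not CloudStack or cloudmonkey code, and its key set, log prefix and sample lines are constructed assumptions:

```python
import json
import re
# Assumption: an illustrative set of response keys that must never be logged.
SENSITIVE_KEYS = {"password", "secretkey", "apikey"}
MASK = "*************"

def redact(obj):
    """Recursively mask sensitive keys in a decoded API response object."""
    if isinstance(obj, dict):
        return {k: (MASK if k.lower() in SENSITIVE_KEYS else redact(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj

# Tail of an AsyncJobManagerImpl line: "result: <class>/<name>/{json}".
RESULT_RE = re.compile(r"result: \S+?/(\{.*\})\s*$")

def redact_log_line(line):
    """Return the log line with sensitive fields of its JSON result masked."""
    m = RESULT_RE.search(line)
    if not m:
        return line
    try:
        payload = json.loads(m.group(1))
    except ValueError:  # not a JSON payload: leave the line untouched
        return line
    clean = json.dumps(redact(payload), separators=(",", ":"))
    return line[:m.start(1)] + clean + line[m.end(1):]

# Two forms seen in the thread: the JSON field in management-server.log and
# the "password = ..." line cloudmonkey prints for queryAsyncJobResult.
LEAK_RES = [re.compile(r'"password"\s*:\s*"([^"]*)"'),
            re.compile(r"\bpassword\s*=\s*(\S+)")]

def find_leaks(lines):
    """Detection: 1-based numbers of lines carrying an unmasked password."""
    return [n for n, line in enumerate(lines, 1)
            if any(m.group(1).strip("*")
                   for r in LEAK_RES for m in r.finditer(line))]
# Constructed sample lines shaped like the thread's log entry (not real data).
LOG_HEAD = "2017-11-28 10:19:27,981 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl] "
SAMPLE = [
    LOG_HEAD + "Complete async job-1, result: org.apache.cloudstack.api.response."
    'UserVmResponse/virtualmachine/{"id":"vm-1","passwordenabled":true,'
    '"password":"hunter2","nic":[{"id":"nic-1"}]}',
    "password = hunter2",
    LOG_HEAD + "heartbeat, no payload",
]
```

Note that redact_log_line only rewrites the JSON form; find_leaks still flags the cloudmonkey "password = ..." line afterwards, which is the point of keeping a separate detection pass over whatever actually reached disk.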
