Posted to issues@cloudstack.apache.org by "Daan Hoogland (JIRA)" <ji...@apache.org> on 2017/10/26 08:11:00 UTC
[jira] [Updated] (CLOUDSTACK-10113) password reset service on the VR, may reset passwords unintended
[ https://issues.apache.org/jira/browse/CLOUDSTACK-10113?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Daan Hoogland updated CLOUDSTACK-10113:
---------------------------------------
Security: Public (was: Non-Public)
> password reset service on the VR, may reset passwords unintended
> ----------------------------------------------------------------
>
> Key: CLOUDSTACK-10113
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10113
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public (Anyone can view this level - this is the default.)
> Reporter: Dag Sonstebo
> Assignee: Daan Hoogland
> Attachments: 0001-CLOUDSTACK-10113-merge-for-passwords-to-be-cheap-not.patch
>
>
> Environment tested:
> - CloudStack 4.9.3 on CentOS7.
> - KVM on CentOS7
> - System VM template from http://packages.shapeblue.com/systemvmtemplate/4.6/new/
>
> In summary (more details can be provided):
> When a VM password reset is requested the databag processing on the VR updates the file /etc/cloudstack/vmpassword.json:
>
> # cat /etc/cloudstack/vmpassword.json
> {
> "10.1.1.117": "YT42eJ",
> "10.1.1.127": "Y34m89",
> "10.1.1.46": "8Iyg3h",
> "id": "vmpassword"
> }
>
> When the VR password service starts / reloads this is loaded into the run configuration file /var/cache/cloud/passwords-10.1.1.1:
>
> # cat var/cache/cloud/passwords-10.1.1.1
> 10.1.1.46=8Iyg3h
> 10.1.1.127=Y34m89
> 10.1.1.117=YT42eJ
>
> Once the VM has reset the password, the password in question is removed from the cache file – e.g. after a password reset of 10.1.1.46 the contents are:
>
> # cat var/cache/cloud/passwords-10.1.1.
> 10.1.1.127=Y34m89
> 10.1.1.117=YT42eJ
>
> The service does however *not* remove the entry from /etc/cloudstack/vmpassword.json:
>
> # cat /etc/cloudstack/vmpassword.json
> {
> "10.1.1.117": "YT42eJ",
> "10.1.1.127": "Y34m89",
> "10.1.1.46": "8Iyg3h",
> "id": "vmpassword"
> }
>
> The user can now log in to the VM in question with the reset password, and set his own. This password reset remains persistent across reboots.
>
> However – if another password reset for a different VM is requested, then the full content of /etc/cloudstack/vmpassword.json is loaded back into the cache file /var/cache/cloud/passwords-10.1.1.1.
> In this example the password reset was done on VM with IP address 10.1.1.117:
>
> # cat /etc/cloudstack/vmpassword.json
> {
> "10.1.1.117": "aT6mVP",
> "10.1.1.127": "Y34m89",
> "10.1.1.46": "8Iyg3h",
> "id": "vmpassword"
> }
>
> # cat var/cache/cloud/passwords-10.1.1.
> 10.1.1.46=8Iyg3h
> 10.1.1.127=Y34m89
> 10.1.1.117=aT6mVP
>
> If the first VM – 10.1.1.46 – now reboots, it will have its manually reset password reset again by the password service, due to the vmpassword.json stored password being reloaded into the cache file.
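As an added example (not code from CloudStack, the attached patch, or the reporter), the Python model below replays the sequence in the report: the databag is loaded into the cache, 10.1.1.46 fetches its password, a reset for 10.1.1.117 reloads the whole databag, and the consumed password for 10.1.1.46 reappears. The "hardened" consume function, which also drops the served entry from the databag, is an illustrative assumption, as is the `stale_entries` check an operator could run against the two files on a VR.

```python
import json

# Constructed sample of /etc/cloudstack/vmpassword.json, using the values from the report.
DATABAG_JSON = """{
  "10.1.1.117": "YT42eJ",
  "10.1.1.127": "Y34m89",
  "10.1.1.46": "8Iyg3h",
  "id": "vmpassword"
}"""


def databag_to_cache(databag):
    """Model of the VR loading the databag into passwords-<ip>: every key except 'id' becomes an entry."""
    return {ip: pw for ip, pw in databag.items() if ip != "id"}


def render_cache(cache):
    """Renders the cache in the ip=password line format shown in the report."""
    return "\n".join(f"{ip}={pw}" for ip, pw in cache.items())


def consume_reported(databag, cache, ip):
    """Behaviour in the report: a served password is dropped from the cache but stays in the databag."""
    cache.pop(ip, None)


def consume_hardened(databag, cache, ip):
    """Illustrative fix (an assumption, not the attached patch): drop the served entry from both places."""
    cache.pop(ip, None)
    databag.pop(ip, None)


def stale_entries(databag, cache):
    """Operator check: passwords still persisted in the databag although already served (absent from cache)."""
    return sorted(ip for ip in databag if ip != "id" and ip not in cache)


def replay(consume):
    """Replays the report: .46 fetches its password, then a reset for .117 reloads the whole databag."""
    databag = json.loads(DATABAG_JSON)
    cache = databag_to_cache(databag)
    consume(databag, cache, "10.1.1.46")
    stale = stale_entries(databag, cache)      # non-empty under the reported behaviour
    databag["10.1.1.117"] = "aT6mVP"           # new reset request for a different VM
    cache = databag_to_cache(databag)          # full reload of the databag, as the report describes
    return cache, stale
```

With `consume_reported`, the final cache again contains `10.1.1.46=8Iyg3h`, which is the entry that would reset that VM's password on its next reboot; with `consume_hardened` it does not.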