Posted to issues@cloudstack.apache.org by "Daan Hoogland (JIRA)" <ji...@apache.org> on 2017/10/26 08:11:00 UTC

[jira] [Updated] (CLOUDSTACK-10113) password reset service on the VR, may reset passwords unintended

     [ https://issues.apache.org/jira/browse/CLOUDSTACK-10113?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daan Hoogland updated CLOUDSTACK-10113:
---------------------------------------
    Security: Public  (was: Non-Public)

> password reset service on the VR, may reset passwords unintended
> ----------------------------------------------------------------
>
>                 Key: CLOUDSTACK-10113
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10113
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public (Anyone can view this level - this is the default.)
>            Reporter: Dag Sonstebo
>            Assignee: Daan Hoogland
>         Attachments: 0001-CLOUDSTACK-10113-merge-for-passwords-to-be-cheap-not.patch
>
>
> Environment tested:
> - CloudStack 4.9.3 on CentOS7.
> - KVM on CentOS7
> - System VM template from http://packages.shapeblue.com/systemvmtemplate/4.6/new/
>  
> In summary (more details can be provided):
> When a VM password reset is requested the databag processing on the VR updates the file /etc/cloudstack/vmpassword.json:
>  
> # cat /etc/cloudstack/vmpassword.json
> {
>   "10.1.1.117": "YT42eJ",
>   "10.1.1.127": "Y34m89",
>   "10.1.1.46": "8Iyg3h",
>   "id": "vmpassword"
> }
>  
> When the VR password service starts / reloads this is loaded into the run configuration file /var/cache/cloud/passwords-10.1.1.1:
>  
> # cat var/cache/cloud/passwords-10.1.1.1
> 10.1.1.46=8Iyg3h
> 10.1.1.127=Y34m89
> 10.1.1.117=YT42eJ
>  
> Once the VM has reset the password the password in question is removed from the cache file – e.g. after a password reset of 10.1.1.46 the contents are:
>  
> # cat var/cache/cloud/passwords-10.1.1.
> 10.1.1.127=Y34m89
> 10.1.1.117=YT42eJ
>  
> The service does however *not* remove the entry from /etc/cloudstack/vmpassword.json:
>  
> # cat /etc/cloudstack/vmpassword.json
> {
>   "10.1.1.117": "YT42eJ",
>   "10.1.1.127": "Y34m89",
>   "10.1.1.46": "8Iyg3h",
>   "id": "vmpassword"
> }
>  
> The user can now log in to the VM in question with the reset password, and set his own. This password reset remains persistent across reboots.
>  
> However – if another password reset for a different VM is requested, then the full content of /etc/cloudstack/vmpassword.json is loaded back into the cache file /var/cache/cloud/passwords-10.1.1.1.
> In this example the password reset was done on VM with IP address 10.1.1.117:
>  
> # cat /etc/cloudstack/vmpassword.json
> {
>   "10.1.1.117": "aT6mVP",
>   "10.1.1.127": "Y34m89",
>   "10.1.1.46": "8Iyg3h",
>   "id": "vmpassword"
> }
>  
> # cat var/cache/cloud/passwords-10.1.1.
> 10.1.1.46=8Iyg3h
> 10.1.1.127=Y34m89
> 10.1.1.117=aT6mVP
>  
> If the first VM – 10.1.1.46 – now reboots it will have its manually reset password reset again by the password service due to the vmpassword.json stored password being reloaded into the cache file.
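
The sequence in the report, replayed as an added Python model (not code from the issue, the attached patch, or the CloudStack project): the databag JSON and the `ip=password` cache file are parsed with the layouts shown above, the reported behaviour (consuming a password drops it from the cache only) is compared with a hypothetical remedy that also drops it from the databag, and a small check lists databag entries that have already been consumed and would be re-applied on the next reload. File contents are constructed from the report; function names are my own.

```python
import json

# Constructed sample inputs, laid out like the files quoted in the report:
# the databag after the first reset, and the cache after VM 10.1.1.46
# has consumed its password.
DATABAG_JSON = """{
  "10.1.1.117": "YT42eJ",
  "10.1.1.127": "Y34m89",
  "10.1.1.46": "8Iyg3h",
  "id": "vmpassword"
}"""
CACHE_TEXT = "10.1.1.127=Y34m89\n10.1.1.117=YT42eJ\n"


def parse_databag(text):
    """/etc/cloudstack/vmpassword.json -> {ip: password}; 'id' is metadata, not a VM."""
    return {k: v for k, v in json.loads(text).items() if k != "id"}


def parse_cache(text):
    """/var/cache/cloud/passwords-<vr-ip> -> {ip: password}, one ip=password line each."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        ip, password = line.split("=", 1)
        entries[ip] = password
    return entries


def render_cache(entries):
    """Inverse of parse_cache: write the cache file format."""
    return "".join(f"{ip}={pw}\n" for ip, pw in entries.items())


def stale_databag_entries(databag_text, cache_text):
    """Detection check: an IP whose password is still in the databag but no longer
    in the cache has already been consumed by its VM, and the reload described in
    the report will put that old password back into the cache."""
    databag = parse_databag(databag_text)
    cache = parse_cache(cache_text)
    return sorted(ip for ip in databag if ip not in cache)


def consume_buggy(cache, databag, ip):
    """Behaviour described in the report: only the cache entry is dropped."""
    cache.pop(ip, None)


def consume_fixed(cache, databag, ip):
    """Hypothetical remedy (not the attached patch): drop the persistent entry too."""
    cache.pop(ip, None)
    databag.pop(ip, None)


def simulate(consume):
    """Replay the report's sequence; return the cache after the second reload."""
    databag = parse_databag(DATABAG_JSON)
    cache = dict(databag)                  # service start: databag loaded into cache
    consume(cache, databag, "10.1.1.46")   # VM 10.1.1.46 picks up its password
    databag["10.1.1.117"] = "aT6mVP"       # reset requested for a different VM
    cache = dict(databag)                  # reload: full databag back into cache
    return cache


if __name__ == "__main__":
    print("stale entries:", stale_databag_entries(DATABAG_JSON, CACHE_TEXT))
    print("buggy reload :", render_cache(simulate(consume_buggy)), end="")
    print("fixed reload :", render_cache(simulate(consume_fixed)), end="")
```

With the buggy consume step the second reload brings `10.1.1.46=8Iyg3h` back into the cache, which is exactly the state that re-applies the old password on the VM's next reboot; with the fixed step it stays gone. The `stale_databag_entries` check can be run against copies of the two files from a VR to see whether any consumed passwords are still waiting to be re-applied.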



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)