The current design is “OK”, not great. Looking for suggestions to make it more secure. E.g.,:
* HTTPS * Client authentication Another idea might be to attach a volume to the VM with the password, but hot plug detection varies widely from OS/Hypervisor combinations. HTTP(s) is the lowest common denominator, but it has some trade-offs. From: John Kinsella <j...@stratosec.co<mailto:j...@stratosec.co>> Reply-To: "dev@cloudstack.apache.org<mailto:dev@cloudstack.apache.org>" <dev@cloudstack.apache.org<mailto:dev@cloudstack.apache.org>> Date: Tuesday, August 26, 2014 at 4:04 PM To: "dev@cloudstack.apache.org<mailto:dev@cloudstack.apache.org>" <dev@cloudstack.apache.org<mailto:dev@cloudstack.apache.org>> Subject: Re: [DISCUSS] Changing the way password reset works, or allowing the cloud-init way On Aug 26, 2014, at 1:34 PM, Erik Weber <terbol...@gmail.com<mailto:terbol...@gmail.com>> wrote: If I understand correctly, we currently deploy a web server on port 8080 on Slight correction: A processes on the VR listens on port 8080, and hands any connections to a UNIX script. Calling it a "web server" is way too kind. Also, you’re just looking at the unix use-case. The Windows agent is close sourced the last I checked. Cloud-init doesn’t feel like the best solution, as the one good thing the current setup does is remove the password from the VR after it’s fetched. Thought there was a bug filed on this, but I don’t see it?
