SSL - maybe we could use the same SSL cert used for the CP and secure download? Feels a little sketchy at first thought but might be an improvement...
John On Aug 26, 2014, at 5:51 PM, Chiradeep Vittal <chiradeep.vit...@citrix.com> wrote: > The current design is “OK”, not great. Looking for suggestions to make it > more secure. E.g.,: > > * HTTPS > * Client authentication > > Another idea might be to attach a volume to the VM with the password, but hot > plug detection varies widely from OS/Hypervisor combinations. > HTTP(s) is the lowest common denominator, but it has some trade-offs. > > From: John Kinsella <j...@stratosec.co<mailto:j...@stratosec.co>> > Reply-To: "dev@cloudstack.apache.org<mailto:dev@cloudstack.apache.org>" > <dev@cloudstack.apache.org<mailto:dev@cloudstack.apache.org>> > Date: Tuesday, August 26, 2014 at 4:04 PM > To: "dev@cloudstack.apache.org<mailto:dev@cloudstack.apache.org>" > <dev@cloudstack.apache.org<mailto:dev@cloudstack.apache.org>> > Subject: Re: [DISCUSS] Changing the way password reset works, or allowing the > cloud-init way > > > On Aug 26, 2014, at 1:34 PM, Erik Weber > <terbol...@gmail.com<mailto:terbol...@gmail.com>> wrote: > If I understand correctly, we currently deploy a web server on port 8080 on > > Slight correction: A processes on the VR listens on port 8080, and hands any > connections to a UNIX script. Calling it a "web server" is way too kind. > > Also, you’re just looking at the unix use-case. The Windows agent is close > sourced the last I checked. > > Cloud-init doesn’t feel like the best solution, as the one good thing the > current setup does is remove the password from the VR after it’s fetched. > > Thought there was a bug filed on this, but I don’t see it? > >
