For me personally, this CloudStack feature is used only during "damn I forgot my password" and during deploying a new VM from a template.
After I get access to the VM - the password should really be changed anyway.

I agree it's insecure, but again you are supposed to change it - and not hope that the password generated by a third-party tool (not yourself) is safe or not stored anywhere else...

On 28 November 2014 at 10:34, Jayapal Reddy Uradi <jayapalreddy.ur...@citrix.com> wrote:

> Another point to note is all the VMs in production have to update
> with the new cloud-set-guest-password scripts because of the new password
> reset method.
>
> Thanks,
> Jayapal
>
> On 28-Nov-2014, at 2:28 PM, Erik Weber <terbol...@gmail.com> wrote:
>
> > On Thu, Nov 27, 2014 at 3:54 PM, Alireza Eskandari <astro.alir...@yahoo.com.invalid> wrote:
> >
> >> Hi
> >> I viewed the bash script that resets the Linux password
> >> (http://download.cloud.com/templates/4.2/bindir/cloud-set-guest-password.in)
> >> It seems that it doesn't use a secure way for transferring the password string to
> >> the instance.
> >> Instances on a shared network can sniff password requests and
> >> export the requested password of other instances.
> >> I suggest to use SSL (https) instead of plain text.
> >> Regards
> >
> > I like the idea, but there's a couple of obstacles to overcome, namely
> > which SSL certificates to use.
> > - certificates need a subject name, i.e. IP or hostname for web pages, you
> >   could solve this by making the mgmt server a CA and have each VR get a
> >   signed certificate by it, but it's complicated
> > - if the community bundles a pre-generated certificate it is commonly known
> >   and not to be trusted, also not sure how to handle subject name
> > - assuming everyone to supply a valid certificate is quite complicated (CA
> >   must be on VR etc), and makes it considerably harder to get a working setup
> > - using self-signed causes issues with validation
> >
> > Don't get me wrong, I love the idea, but it's not just to flip a switch and
> > have (proper) SSL in place.
> >
> > --
> > Erik

--
Andrija Panić
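
The first option in Erik's list (the management server acting as a CA that signs a per-VR certificate whose subject is the router's IP) can be tried with stock `openssl`, alongside the self-signed case from his last bullet. This is an added example, not part of the thread and not CloudStack code; the CA name, the address 10.1.1.1 and all file names are constructed.

```shell
#!/bin/sh
# Added demo (not CloudStack code): a private CA signs a per-VR certificate
# whose subjectAltName is the router IP; a guest that trusts only that CA
# then validates by IP. All names and addresses are constructed.
VR_IP="10.1.1.1"

# make_pki DIR IP: create CA key/cert, then a VR key and CA-signed cert for IP
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=demo-mgmt-ca" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/vr.key" -out "$1/vr.csr" 2>/dev/null || return 1
    # OpenSSL matches an IP only against an IP-type subjectAltName entry
    printf 'subjectAltName=IP:%s\n' "$2" > "$1/san.ext"
    openssl x509 -req -in "$1/vr.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -extfile "$1/san.ext" \
        -out "$1/vr.crt" 2>/dev/null
}

# make_self_signed DIR IP: the "self signed" case from the thread
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$1/self.key" -out "$1/self.crt" 2>/dev/null
}

# check_cert CAFILE CERT IP: succeeds only if CERT chains to CAFILE and names IP
check_cert() {
    openssl verify -CAfile "$1" -verify_ip "$3" "$2" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    make_pki "$d" "$VR_IP" && make_self_signed "$d" "$VR_IP" || return 1
    check_cert "$d/ca.crt" "$d/vr.crt" "$VR_IP"   && echo "CA-signed, right IP: accepted"
    check_cert "$d/ca.crt" "$d/vr.crt" "10.1.1.2" || echo "CA-signed, other IP: rejected"
    check_cert "$d/ca.crt" "$d/self.crt" "$VR_IP" || echo "self-signed: rejected"
    rm -rf "$d"
}
demo
```

What the demo leaves open is the distribution problem the thread raises: every guest needs `ca.crt` as its trust anchor, and every VR needs its own signed certificate.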