Thanks for your response, Tim. I do have our OpenStack environment integrated into AD. I am basically trying to see if there is an alternative to storing the password in clear text in an environment variable. With Kerberos or AD, are you saying that we would just get a ticket by authenticating once and then use that ticket somehow for openstack commands?
Thanks.

On Wed, Mar 23, 2016 at 9:17 AM, Tim Bell <tim.b...@cern.ch> wrote:

> The difficulty with the environment variables is that the administrator of
> the box you are logged into can read the environment using ps auxwwww.
>
> There has been some work done to support storing all the variables in a
> file (which would be an environment variable) such that the CLIs read from
> the file rather than needing it in the environment. This at least minimises
> the access to the home directory file servers rather than the root admin on
> the box you are using.
>
> Kerberos is very nice, if you have access to an active directory or a
> local Kerberos server, it’s worth a look.
>
> Tim
>
> On 23/03/16 16:40, "CARVER, PAUL" <pc2...@att.com> wrote:
>
> >Jagga Soorma wrote:
> >
> >>Currently when using the openstack api I have to save my password in clear text in
> >>the OS_PASSWORD environment variable. Is there a more secure way to use the
> >>openstack api without having to either store this password in clear text or enter the
> >>password manually every time I run an openstack command? Is there some way that
> >>I can use a token id? I have tried but can't seem to get it to work and not sure what
> >>else is possible.
> >
> >If the token will allow you to use services and you store the token in clear text then
> >you’ve only managed to rename your password to token without adding any security.
> >
> >What you need to think about is what are you willing to type and when are you willing
> >to type it. I don’t know if anyone has a polished “official” implementation, but a couple
> >of options:
> >
> >1) Configure one of your login scripts to prompt for your OpenStack password and
> >   export it rather than putting it directly in a login script.
> >
> >2) Encrypt your home directory and store your "clear text" password in a file in your
> >   encrypted home directory
> >
> >3) Put your password in a file on a USB flash drive (in an encrypted file if you want
> >   a double layer of security) and create a wrapper script that reads your password
> >   from a fixed location on USB drive when you run a command. (keep the USB drive
> >   in a physical safe when not in use)
> >
> >_______________________________________________
> >Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> >Post to     : openstack@lists.openstack.org
> >Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
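
One way to write the wrapper script from options 2 and 3 of the quoted message, as an added example that is not part of the original thread: it refuses a password file that other accounts could read, and sets OS_PASSWORD only for the one command it runs instead of exporting it for the whole login session. The variable OS_PASSWORD_FILE, the default file path, and both function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the thread. OS_PASSWORD_FILE and the default
# path below are hypothetical; point them at the encrypted home directory
# or USB mount discussed in the quoted message.

# Print the password stored in FILE, but only if FILE is a regular file
# (not a symlink), owned by the caller, with no group/other permission bits.
read_os_password() {
    file=$1
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "refusing $file: not a regular file" >&2
        return 1
    fi
    if [ ! -O "$file" ]; then
        echo "refusing $file: not owned by you" >&2
        return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    bits=$(ls -ld "$file" | cut -c5-10)
    if [ "$bits" != "------" ]; then
        echo "refusing $file: group/other bits set ($bits), chmod 600 it" >&2
        return 1
    fi
    # First line only; the trailing newline is not part of the password.
    head -n 1 "$file"
}

# Run one command with OS_PASSWORD in that child's environment only.
# Nothing is exported into the calling shell.
# Usage: with_os_password openstack server list
with_os_password() {
    [ $# -gt 0 ] || { echo "usage: with_os_password CMD [ARGS...]" >&2; return 2; }
    pw=$(read_os_password "${OS_PASSWORD_FILE:-$HOME/.config/openstack/password}") || return 1
    OS_PASSWORD=$pw "$@"
    rc=$?
    unset pw
    return $rc
}
```

The password is still in the environment of the child process while it runs, so this narrows the exposure Tim describes to the lifetime of one command; it does not remove it.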