[Fwd: options for root and password]

Is there an alternative to the root/password approach to managing hosts (by the engine)? Our preference would be keys/passphrase if that's possible. Thanks in advance.

----- Original Message -----
From: "Hoot Thompson" <hoot@ptpnow.com> To: users@ovirt.org Sent: Tuesday, October 21, 2014 3:52:24 AM Subject: [ovirt-users] [Fwd: options for root and password]
Is there an alternative to the root/password approach to managing hosts (by the engine)? Our preference would be keys/passphrase if that's possible.
IIRC we already allow that, no? In the "new host" dialog you can choose "ssh public key".
Best,
--
Didi

On 21/10/14 09:05, Yedidyah Bar David wrote:
----- Original Message -----
From: "Hoot Thompson" <hoot@ptpnow.com> To: users@ovirt.org Sent: Tuesday, October 21, 2014 3:52:24 AM Subject: [ovirt-users] [Fwd: options for root and password]
Is there an alternative to the root/password approach to managing hosts (by the engine)? Our preference would be keys/passphrase if that's possible.
IIRC we already allow that, no? In the "new host" dialog you can choose "ssh public key".
Best,
Well there is this wiki page:
http://www.ovirt.org/Features/Ssh_Abilities
but it is from 2013 and has this security hole:
"Currently we don't enforce fingerprint validation."
I don't know if this is still valid, I don't find any options regarding public/private keys in oVirt 3.3, but I would be very interested in this topic to tighten security.
--
Kind regards / Regards
Sven Kieske
System Administrator
Mittwald CM Service GmbH & Co. KG
Königsberger Straße 6
32339 Espelkamp
T: +49-5772-293-100
F: +49-5772-293-333
https://www.mittwald.de
Managing Director: Robert Meyer
Tax No.: 331/5721/1033, VAT ID: DE814773217, HRA 6640, Bad Oeynhausen District Court
General partner: Robert Meyer Verwaltungs GmbH, HRB 13260, Bad Oeynhausen District Court

----- Original Message -----
From: "Sven Kieske" <s.kieske@mittwald.de> To: users@ovirt.org Sent: Tuesday, October 21, 2014 10:21:17 AM Subject: Re: [ovirt-users] [Fwd: options for root and password]
On 21/10/14 09:05, Yedidyah Bar David wrote:
----- Original Message -----
From: "Hoot Thompson" <hoot@ptpnow.com> To: users@ovirt.org Sent: Tuesday, October 21, 2014 3:52:24 AM Subject: [ovirt-users] [Fwd: options for root and password]
Is there an alternative to the root/password approach to managing hosts (by the engine)? Our preference would be keys/passphrase if that's possible.
IIRC we already allow that, no? In the "new host" dialog you can choose "ssh public key".
Best,
Well there is this wiki page:
http://www.ovirt.org/Features/Ssh_Abilities
but it is from 2013 and has this security hole:
"Currently we don't enforce fingerprint validation."
I don't know if this is still valid, I don't find any options regarding public/private keys in oVirt 3.3, but I would be very interested in this topic to tighten security.
Please review 3.4 or 3.5, there is full enforcement per ssh fingerprint and you can view the engine public key to be installed within the "Add Host" dialog and use PK authentication.

----- Original Message -----
From: "Sven Kieske" <s.kieske@mittwald.de> To: users@ovirt.org Sent: Tuesday, October 21, 2014 10:21:17 AM Subject: Re: [ovirt-users] [Fwd: options for root and password]
On 21/10/14 09:05, Yedidyah Bar David wrote:
----- Original Message -----
From: "Hoot Thompson" <hoot@ptpnow.com> To: users@ovirt.org Sent: Tuesday, October 21, 2014 3:52:24 AM Subject: [ovirt-users] [Fwd: options for root and password]
Is there an alternative to the root/password approach to managing hosts (by the engine)? Our preference would be keys/passphrase if that's possible.
IIRC we already allow that, no? In the "new host" dialog you can choose "ssh public key".
Best,
Well there is this wiki page:
http://www.ovirt.org/Features/Ssh_Abilities
but it is from 2013 and has this security hole:
"Currently we don't enforce fingerprint validation."
I don't know if this is still valid, I don't find any options regarding public/private keys in oVirt 3.3, but I would be very interested in this topic to tighten security.
I agree. Not sure about the current status.
Note that there are two different issues here:
1. Letting ssh use a key pair instead of a password - already done
2. Verifying the fingerprint, whether input by the user or saved after first login - not sure
--
Didi

On 21/10/14 09:21, Sven Kieske wrote:
On 21/10/14 09:05, Yedidyah Bar David wrote:
----- Original Message -----
From: "Hoot Thompson" <hoot@ptpnow.com> To: users@ovirt.org Sent: Tuesday, October 21, 2014 3:52:24 AM Subject: [ovirt-users] [Fwd: options for root and password]
Is there an alternative to the root/password approach to managing hosts (by the engine)? Our preference would be keys/passphrase if that's possible.
IIRC we already allow that, no? In the "new host" dialog you can choose "ssh public key".
Best,
Well there is this wiki page:
http://www.ovirt.org/Features/Ssh_Abilities
but it is from 2013 and has this security hole:
"Currently we don't enforce fingerprint validation."
I don't know if this is still valid, I don't find any options regarding public/private keys in oVirt 3.3, but I would be very interested in this topic to tighten security.
I found this:
http://www.ovirt.org/OVirt_Administration_Guide#Host_Tasks
"Select an authentication method to use with the host.
1. Enter the root user's password to use password authentication.
2. Copy the key displayed in the SSH PublicKey field to /root/.ssh/authorized_keys on the host to use public key authentication."
I guess this just works from version 3.4 upwards, or also for 3.3? If for 3.3, since which z-stream release?
--
Kind regards / Regards
Sven Kieske

----- Original Message -----
From: "Sven Kieske" <s.kieske@mittwald.de> To: users@ovirt.org Sent: Tuesday, October 21, 2014 10:30:34 AM Subject: Re: [ovirt-users] [Fwd: options for root and password]
On 21/10/14 09:21, Sven Kieske wrote:
On 21/10/14 09:05, Yedidyah Bar David wrote:
----- Original Message -----
From: "Hoot Thompson" <hoot@ptpnow.com> To: users@ovirt.org Sent: Tuesday, October 21, 2014 3:52:24 AM Subject: [ovirt-users] [Fwd: options for root and password]
Is there an alternative to the root/password approach to managing hosts (by the engine)? Our preference would be keys/passphrase if that's possible.
IIRC we already allow that, no? In the "new host" dialog you can choose "ssh public key".
Best,
Well there is this wiki page:
http://www.ovirt.org/Features/Ssh_Abilities
but it is from 2013 and has this security hole:
"Currently we don't enforce fingerprint validation."
I don't know if this is still valid, I don't find any options regarding public/private keys in oVirt 3.3, but I would be very interested in this topic to tighten security.
I found this:
http://www.ovirt.org/OVirt_Administration_Guide#Host_Tasks
"Select an authentication method to use with the host.
1. Enter the root user's password to use password authentication.
2. Copy the key displayed in the SSH PublicKey field to /root/.ssh/authorized_keys on the host to use public key authentication."
I guess this just works from version 3.4 upwards, or also for 3.3? If for 3.3, since which z-stream release?
As far as I remember it is since 3.4.

On 21/10/14 09:21, Sven Kieske wrote:
I don't know if this is still valid, I don't find any options regarding public/private keys in oVirt 3.3, but I would be very interested in this topic to tighten security.
It just turns out this already works in oVirt 3.3.2, maybe even earlier, but I would like to know if the point about host key validation on the mentioned wiki page is still true, as I think this would be CVE-worthy.
--
Kind regards / Regards
Sven Kieske

----- Original Message -----
From: "Sven Kieske" <s.kieske@mittwald.de> To: users@ovirt.org Sent: Tuesday, October 21, 2014 10:40:39 AM Subject: Re: [ovirt-users] [Fwd: options for root and password]
On 21/10/14 09:21, Sven Kieske wrote:
I don't know if this is still valid, I don't find any options regarding public/private keys in oVirt 3.3, but I would be very interested in this topic to tighten security.
It just turns out this already works in oVirt 3.3.2, maybe even earlier, but I would like to know if the point about host key validation on the mentioned wiki page is still true, as I think this would be CVE-worthy.
When a host is added, its ssh fingerprint is recorded in the database and is enforced from this point on. It can be modified only in the Edit Host dialog. You can also pre-fetch the fingerprint before adding the host in the Add Host dialog in order to confirm that it is the correct host; this adds the fingerprint to the database and enforces it when adding the host too.
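The pinning behaviour Alon describes, as an added illustration that is not oVirt's own code: a small Python model in which a host's SSH fingerprint is recorded when the host is added (optionally checked against a fingerprint the operator pre-fetched and confirmed out of band), enforced on every later connection, and replaceable only through an explicit edit. The sample keys are constructed, and `HostKeyPolicy` with its method names is an assumption made for the example.

```python
import base64
import hashlib


def ssh_fingerprint(pubkey_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a "<type> <base64> [comment]" public key line."""
    _key_type, b64 = pubkey_line.split()[:2]
    digest = hashlib.sha256(base64.b64decode(b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class HostKeyPolicy:
    """Illustrative model (not oVirt's code) of the behaviour described in the thread:
    the host's fingerprint is pinned at Add Host time and enforced afterwards."""

    def __init__(self):
        self._pinned = {}  # host name -> pinned fingerprint

    def add_host(self, host, presented_fp, expected_fp=None):
        # expected_fp is the fingerprint the operator pre-fetched and confirmed out of band;
        # when given, the host must present exactly that key or the add is refused.
        if expected_fp is not None and presented_fp != expected_fp:
            raise ValueError(f"{host}: presented {presented_fp} != expected {expected_fp}")
        self._pinned[host] = presented_fp

    def connect(self, host, presented_fp):
        # Enforcement: an unknown host or a changed key is refused, never silently accepted.
        pinned = self._pinned.get(host)
        if pinned is None:
            raise KeyError(f"{host}: not registered, add it first")
        if presented_fp != pinned:
            raise ValueError(f"{host}: host key changed ({presented_fp} != {pinned})")
        return True

    def edit_host(self, host, new_fp):
        # The only sanctioned way to replace a pinned key (the Edit Host dialog in the text).
        if host not in self._pinned:
            raise KeyError(f"{host}: not registered")
        self._pinned[host] = new_fp


def _constructed_key(seed: int) -> str:
    # Constructed sample key: a well-formed ed25519 wire blob with a dummy 32-byte key body.
    blob = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes([seed]) * 32
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " sample@example"


HOST_KEY_A = _constructed_key(1)
HOST_KEY_B = _constructed_key(2)  # a different key, as a reinstalled or impersonated host would present
```

A policy with `connect` that simply recorded whatever key was presented would correspond to the "don't enforce fingerprint validation" state quoted from the 2013 wiki page.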

----- Original Message -----
From: "Alon Bar-Lev" <alonbl@redhat.com> To: "Sven Kieske" <s.kieske@mittwald.de> Cc: users@ovirt.org Sent: Tuesday, October 21, 2014 10:49:02 AM Subject: Re: [ovirt-users] [Fwd: options for root and password]
----- Original Message -----
From: "Sven Kieske" <s.kieske@mittwald.de> To: users@ovirt.org Sent: Tuesday, October 21, 2014 10:40:39 AM Subject: Re: [ovirt-users] [Fwd: options for root and password]
On 21/10/14 09:21, Sven Kieske wrote:
I don't know if this is still valid, I don't find any options regarding public/private keys in oVirt 3.3, but I would be very interested in this topic to tighten security.
It just turns out this already works in oVirt 3.3.2, maybe even earlier, but I would like to know if the point about host key validation on the mentioned wiki page is still true, as I think this would be CVE-worthy.
When a host is added, its ssh fingerprint is recorded in the database and is enforced from this point on. It can be modified only in the Edit Host dialog. You can also pre-fetch the fingerprint before adding the host in the Add Host dialog in order to confirm that it is the correct host; this adds the fingerprint to the database and enforces it when adding the host too.
CC'ing Yaniv Bronheim who was the feature owner for ssh fingerprint usage during host addition. I guess Yaniv can confirm exactly which version it was added.
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
participants (5)
- Alon Bar-Lev
- Hoot Thompson
- Sven Kieske
- Yair Zaslavsky
- Yedidyah Bar David