Generate a random ssh password per kluster #162
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
databus23
force-pushed
the
sshpassword
branch
3 times, most recently
from
296af41 to
9c59703
Compare
BugRoger
approved these changes
Jan 12, 2018
| bootstrapToken: {{ required "missing boostrapToken" .Values.bootstrapToken | b64enc }} | ||
| token.csv: {{ include (print $.Template.BasePath "/_token.csv.tpl") . | b64enc }} | ||
| node-password: {{ required "missing node-password" .Values.nodePassword | b64enc }} |
There was a problem hiding this comment.
Could you also update the chart version to master-1.9.0-kubernikus.1? Even though this is informational only, we can see why Kluster is using which chart version.
🐢 > helm ls 0 ↵
NAME REVISION UPDATED STATUS CHART NAMESPACE
test2-8b25871959204ff1a27605b7bcf873f7 1 Tue Jan 9 11:34:00 2018 DEPLOYED kube-master-1.9.0-kubernikus.0 kubernikus
v6-5d725ddf97664a16b011e8a8dd75772b 1 Fri Jan 12 11:36:08 2018 DEPLOYED kube-master-1.9.0-kubernikus.0 kubernikus-michi
| @@ -61,6 +63,26 @@ func (i *ignition) GenerateNode(kluster *kubernikusv1.Kluster, secret *v1.Secret | |||
| return nil, err | |||
| } | |||
|
|
|||
| //this is the old default for backwards comptibility with clusters that don't have a passwort generated | |||
| //TODO: Remove once all klusters are upgraded | |||
| passwordHash := "$6$rounds=1000000$aldshc,xbneroyw$I756LN/FtceE1deC2H.tGeSdeeelaaZWRwzmbEuO1SANf7ssyPjnbQjlW/FcMvWGUGrhF64tX9fK0abE/4oQ80" | |||
There was a problem hiding this comment.
Thats just the old password salted and hashed 1 million times with sha512. Nothing special.
| //Reason for this is we expose the resulting hash in the metadata service which is not very secure. | ||
| //It takes about 500ms on my workstation to compute this hash. So this means login to a node is also | ||
| // delayed for about a second which should be ok as this password is only meant as a last resort. | ||
| passwordHash, err = passwordCrypter.Generate(nodePassword, append([]byte("$6$rounds=1000000$"), salt...)) |
There was a problem hiding this comment.
How long and complicated is the resulting password? It often needs to be entered in the crappy VPC console without copy-paste...
There was a problem hiding this comment.
Its 12 chars and only characters and numbers. Its ok, I tested it.
| @@ -6,7 +6,7 @@ var Node_1_7 = ` | |||
| passwd: | |||
| users: | |||
| - name: core | |||
| password_hash: xyTGJkB462ewk | |||
| password_hash: {{ .LoginPassword }} | |||
| ssh_authorized_keys: | |||
| - "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAvFapuevZeHFpFn438XMjvEQYd0wt7+tzUdAkMiSd007Tx1h79Xm9ZziDDUe4W6meinVOq93MAS/ER27hoVWGo2H/vn/Cz5M8xr2j5rQODnrF3RmfrJTbZAWaDN0JTq2lFjmCHhZJNhr+VQP1uw4z2ofMBP6MLybnLmm9ukzxFYZqCCyfEEUTCMA9SWywtTpGQp8VLM4INCxzBSCuyt3SO6PBvJSo4HoKg/sLvmRwpCVZth48PI0EUbJ72wp88Cw3bv8CLce2TOkLMwkE6NRN55w2aOyqP1G3vixHa6YcVaLlkQhJoJsBwE3rX5603y2KjOhMomqHfXxXn/3GKTWlsQ== [email protected]" | |||
There was a problem hiding this comment.
I will with the ssh public key PR I'm working on.
SchwarzM
approved these changes
Jan 12, 2018
databus23
force-pushed
the
sshpassword
branch
4 times, most recently
from
1b16def to
2770afc
Compare
BugRoger
approved these changes
Jan 12, 2018
Instead of hardcoding a global password into the ignition template we now generate a random 12 char password for each kluster and use that in the ignition templates for the kluster nodes. Existing klusters that don’t have this are staying on the old hard coded password for now. This password is not exposed anyware at the moment. Its meant as a diagnostic backdoor during the techpreview. We can think about exposing this password to the enduser in the future. Manually tested that this actually works.
databus23
force-pushed
the
sshpassword
branch
from
afa2b05 to
9f51170
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Instead of hardcoding a global password into the ignition template we now generate a random 12 char password for each kluster and use that in the ignition templates for the kluster nodes.
Existing klusters that don’t have this are staying on the old hard coded value for now.
This password is not exposed anyware at the moment. Its meant as a diagnostic backdoor during the techpreview. We can think about exposing this password to the enduser in the future.
Manually tested that this actually works.