Feature #8617
closed
Create / Use SSH Keys so that "root password" is not emailed.
Added by Tommy McNeely over 10 years ago.
Updated over 10 years ago.
Description
Digital Ocean supports the use of SSH Keys for authentication, and they should be used instead of root passwords since they email the account admin the root password on each VM creation. I believe this is done for EC2, so it should be "adaptable" :)
- Assignee set to Tom Caspy
- Status changed from New to Ready For Testing
- Pull request https://github.com/theforeman/foreman-digitalocean/pull/2 added
- Pull request deleted ()
I've tested this on my DO account and it seems to work perfectly.
Do mind that this works just like EC2 - it automatically generates an ssh key for foreman to use when creating the compute resource, and saves the private key in the DB. It is unsafe to have this key on the machine, and it should be revoked by the config management, replaced by other keys, as the requirements may be.
Hmm, you have a point... I was trying to prevent the emailed root password because that is just horrible, but having the private key in the database, whether it's encrypted, obfuscated, or in clear text, is almost as bad. I do think that the SSH private key should be obfuscated some way in the database, but if someone steals the foreman database, and gets the SSH keys, they probably have the ability to decrypt them as well. Perhaps there should be an option to auto-remove the ssh key as part of a finish script? Obviously out of scope for this ticket.
I will have to take a look at this after work (unless Daniel has time)
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
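Added example, not part of the ticket or of the foreman-digitalocean code: one way a finish script or config management run could drop the provisioning key from a host once setup is done, as the comments above suggest. The function name and the file paths are assumptions; it expects the public half of the provisioning key to be available in a file on the host.

```shell
#!/bin/sh
# Added example: remove one provisioning public key from an authorized_keys
# file. Function name and paths are hypothetical, chosen for illustration.
#
# remove_provisioning_key AUTH_FILE PUBKEY_FILE
#   returns 0 if the key was removed, 1 if it was not present, 2 on error.
# Example call (assumed paths):
#   remove_provisioning_key /root/.ssh/authorized_keys /root/provisioning.pub
remove_provisioning_key() {
    auth_file=$1
    pubkey_file=$2
    [ -f "$auth_file" ] && [ -r "$pubkey_file" ] || return 2

    # Field 2 of a public key file is the base64 key blob. Match on the blob,
    # not on the trailing comment, which is free text and may differ per host.
    blob=$(awk 'NF >= 2 && $1 !~ /^#/ { print $2; exit }' "$pubkey_file")
    [ -n "$blob" ] || return 2

    # Write the filtered copy next to the original so mv is an atomic rename.
    tmp=$(mktemp "${auth_file}.XXXXXX") || return 2

    # Drop any line carrying the blob as a whole field. This also catches
    # entries that start with an options prefix such as command="...".
    awk -v blob="$blob" '
        { for (i = 1; i <= NF; i++) if ($i == blob) next; print }
    ' "$auth_file" > "$tmp" || { rm -f "$tmp"; return 2; }

    # Nothing changed: the key was not authorized on this host.
    if cmp -s "$auth_file" "$tmp"; then
        rm -f "$tmp"
        return 1
    fi

    # sshd ignores authorized_keys files with loose permissions.
    chmod 600 "$tmp" && mv "$tmp" "$auth_file" || { rm -f "$tmp"; return 2; }
    return 0
}
```

This only revokes the key's access to the host it runs on; the private key stored in the Foreman database is untouched.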