Feature #8617

closed

Create / Use SSH Keys so that "root password" is not emailed.

Added by Tommy McNeely over 9 years ago. Updated over 9 years ago.

Status: Closed
Priority: Normal

Description

Digital Ocean supports the use of SSH keys for authentication, and they should be used instead of root passwords, since they email the account admin the root password on each VM creation. I believe this is done for EC2, so it should be "adaptable" :)

Actions #1

Updated by Tom Caspy over 9 years ago

  • Assignee set to Tom Caspy
Actions #2

Updated by Tom Caspy over 9 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman-digitalocean/pull/2 added
  • Pull request deleted ()

I've tested this on my DO account and it seems to work perfectly.
Do mind that this works just like EC2: it automatically generates an SSH key for Foreman to use when creating the compute resource, and saves the private key in the DB. It is unsafe to have this key on the machine, and it should be revoked by the config management, replaced by other keys, as the requirements may be.

Actions #3

Updated by Tommy McNeely over 9 years ago

Hmm, you have a point... I was trying to prevent the emailed root password because that is just horrible, but having the private key in the database, whether it's encrypted, obfuscated, or in clear text, is almost as bad. I do think that the SSH private key should be obfuscated in some way in the database, but if someone steals the Foreman database and gets the SSH keys, they probably have the ability to decrypt them as well. Perhaps there should be an option to auto-remove the SSH key as part of a finish script? Obviously out of scope for this ticket.

I will have to take a look at this after work (unless Daniel has time)
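
The finish-script cleanup suggested in the comment above, sketched as an added example that is not part of this ticket or of the foreman-digitalocean plugin: a shell function that drops the provisioning public key from an `authorized_keys` file once the host is built. The function name, the way the key blob reaches the script, and the file path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not the plugin's code): revoke one public key from an
# authorized_keys file at the end of provisioning.
# Assumptions: the script runs as the file's owner (root in a finish script)
# and the base64 blob of the provisioning public key is known to the script,
# for example rendered into the finish template.

# revoke_key FILE KEY_BLOB
# Removes every entry whose key blob equals KEY_BLOB, with or without leading
# options (from="...", command="...") or a trailing comment.
# Returns 0 if an entry was removed, 1 if the key was not present, 2 on error.
revoke_key() {
    file=$1
    blob=$2
    [ -f "$file" ] || return 2
    [ -n "$blob" ] || return 2

    # Temp file in the same directory so the final mv is an atomic rename.
    # mktemp creates it with mode 0600, which suits authorized_keys.
    tmp=$(mktemp "${file}.XXXXXX") || return 2

    # Compare the blob as a whole whitespace-separated field, never as a
    # substring, so a key that merely shares a prefix is left alone.
    awk -v blob="$blob" '
        /^[ \t]*(#|$)/ { print; next }      # keep comments and blank lines
        {
            hit = 0
            for (i = 1; i <= NF; i++) if ($i == blob) hit = 1
            if (hit) { removed++; next }    # drop the matching entry
            print
        }
        END { exit (removed > 0 ? 0 : 1) }
    ' "$file" > "$tmp" && rc=0 || rc=$?

    if [ "$rc" -eq 0 ]; then
        mv "$tmp" "$file" || { rm -f "$tmp"; return 2; }
        return 0
    fi
    rm -f "$tmp"    # nothing matched (or awk failed): leave the file untouched
    [ "$rc" -eq 1 ] && return 1
    return 2
}

# Usage in a finish script (path and variable are placeholders):
#   revoke_key /root/.ssh/authorized_keys "$PROVISIONING_KEY_BLOB"
```

Run it only after the replacement keys are in place, since removing the last working key from root's file locks out SSH access.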

Actions #4

Updated by Anonymous over 9 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100