Security doubt about Windows contextualization

Hi,

I have a doubt about Windows contextualization in KVM. For contextualization to work, the contextualization script makes a CD-ROM with the file context.sh, which holds the context parameters.

The specific problem is the PASSWORD option. In Linux, this option can be suppressed by using SSH keys, but for Windows it's mandatory, to avoid a default password. And the password is there, in clear text (even if you use base64, it is easy to decode). Any user of the VM can read context.sh and get the context parameters, including the password.

A simple solution, it seems to me, would be to eject the CD-ROM after applying the context options. Would this cause any problem?

What do you think about this?

Why not separate your users so they only have permissions to access their own machines, e.g. give them a resource limit, then they can deploy in their own user space as opposed to everyone sharing the same access?

Yes, I do this. But my users share their VMs with their clients, which can be a problem if the Administrator password is stored in a text file available on the CD-ROM.

I solved this for myself by putting this at line 778 of the file c:\programfiles (x86)\opennebula\context.ps1:
(new-object -COM Shell.Application).NameSpace(17).ParseName('D:').InvokeVerb('Eject')
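
The eject step from the post above, as an added example that is not part of the original thread or of OpenNebula's context.ps1: it finds the context CD-ROM by looking for context.sh instead of assuming drive D:, ejects it with the same COM call, and then checks that the file can no longer be read. The function names Get-ContextDrive and Dismount-ContextDrive are hypothetical, and it assumes Windows PowerShell 3.0 or later and that it runs after the password has been applied.

```powershell
# Added example (hypothetical helper names, not OpenNebula code).
# Run at the end of contextualization, once PASSWORD has been applied.

function Get-ContextDrive {
    # DriveType 5 is CD-ROM in Win32_LogicalDisk; DeviceID looks like 'D:'.
    # Pick the first optical drive that actually carries context.sh.
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 5' |
        Where-Object { Test-Path -LiteralPath (Join-Path "$($_.DeviceID)\" 'context.sh') } |
        Select-Object -First 1 -ExpandProperty DeviceID
}

function Dismount-ContextDrive {
    param([Parameter(Mandatory)][string]$DriveLetter)   # e.g. 'D:'

    $shell = New-Object -ComObject Shell.Application
    # 17 is the "This PC" namespace; same call as in the post above.
    $item = $shell.NameSpace(17).ParseName($DriveLetter)
    if ($null -eq $item) {
        throw "Drive $DriveLetter not found in the shell namespace."
    }
    $item.InvokeVerb('Eject')
}

$drive = Get-ContextDrive
if (-not $drive) {
    Write-Output 'No CD-ROM with context.sh found; nothing to eject.'
    return
}

Dismount-ContextDrive -DriveLetter $drive

# The eject verb may return before the tray state changes, so poll briefly.
$contextFile = Join-Path "$drive\" 'context.sh'
$gone = $false
foreach ($attempt in 1..10) {
    if (-not (Test-Path -LiteralPath $contextFile)) { $gone = $true; break }
    Start-Sleep -Seconds 1
}

if ($gone) {
    Write-Output "Ejected $drive; context.sh is no longer readable."
} else {
    Write-Warning "context.sh is still readable on $drive after the eject."
}
```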