Security doubt about Windows contextualization

gbernardes · February 12, 2019, 11:46am

Hi,

I have a doubt about Windows contextualization in KVM. For contextualization works, the contextualization script make a CDROM with file context.sh, where is the parameters of context.

The problem specified is the PASSWORD option. In Linux, this option can suppressed using ssh keys, but for windows it’s mandatory, for avoid default password. And the password is there, in clear text (even if you use base64, is of easy decoding). Any user of VM can read context.sh and get context parameters, includind the password.

A simple solution it seems to me be eject CDROM after apply context options. Would this bring any problem?

What do you think about this?

kingbuffalo · February 19, 2019, 12:14am

Why not separate your users so they only have permissions to access their own machines e.g. give them a resource limit then they can deploy in their own user space as opposed to everyone sharing the same access.

gbernardes · February 20, 2019, 11:45am

Yes, I do this. But my users share your VMs with your clients, which can be a problem, if the Administrator password stored in a text file disponible in the CDROM.

I solved this for me puting this in line 778 of file c:\programfiles (x86)\opennebula\context.ps1:
(new-object -COM Shell.Application).NameSpace(17).ParseName(‘D:’).InvokeVerb(‘Eject’)

Topic		Replies	Views
Per instance contexts Community Support	4	990	August 24, 2015
Context password for vm VM Configuration / Contextualization	7	5095	May 26, 2021
Windows password ignored VM Configuration / Contextualization	1	549	March 5, 2021
vCenter Windows Contextualization fails - "No Context CDROM found" Community Support	1	657	August 1, 2017
Contextualization not passing password to VM Community Support	3	395	July 18, 2022

Security doubt about Windows contextualization

Related topics