Docs recommend insecure configuration option
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Security Advisory | Won't Fix | Undecided | Unassigned | |
OpenStack Security Notes | Fix Released | High | Nathan Kinder | |
openstack-manuals | Fix Released | Critical | Anne Gentle | |
Bug Description
From Daniel Berrange:
---------
I just came across the following docs for configuring migration with
nova+libvirt+kvm
http://
http://
At point 7 the docs say
7. Update the libvirt configurations. Modify the /etc/libvirt/
before : #listen_tls = 0
after : listen_tls = 0
before : #listen_tcp = 1
after : listen_tcp = 1
add: auth_tcp = "none"
Modify the /etc/init/
before : exec /usr/sbin/libvirtd -d
after : exec /usr/sbin/libvirtd -d -l
What this does is tell the libvirt daemon to listen for client TCP connections
on all network interfaces, and accept any clients performing absolutely
zero authentication.
Sure this works for migration, but it also allows anyone on the network
to be able to completely own all your compute hosts, by invoking whatever
libvirt API calls they like.
This is equivalent to telling someone to configure SSH to allow root
logins with no passwords or keys at all. Actually it is worse because
as well as killing authentication, it kills any encryption too.
Libvirt has a choice of 4 secure options for remote access over TCP
- SSH tunnel to libvirtd's UNIX socket
- libvirtd TCP socket, with GSSAPI/Kerberos for auth+data encryption
- libvirtd TCP socket, with TLS for encryption and x509 client
certs for authentication
- libvirtd TCP socket, with TLS for encryption and Kerberos for
authentication
Documenting any of these setups would be better than what's there
now, which needs to be removed asap.
I don't know whether these docs are the current supported / preferred
docs for this - they're just what I found via google. If we have other
docs covering migration setup, they should be checked too.
----------------
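A check for the combination described in the report above, added here as an example; it is not part of the original bug report, nor OpenStack or libvirt code. The function names (`parse_conf`, `listens`, `audit`) are hypothetical, the sample input is constructed from the step 7 settings quoted in the report, and the defaults table assumes a stock libvirtd.conf.

```python
import re

# Constructed sample: the libvirtd.conf lines from step 7 quoted in the report.
SAMPLE_CONF = 'listen_tls = 0\nlisten_tcp = 1\nauth_tcp = "none"\n'

# Assumed stock libvirtd.conf defaults, used when a key is absent or commented out.
DEFAULTS = {"listen_tls": "1", "listen_tcp": "0", "auth_tcp": "sasl"}

def parse_conf(text):
    """Effective settings: defaults overridden by uncommented key = value lines."""
    settings = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments (simplified parser)
        m = re.match(r'^(\w+)\s*=\s*"?([^"]*)"?$', line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings

def listens(cmdline):
    """True if the daemon command line passes -l / --listen."""
    return any(t == "--listen" or (re.fullmatch(r"-[A-Za-z]+", t) and "l" in t)
               for t in cmdline.split())

def audit(conf_text, cmdline):
    """Return findings for the remote-access settings discussed in the report."""
    s = parse_conf(conf_text)
    if not listens(cmdline):
        # Assumes the traditional (non-socket-activated) daemon, which only
        # opens its TCP/TLS sockets when started with --listen.
        return []
    findings = []
    if s["listen_tcp"] == "1" and s["auth_tcp"] == "none":
        findings.append("CRITICAL: listen_tcp=1 with auth_tcp=none: "
                        "no authentication and no encryption")
    elif s["listen_tcp"] == "1":
        findings.append("REVIEW: plain TCP socket; confirm auth_tcp=%s uses "
                        "GSSAPI/Kerberos" % s["auth_tcp"])
    if s["listen_tls"] == "0" and s["listen_tcp"] == "1":
        findings.append("INFO: TLS listener disabled while TCP is enabled")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF, "exec /usr/sbin/libvirtd -d -l"):
        print(finding)
```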
Changed in ossa:
status: New → Incomplete
Changed in ossn:
assignee: nobody → Nathan Kinder (nkinder)
importance: Undecided → High
status: New → In Progress
Changed in openstack-manuals:
importance: Undecided → Critical
information type: Public Security → Public
Changed in openstack-manuals:
status: New → Fix Released
assignee: nobody → Anne Gentle (annegentle)
Changed in openstack-manuals:
status: Fix Released → In Progress
This is not something that gets fixed by upgrading, so not OSSA territory. I would very much like to see an OSSN about this though.
I would also argue that making this public ASAP would help more than it hurts.