One mode of authentication for an instance is the use of a password. For example, to log in to a Windows instance, users must begin a session via RDP and provide an administrator login and a password. If this password was not supplied on the command line, it can be generated by the instance itself (for example, if it uses cloudbase-init).
Before launching an instance, the user can specify an SSH public key, including for Windows instances. If the password is generated by the instance, it is encrypted with this public key before being sent to the OpenStack metadata server.
Until now, to retrieve a password, the user had to:
where private_key.pem is the private key used to decrypt the password.
For a user based exclusively on Windows, this process is quite long-winded, particularly filling in the environment variables one at a time in the advanced system parameters and using the Windows terminal. To simplify the password retrieval process as much as possible, Cloudwatt submitted a blueprint for Horizon. It has been implemented by Ala Rezmerita and is now available in Icehouse.
This new function can be activated by adding the following line:
OPENSTACK_ENABLE_PASSWORD_RETRIEVE = True
After having booted an instance, the user will find a new “retrieve password” link:
This link opens the following modal:
The user can then enter their private key and decrypt the password.
The decryption happens client-side, in the user’s browser. This means that the private key is never sent to the cloud administrator.
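The local decryption step described above, sketched in JavaScript as an added example (this is not Horizon's code). It assumes the instance encrypts with RSA PKCS#1 v1.5 and base64-encodes the result; the function names, key pair and password are constructed for illustration.

```javascript
// Added example: key pair and password are constructed for illustration.
const crypto = require("node:crypto");

// Square-and-multiply modular exponentiation on BigInt (not constant-time).
function modPow(base, exp, mod) {
  let result = 1n;
  base %= mod;
  while (exp > 0n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
    exp >>= 1n;
  }
  return result;
}
const b64urlToBigInt = (s) => BigInt("0x" + Buffer.from(s, "base64url").toString("hex"));

// Instance side (assumed scheme): RSA PKCS#1 v1.5 with the public key, then base64.
function encryptForMetadata(publicKeyPem, password) {
  return crypto.publicEncrypt(
    { key: publicKeyPem, padding: crypto.constants.RSA_PKCS1_PADDING },
    Buffer.from(password, "utf8")
  ).toString("base64");
}

// User side: uses only local data, so the private key is never transmitted.
function decryptPassword(privateKeyPem, encryptedB64) {
  const jwk = crypto.createPrivateKey(privateKeyPem).export({ format: "jwk" });
  const n = b64urlToBigInt(jwk.n), d = b64urlToBigInt(jwk.d);
  const c = BigInt("0x" + Buffer.from(encryptedB64, "base64").toString("hex"));
  if (c >= n) throw new Error("ciphertext does not match this key");
  const k = Buffer.from(jwk.n, "base64url").length; // modulus size in bytes
  const em = Buffer.from(modPow(c, d, n).toString(16).padStart(2 * k, "0"), "hex");
  // Expected block: 0x00 0x02 <at least 8 nonzero pad bytes> 0x00 <message>
  const sep = em.indexOf(0, 2);
  if (em[0] !== 0 || em[1] !== 2 || sep < 10) throw new Error("wrong key or corrupt data");
  return em.subarray(sep + 1).toString("utf8");
}

function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", {
    modulusLength: 2048,
    publicKeyEncoding: { type: "spki", format: "pem" },
    privateKeyEncoding: { type: "pkcs1", format: "pem" },
  });
  const blob = encryptForMetadata(publicKey, "Constructed-Passw0rd!");
  return { blob, privateKey, password: decryptPassword(privateKey, blob) };
}
console.log(demo().password);
```

The hand-written RSA arithmetic is there to make the padding check visible; production code should rely on a vetted library for the private-key operation.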
The user can now log in:
Thus, the user needed only their browser to retrieve the password.
We are continually improving the user experience on Windows. For example, we have submitted a blueprint which proposes a link to download a .rdp configuration file. Users simply double-click this file to open the RDP connection window which is preconfigured with the right IP address and login. This is currently being implemented.