The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/3470
This e-mail was sent by the LXC bot; direct replies will not reach the author unless they happen to be subscribed to this list.

=== Description (from pull-request) ===

Fixes #3448

This renames the documentation file as suggested and extends it with answers from comments.
From 8d2b5dc3d59df930526bcbb5b6501ca8f9a20110 Mon Sep 17 00:00:00 2001 From: Alberto Donato <alberto.don...@canonical.com> Date: Fri, 30 Jun 2017 11:25:10 +0200 Subject: [PATCH] Extend/rework security-related documentation. --- doc/api-extensions.md | 2 +- doc/debugging.md | 2 +- doc/{lxd-ssl-authentication.md => security.md} | 28 +++++++++++++++++++++++--- 3 files changed, 27 insertions(+), 5 deletions(-) rename doc/{lxd-ssl-authentication.md => security.md} (82%) diff --git a/doc/api-extensions.md b/doc/api-extensions.md index a27bdd0d1..a54b4d101 100644 --- a/doc/api-extensions.md +++ b/doc/api-extensions.md @@ -37,7 +37,7 @@ This indicates support for PKI authentication mode. In this mode, the client and server both must use certificates issued by the same PKI. -See lxd-ssl-authentication.md for details. +See security.md for details. ## container\_last\_used\_at A last\_used\_at field was added to the /1.0/containers/\<name\> GET endpoint. diff --git a/doc/debugging.md b/doc/debugging.md index 27bd20be3..6f1fbea20 100644 --- a/doc/debugging.md +++ b/doc/debugging.md @@ -38,7 +38,7 @@ See [rest-api.md](rest-api.md) for available API. ### REST API through HTTPS -[HTTPS connection to LXD](lxd-ssl-authentication.md) requires valid +[HTTPS connection to LXD](security.md) requires valid client certificate, generated in `~/.config/lxc/client.crt` on first `lxc remote add`. This certificate should be passed to connection tools for authentication and encryption. diff --git a/doc/lxd-ssl-authentication.md b/doc/security.md similarity index 82% rename from doc/lxd-ssl-authentication.md rename to doc/security.md index 70ed7bcf2..52d5bbe84 100644 --- a/doc/lxd-ssl-authentication.md +++ b/doc/security.md 
@@ -19,10 +19,13 @@ they're launched. The server will use that for all https connections to the LXD socket and the client will use its certificate as a client certificate for any client-server communication. +To cause certificates to be regenerated, simply remove the old ones, new ones +will be created on the next connection. + # Adding a remote with a default setup -In the default setup, when the user adds a new server with "lxc remote -add", the server will be contacted over HTTPs, its certificate -downloaded and the fingerprint will be shown to the user. +In the default setup, when the user adds a new server with `lxc remote add`, +the server will be contacted over HTTPs, its certificate downloaded and the +fingerprint will be shown to the user. The user will then be asked to confirm that this is indeed the server's fingerprint which they can manually check by connecting to or asking @@ -75,6 +78,13 @@ pre-generated files. After this is done, restarting the server will have it run in PKI mode. +# Managing trusted clients +The list of certificates trusted by a LXD server can be obtained with `lxc +config trust list`. + +To revoke trust to a client its certificate can be removed with `lxc config +trust remove FINGERPRINT`. + # Password prompt To establish a new trust relationship, a password must be set on the server and send by the client when adding itself. @@ -112,3 +122,15 @@ trusted. This happens if another trusted client or the local server administrator removed the trust entry on the server. + + +# Production setup +For production setup, it's reccomended that `core.trust_password` is unset +after all clients have been added. + +This prevents brute-force attacks trying to guess the password. + +Also, `core.https_address` should be set to the single address where the server +should be available (rather than any address on the host), and firewall rules +should be set to only allow access to the LXD port from authorized +hosts/subnets.
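Review bot: in the first security.md hunk (`@@ -19,10 +19,13 @@`), the added paragraph "To cause certificates to be regenerated, simply remove the old ones, new ones will be created on the next connection." says neither which files are meant nor what removing them costs, and it is a comma splice. Removing the server certificate changes the fingerprint that every existing client verified at `lxc remote add`, so those clients will have to remove and re-add the remote; removing the client certificate produces a key the server has not trusted, so the client has to be re-added (with the trust password, or by a still-trusted client). Suggest naming the files and spelling out the consequence, e.g. "To regenerate a certificate, remove the old key and certificate files; new ones are created on the next connection. Existing trust relationships based on the old certificate are lost." The reflowed `lxc remote add` sentence in the same hunk also still writes "HTTPs"; "HTTPS" is the standard spelling.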
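Review bot: in the "Managing trusted clients" hunk (`@@ -75,6 +78,13 @@`), "To revoke trust to a client" should read "To revoke a client's trust", and "a LXD server" should be "an LXD server". It would also help the reader to say that the FINGERPRINT argument to `lxc config trust remove` is the fingerprint printed by `lxc config trust list`, and to point at the paragraph later in this file about the client being told it is no longer trusted ("This happens if another trusted client or the local server administrator removed the trust entry on the server"), since that is the client-side effect of the command documented here.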
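Review bot: in the "Production setup" hunk (`@@ -112,3 +122,15 @@`), "reccomended" is misspelled ("recommended"), and the new heading is preceded by two blank lines where the rest of the file uses one. The advice would be more actionable with the actual commands: unsetting the password is `lxc config unset core.trust_password`, and binding to a single address is `lxc config set core.https_address ADDRESS:8443` (8443 being the default LXD port, which the firewall sentence should name as well). Worth adding one sentence that unsetting the password does not lock out future clients: it can be set again temporarily when a new client must be enrolled, then unset once the client is in the trust list.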
_______________________________________________ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel