Daan,

For us and, I guess, for many other public cloud and VPS providers it is a very big
hole.
Imagine that 10-20 Chinese guys have made fraudulent orders and 10-20 VPSes are
provisioned.
We deal with fraudulent orders on a daily basis.
Some time later the abusers get caught in the act and the VPSes are terminated.
If your customer growth is considerable, most probably one or more of the IPs will
be given to new customers during the same day.
Newly created instances then get the abusers' keys and root passwords.
If the new instance uses only keys, the root password will never be changed.
Abusers just need to log in with their old passwords and the bitcoin mining or spamming
will start again.
Some of the smarter customers are able to connect the dots and the service provider's
reputation will be seriously damaged.


Lugupidamisega / Regards
 
Kristian Liivak

Tegevjuht / Executive director

WaveCom As
Endla 16, 10142 Tallinn
Estonia
Tel: +3726850001
Gsm: +37256850001
E-mail: k...@wavecom.ee
Skype: kristian.liivak
http://www.wavecom.ee
http://www.facebook.com/wavecom.ee
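As an added illustration (example code written for this thread, not CloudStack's or WaveCom's code; the per-IP record layout, the field names and the 203.0.113.x addresses are constructed assumptions), here is a toy model of a virtual router's password/ssh-key store that reproduces the leftover described above and shows the two things a provider would want: purging the record when the instance is expunged, and a reconciliation pass that compares the VR's records with the orchestrator's list of active VMs so nothing stale survives an IP reassignment.

```python
# Added example, not CloudStack code: a toy model of a virtual router (VR)
# secret store keyed by guest IP, the IP-reuse leftover, and two mitigations.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class VrSecretStore:
    """Per-IP guest secrets as a VR might hold them (assumed layout: one
    record per guest IP with the owning VM id, root password and ssh key)."""
    records: Dict[str, dict] = field(default_factory=dict)
    purge_on_expunge: bool = True  # False reproduces the behaviour reported above

    def provision(self, ip: str, vm_id: str,
                  root_password: Optional[str] = None,
                  ssh_public_key: Optional[str] = None) -> None:
        # Only the fields the orchestrator sends are written; anything already
        # present for that IP is left alone, which is what makes leftovers dangerous.
        rec = self.records.setdefault(ip, {})
        rec["vm_id"] = vm_id
        if root_password is not None:
            rec["root_password"] = root_password
        if ssh_public_key is not None:
            rec["ssh_public_key"] = ssh_public_key

    def expunge(self, ip: str) -> None:
        # Mitigation 1: drop the record together with the instance.
        if self.purge_on_expunge:
            self.records.pop(ip, None)
        # else: the record stays behind for the next VM that receives this IP

    def guest_fetch(self, ip: str) -> dict:
        """What a booting guest gets back when it asks the VR for its password
        and ssh key; it can only identify itself by source IP."""
        rec = self.records.get(ip, {})
        return {"root_password": rec.get("root_password"),
                "ssh_public_key": rec.get("ssh_public_key")}


def find_stale_entries(store: VrSecretStore, active_vms: Dict[str, str]) -> List[str]:
    """Mitigation 2: reconcile the VR store against the orchestrator's view
    (ip -> vm_id). Any IP the orchestrator has no VM for, or has assigned to a
    different VM id, is stale and must not be handed to the next tenant."""
    return sorted(ip for ip, rec in store.records.items()
                  if active_vms.get(ip) != rec.get("vm_id"))


def purge_stale_entries(store: VrSecretStore, active_vms: Dict[str, str]) -> List[str]:
    """Remove every stale record and report which IPs were cleaned."""
    stale = find_stale_entries(store, active_vms)
    for ip in stale:
        del store.records[ip]
    return stale


def ip_reuse_scenario(purge_on_expunge: bool) -> dict:
    """Constructed scenario: an abuser's VM on 203.0.113.10 is expunged and the
    IP is handed to a key-only tenant the same day. Returns what the new guest
    receives from the VR."""
    store = VrSecretStore(purge_on_expunge=purge_on_expunge)
    store.provision("203.0.113.10", "vm-abuser", root_password="abuser-pw",
                    ssh_public_key="ssh-ed25519 AAAA...abuser")
    store.expunge("203.0.113.10")
    # The new tenant is provisioned with a key only; no password reset requested.
    store.provision("203.0.113.10", "vm-new-tenant",
                    ssh_public_key="ssh-ed25519 AAAA...tenant")
    return store.guest_fetch("203.0.113.10")


if __name__ == "__main__":
    print("no purge on expunge:", ip_reuse_scenario(purge_on_expunge=False))
    print("purge on expunge:   ", ip_reuse_scenario(purge_on_expunge=True))
```

With `purge_on_expunge=False` the new, key-only guest still receives the abuser's `root_password`, exactly the situation the thread describes; with purging enabled it receives no password at all. The reconciliation function is the safety net for the case where the purge is missed: run it before an IP goes back into the free pool, and anything the orchestrator no longer owns is removed.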

----- Original Message -----
From: "Daan Hoogland" <daan.hoogl...@gmail.com>
To: "users" <users@cloudstack.apache.org>
Cc: "dev" <d...@cloudstack.apache.org>
Sent: Monday, January 15, 2018 1:49:04 PM
Subject: Re: [DISCUSS] Freezing master for 4.11

Kristian,



On Mon, Jan 15, 2018 at 11:49 AM, Kristian Liivak <k...@wavecom.ee> wrote:
> ...



As for this one:

> Also there is major security hole. When instance is destroyed and expunged
> and new instance is created with old IP all old data is unaffected in VR
> New instance will get then old root password and ssh key if they were
> present in VR

I don't see how this is a security issue. The user won't get in and
update the key and password to get in. No harm done or am I overlooking
something?


-- 
Daan
