
Re: Allowing login via (serial) console by default



As I said I grant the trade off is debatable but the value of not having
passwordless root on the console is non-zero.

I am coming around to the view that the security delta is small and
the convenience delta is high.

On Thu, Dec 13, 2018 at 09:39:30PM +0000, Jeremy Stanley wrote:
:On 2018-12-13 22:21:54 +0100 (+0100), Thomas Goirand wrote:
:> On 12/13/18 11:28 AM, Bastian Blank wrote:
:> > On Mon, Dec 10, 2018 at 09:13:59AM -0500, Jonathan D. Proulx wrote:
:> >> As a private cloud operator it may be useful for me to have privileged
:> >> console access to all my users' VMs but it's not a good line to break by
:> >> default.
:> > 
:> > As operator you have by definition all access.
:> 
:> A customer could setup hard drive encryption, in which case I would have
:> zero access.
:
:How are they supplying the decryption key if not through channels
:under your control to sniff/MitM and then reuse to decrypt it
:yourself? Not to mention the key has to be in kernel memory, which
:you can dump from the hypervisor you manage.

This again assumes a monolithic bad actor.  Either the provider being
systemically bad or the bad actor having full access at all levels. 

A support tech may have access to network consoles via some API but
not the physical hypervisor.

Or an outside attacker may gain access to the network serial
consoles but not the hypervisors. I managed to screw this up early on
and expose a subset of VNC consoles to the internet.

In these cases if there's no password they have access to the running
VM in all its decrypted glory.

The obvious attack here is to reboot and tweak boot settings to
init=/bin/sh or something which is often possible. That could be
mitigated with boot loader or bios settings that make that harder to
get and requiring interactive decryption would thwart this attack
(though programmatically encrypted volumes would presumably be
programmatically decrypted)

Requiring hands on to type LUKS passwords on boot isn't very "cloudy"
so anyone going that step of paranoid can reasonably be expected to
take other non-default steps as well.

So perhaps the only practical advantage is that a system reboot is a
louder signal than a console login and more likely to be in the
default set of things people alarm on.

-Jon

:I can understand, as a long-time systems administrator myself, that
:there is a guttural knee-jerk reaction to having root access on a
:serial line or local console with no authentication, but in the case
:of virtual machines I just remind myself that if you can't trust the
:operators of the environment then you can't trust the workloads you
:put there either (much like unmonitored physical access to colocated
:machines).
:-- 
:Jeremy Stanley
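Added example for the "reboot is a louder signal" point above; this is not code from the thread. It scans constructed syslog-style lines for root logins on the local/serial console (login(1) reports these "by LOGIN", unlike sshd) and flags those that follow a kernel boot message within an assumed 300 s window.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample lines in syslog style (not taken from any real host).
SAMPLE_LOG = """\
Dec 13 21:40:02 vm1 login[812]: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Dec 13 21:41:10 vm1 sshd[901]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Dec 13 21:55:31 vm1 kernel: Linux version 4.19.0-1-cloud-amd64 (debian-kernel@lists.debian.org)
Dec 13 21:56:04 vm1 login[640]: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
"""

STAMP = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")
# Root session opened by the console login program (tty/serial), not by sshd.
CONSOLE_ROOT = re.compile(r"^login\[\d+\]: pam_unix\(login:session\): session opened for user root by LOGIN")
# First kernel line after a (re)boot.
BOOT = re.compile(r"^kernel: Linux version ")

Event = Tuple[datetime, str, str]  # (timestamp, host, kind)

def parse_events(log: str) -> List[Event]:
    """Return boot and root-console-login events in log order; other lines are ignored."""
    events: List[Event] = []
    for line in log.splitlines():
        m = STAMP.match(line)
        if not m:
            continue
        kind: Optional[str] = None
        if BOOT.match(m["rest"]):
            kind = "boot"
        elif CONSOLE_ROOT.match(m["rest"]):
            kind = "root_console_login"
        if kind:
            # Syslog stamps carry no year; deltas within one day are still correct.
            events.append((datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["host"], kind))
    return events

def alerts(log: str, window_s: int = 300) -> List[str]:
    """One alert per root console login, marked post-reboot when a boot of the
    same host precedes it by at most window_s seconds (assumed window)."""
    out: List[str] = []
    last_boot: Dict[str, datetime] = {}
    for ts, host, kind in parse_events(log):
        if kind == "boot":
            last_boot[host] = ts
            continue
        boot = last_boot.get(host)
        if boot is not None and 0 <= (ts - boot).total_seconds() <= window_s:
            out.append(f"{host}: root console login {int((ts - boot).total_seconds())}s after reboot")
        else:
            out.append(f"{host}: root console login with no recent reboot")
    return out
```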
