799778 - Create a framework to reset passwords automatically from various interfaces

Status: RESOLVED WONTFIX

(Cloud Services :: Operations: Miscellaneous, task)

Description

[Guillaume Destuynder [:kang] [this account is no longer active]]

We need a framework with pluggable modules to reset passwords from various interfaces.

Different services have different ways to change passwords, hence the modular approach.

The framework and modules/plugins must be rigorous and record the password state before and after change, and fail if the state hasn't changed. The checks are very important, not only security wise, but also because changing passwords without properly recording them can make accessing 1000 machines with an unknown password login, hell.

Example modules:
- change password or password hash in puppet's secret module
- change password in a web ui, via HTTP requests
- same, via JSON,XML,etc.
- change via SSH/Shell commands
- etc.

It's probably a good idea to have a command line tool for this, that takes the type and address as parameter, so that this tool can be called with large list of ips externally (else, it has to also include the logic for reading list of ips with corresponding services)

It would also be a good idea to include the password generator, and saving mechanism (in a gpg'd text file would be fine, ready to commit to svn). Passwords can generated from random resources, for example via "openssl rand -base64 32", or by reading /dev/random.

Note that this has been discussed with :gene, and is neither a request or goal.

However, this framework would help us all as it makes resetting all or a set of password fast and simple (while right now, its borderline impossible due to the amount of systems/complexity of the uis)

Finally, note that if there is any good prior art or suggestions here, it'd be welcome.

Comment 1

[Gene Wood [:gene]]

This would be very useful. It isn't currently taking priority over other work. Feel free to lobby for this being a priority and we can open it back up. For the time being I think this goes on the back burner.

Comment 2

[Gene Wood [:gene]]

Including content from duplicate ticket Bug 813342:

As discussed, this is a bug to track the features & other things related to the password change API.
What is it?
--
A framework with modules, which allow changing passwords set on different devices (via telnet, ssh, web pages, etc.) automatically, "en masse".
We should also be able to change usernames if necessary.
What does the process look like?
--
The password change mechanism should be very reliable, as a failure may revoke our access to a device.
* the tool must be initiated manually (key or password require to open the password file), the change all the desired password automatically (by type, ip range, etc.)
* check before changing the passwords, that the interface is up, if not, report the error.
* attempt to login to the interface, if it fails, report the error.
* generate a random, secure password. The type of password should be set in the module (length, allowed characters)
* save the password in a secure database
** check how are we defining "secure database"
* attempt to change the password (using a safe mechanism if available, such as transactions) to the new password, if it fails, report the error.
* attempt to login again with the new password. if it fails, report the error.
Upon completion, the passwords should be deleted from memory (ram) and only kept encrypted. The host/server should not be able to decrypt the file without user interaction (or possibly, the user also upload the file)
What should the API/Framework provide?
--
* password generator with optional length, allowed character. Must use true random. (/dev/random)
* Password encryption/decryption (gpg is fine)
* Ready to use module templates, or helper functions, for common interfaces (telnet, ssh, html probably)
* If possible: Ability to wipe data from memory and make sure its only retaining in ram (such as mlock() ) - python does not support this
Note: the lists above are non-exhaustive