[CentOS-devel] password ssh-ing in Centos/7 Vagrant box

Thu Oct 6 18:30:31 UTC 2016
Laurențiu Păncescu <lpancescu at gmail.com>

Hi Rafal,

On Thu, Oct 6, 2016 at 5:57 PM, Rafal Skolasinski <r.j.skolasinski at gmail.com> wrote:

> Thanks for the detailed information! I am using playbooks to create vms on a
> remote host and then I want to run another playbook to configure them.
>

For me, the most amazing feature of Vagrant was to be able to use just one
Vagrantfile to control both local development VMs and production servers,
and to change from one to the other with just one command. There are
Vagrant plugins for pretty much every provider with an API: big "cloud"
providers like AWS, Google Cloud or Azure, VPS hosters like Digital Ocean,
Vultr or Linode, and also other cloud solutions like OpenShift, OpenStack
and CloudStack. You can also use the libvirt plugin with both local and
remote servers; it comes with plugins for most virtualization providers and
Docker, and there's even a plugin for dedicated servers (when there's no
API for controlling their creation and destruction). Being able to do:

vagrant up --provider virtualbox
vagrant up --provider aws
vagrant up --provider digitalocean

and move seamlessly between providers, provisioning everything with
Ansible, is just priceless. I wouldn't go back to plain Ansible and writing
dynamic inventory scripts.


> I want to enable password authentication only for a moment of initial
> configuration and then disable it again - I believe this should[n't] cause
> any security risk.
>

The risk is small, but not zero. If someone's script hits your server in a
critical moment, your server becomes his. This is not just theoretical:
during Blaster (a Windows worm), a former colleague had installed Windows
2000 more than 12 times, and went directly to download the hotfix from
Microsoft, which took less than a minute - and got infected every single
time. And I've heard people complaining about getting hacked in the first 5
minutes after imaging a new Linux VPS, before they had the time to disable
password logins (they had chosen their own passwords - apparently not that
unique). But that's for you to decide - good luck! :)

Best regards,
Laurențiu