stabeek
2010-Oct-12 10:39 UTC
[Xen-users] special passwords for xenserver direct console, could it be?
Hi, Would appreciate any comments on the following scenario. Thanks in advance. I''m a newcomer to xen and have received a machine with several VMs running on it. I also have the root passwords to the VMs at keast one of which I can log into as root via ssh. I can also connect a keyboard and screen directly to the machine and I get a XenServer Management console coming up in ncurses style. However the root password I use for ssh is rejected by this Mgmt console when I select and request login into the machine I just ssh''d into. The possibility of the Xenserver Mgmt console needing a different typoe of root password is not impossible (i''m new to xen, so I tend to expect and believe anything), but at the same time it not hugely conventional. Having two types of "root passwords" ... well ... I suppose one could get used to it, but it will cause not a little confusion. I decided that it can''t be, so I checked and re-checked my typing and the keyboard to make sure it enters what I typed. One thing this Mgmt console can''t do is allow non-root access. You overwrite the UID part (it allows you to overwrite "root") and you ente a valid username for the VM in question, and it says "only root can log in here" or something to that effect. Grateful for any comments. Many thanks. _______________________________________________ Xen-users mailing list Xen-users@lists.xensource.com http://lists.xensource.com/xen-users
Craig Miskell
2010-Oct-12 19:37 UTC
Re: [Xen-users] special passwords for xenserver direct console, could it be?
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 stabeek wrote:> Hi, > Would appreciate any comments on the following scenario. Thanks in advance. > I''m a newcomer to xen and have received a machine with several VMs > running on it. I also have the root passwords to the VMs at keast one of > which I can log into as root via ssh. > I can also connect a keyboard and screen directly to the machine and I > get a XenServer Management console coming up in ncurses style. > However the root password I use for ssh is rejected by this Mgmt console > when I select and request login into the machine I just ssh''d into. > The possibility of the Xenserver Mgmt console needing a different typoe > of root password is not impossible (i''m new to xen, so I tend to expect > and believe anything), but at the same time it not hugely conventional. > Having two types of "root passwords" ... well ... I suppose one could > get used to it, but it will cause not a little confusion. > I decided that it can''t be, so I checked and re-checked my typing and > the keyboard to make sure it enters what I typed. > One thing this Mgmt console can''t do is allow non-root access. You > overwrite the UID part (it allows you to overwrite "root") and you ente > a valid username for the VM in question, and it says "only root can log > in here" or something to that effect. > Grateful for any comments. Many thanks.Hi, This is quite normal. The host running the XenServer Mgmt console is a much more trusted server than the guests; in essence, connecting through the host gives you full access to the guests. The reverse is not true. So, in some scenarios that may be a large part of the design (untrusted guests under the control of non-local people), where having the same root password would be inadvisable. You are quite entitled to set the root password on the management console to be the same as the guests, but there''s no connection between them, by design. - -- Craig Miskell Senior Systems Administrator Opus International Consultants Phone: +64 4 471 7209 Real programmers program by whistling down the MIC IN port of a ZX80. - Adrian Millett -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAky0uRQACgkQmDveRtxWqnY6MACgoKqXXNSXmBDzn9bIibeSqN79 x0oAoLLX/+CCwBN1F2BTg5bnqx2h6fq7 =H20z -----END PGP SIGNATURE----- _______________________________________________ Xen-users mailing list Xen-users@lists.xensource.com http://lists.xensource.com/xen-users
stabeek
2010-Oct-13 14:13 UTC
Re: [Xen-users] special passwords for xenserver direct console, could it be?
Many thanks Craig for your answer. I got enlightened to a fact from the reply: that though XenServer Mgmt Console might seem to ask for the root password of a VM, by virtue of being in the List VirtualMachines part of the menu-tree, it in fact wants the same XenServer Mgmt root password, not the VM root PWD. The upshot being that having the root passwords of the individual VMs is only part of the admin access, and that the Xenserver root password is just as, maybe even more, important. Well, I am not in that position, so I must consider restting the password as per this link. http://xtravirt.com/how-reset-root-password-citrix-xenserver-5 By way of conclusion (unless anybody corrects/contradicts), that would appear to be the best course of action. Cheers! Craig Miskell writes:> -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > stabeek wrote: >> Hi, >> Would appreciate any comments on the following scenario. Thanks in advance. >> I''m a newcomer to xen and have received a machine with several VMs >> running on it. I also have the root passwords to the VMs at keast one of >> which I can log into as root via ssh. >> I can also connect a keyboard and screen directly to the machine and I >> get a XenServer Management console coming up in ncurses style. >> However the root password I use for ssh is rejected by this Mgmt console >> when I select and request login into the machine I just ssh''d into. >> The possibility of the Xenserver Mgmt console needing a different typoe >> of root password is not impossible (i''m new to xen, so I tend to expect >> and believe anything), but at the same time it not hugely conventional. >> Having two types of "root passwords" ... well ... I suppose one could >> get used to it, but it will cause not a little confusion. >> I decided that it can''t be, so I checked and re-checked my typing and >> the keyboard to make sure it enters what I typed. >> One thing this Mgmt console can''t do is allow non-root access. You >> overwrite the UID part (it allows you to overwrite "root") and you ente >> a valid username for the VM in question, and it says "only root can log >> in here" or something to that effect. >> Grateful for any comments. Many thanks. > Hi, > This is quite normal. The host running the XenServer Mgmt console is a much > more trusted server than the guests; in essence, connecting through the host > gives you full access to the guests. The reverse is not true. So, in some > scenarios that may be a large part of the design (untrusted guests under the > control of non-local people), where having the same root password would be > inadvisable. > > You are quite entitled to set the root password on the management console to be > the same as the guests, but there''s no connection between them, by design. > > - -- > Craig Miskell > Senior Systems Administrator > Opus International Consultants > Phone: +64 4 471 7209 > Real programmers program by whistling down the MIC IN port of a ZX80. > - Adrian Millett > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.9 (GNU/Linux) > > iEYEARECAAYFAky0uRQACgkQmDveRtxWqnY6MACgoKqXXNSXmBDzn9bIibeSqN79 > x0oAoLLX/+CCwBN1F2BTg5bnqx2h6fq7 > =H20z > -----END PGP SIGNATURE-----_______________________________________________ Xen-users mailing list Xen-users@lists.xensource.com http://lists.xensource.com/xen-users