VMware Appliance (OVA) enhancements

Open tsugliani opened this issue 11 months ago • 4 comments

Hi gents,

It would be amazing to add to the available OVF properties the ability to set up the appliance root password AND set up an SSH key too (if those are not set, just use the current default password so it doesn't change the current behavior).

This feature is provided by many appliances these days, and would be a great addition :-)

I do this on my packer templates too for reference: https://github.com/tsugliani/packer-alpine

OVF properties: https://github.com/tsugliani/packer-alpine/blob/main/files/customization.sh#L32-L33

Related Code: https://github.com/tsugliani/packer-alpine/blob/main/files/customization.sh#L85-L96

Thanks in advance,

tsugliani, Mar 16 '24 18:03

Hi Timo, thanks for your feedback. We can add this feature for sure ;)

rschitz, Mar 16 '24 18:03

@tsugliani I'm not comfortable keeping password and SSH keys in the OVF props like in this example: [image] What's your feeling on this?

rschitz, Mar 16 '24 19:03

Password is not shown in vCenter UI/API, with the ovf:password="true" setting in the OVF envelope for this property (only way to fetch it would be to access the VC DB, but at that stage, you are already compromised pretty badly)

For the SSH public key, that is meant to be public, so not sure why that is a problem?

You could use the same setting as the password above for the ssh key so it doesn't appear in the UI/API if that feels like an issue.

Even GitHub/GitLab shares your public keys, for example my registered one is here:

❯ curl https://api.github.com/users/tsugliani/keys
[
  {
    "id": 71752143,
    "key": "ssh-rsa [...]"
  },
  {
    "id": 84987101,
    "key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID5P8euZ0NGqx4xtaL/cV3f45KD2p5mbz29I8wUFAhUv"
  }
]

Hope this makes sense.

tsugliani, Mar 17 '24 16:03

Didn't know about the hidden password setting and you're right we don't care about public keys, I'm too paranoid :D Thanks

rschitz, Mar 17 '24 21:03