Do not send root password by email.

When creating a new cloud server, the root password is displayed in the SSL-secured control panel. Good, everything we need to get started.

However, an email is also sent to the user containing the new root password and IP address. Bad, everything a script kiddie/cracker needs to get started, sent over public email.

When discussing this with support (3 times, the first about a year ago), I am told that I should be using an email address I control and that this is a temp password that should be changed ASAP. I know this already, and do; but I worry for customers that do not know this. That warning is not in the 'new cloud server' email or in the interface.

I'm also worried that I'm not changing it fast enough.
If I was a rootkit, I would look for your emails and install immediately. I cannot prove this is not already happening.

Can we please have a simple "Your cloud server is ready. For security, please change your password..." email, if at all.

Please change ASAP.

(I am usually a very happy customer, THANKS! But I'm frustrated that I have to post this here and try to rally support for good security practices.)

116 votes
    JTxt shared this idea

    18 comments
      • JTxt commented

        Dear Rackspace.
        Ok, it's been 6 months since you said you're in the process of implementing this change. Can you please share your progress with us?
        Thanks!

      • Terry Coley commented

        New customer here... just provisioned a Windows Cloud Server. Was told the password would be emailed to me. OK - that's bad.

        Worse: email contains the full IP address as well as Username/Password. In other words, everything a hacker needs.

        Did I mention: new server comes up with Remote Desktop OPEN to all foreign IP addresses?

        Really - this is embarrassingly far outside of the best practices I'm expecting from Rackspace.

      • MeatMuppet commented

        This can't be such a hard issue to fix?

        We're looking for a large enough provider as an alternate to Amazon. This is a deal-breaker for us.

      • acgann commented

        The problem being that the current method of showing the root password is to have it display very briefly in the console. It is very easy to miss.

      • dkamins commented

        I'm a relatively new Rackspace Cloud Server user. I just submitted this issue as a ticket, assuming it was something new. I can't believe this has been happening for a year already!

        I wouldn't be surprised at all if a decent number of RS Cloud Servers are already sporting rootkits. Hopefully no hackers are clever enough to escape the sandboxes of the VM slices and attack the host servers themselves. They've certainly had time to try though.

        The response I got on my ticket was the same as on this issue: "We are in the process of implementing this change". I really hope this is fixed soon. It seems like an easy first step would be to simply disable the e-mails, or at least have an option (defaulting to off) at server creation time to send such an e-mail.

      • $codemaster commented

        Also, goes hand in hand with this: if it is absolutely necessary to email the administrator passwords to a customer, send it with the customer's Public PGP Key.

        Provide an option in the control panel to:

        a) Disable plain-text administrator password emails.

        and/or

        b) Upload Public PGP Key to be used when sending the Administrator password.

        This, I must say, is the strangest thing to have such a good company like Rackspace sending plaintext root passwords around.

      • Justin commented

        I just noticed that the status of this is now marked as "started". Thank you RS!

      • Justin commented

        I asked over a year... just tried again... same answer:

        Thank you for your patience. A representative will be with you shortly.
        Welcome to the Rackspace Cloud! My name is Josh W, how may I help you?
        Josh W: hello and how may I assist you
        Justin: How do I disable the automatic emailing of the root pw in cleartext when I create a VM? Obviously I change it immediately, but it's annoying that what is supposed to be a secure service requires sending the initial pw over SMTP....
        Josh W: I do not believe it is possible to turn that feature off
        Josh W: one thing you can do to voice your opinion is submit that request in feedback.rackspacecloud.com
        Justin: will do, thanks!

      • Russ commented

        In general why not implement keys the way amazon does at least for the linux side?

      • Flavio commented

        This is simply unbelievable. I thought there was some configuration to stop this nonsense only to find out that they can't possibly do this. In my opinion, password should not even be used - I usually set up a /root/.ssh/authorized_keys2 personality with the public half of my ssh key and skip password completely. But anyway, in no reasonable universe sending this password by email is acceptable.

      • Cory commented

        To pile on here, even if you follow those best practices, "an email you control" isn't always a permanent situation. You can lose control of an email address without knowing it, due to a number of causes, some controllable (vulnerability to DNS spoofing, missed paying a bill) and some not (ISP goes under unexpectedly). During the gap, Rackspace is sending your passwords to a third party.

        If you need the API automation, I recommend building a tool that creates the server, and then automates an SSH connection to change the password. That's what I'm doing.
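The tool Cory describes (create the server, then immediately open one SSH session to replace the emailed password), combined with Flavio's key-only root login, as an added example that is not part of this thread or of Rackspace's tooling. It assumes a hypothetical local key pair at `~/.ssh/id_ed25519.pub` (overridable via `SSH_PUBKEY`), an OpenSSH server with systemd or a `service` script on the new box, and that the server has already been created by whatever API call you use; the host name and all sample config lines are constructed.

```shell
#!/bin/sh
# Added example, not Rackspace's code: harden a freshly provisioned Linux
# server whose temporary root password arrived by email. Run locally as
#   sh harden-new-server.sh bootstrap 203.0.113.10      (hypothetical host)
# ssh prompts for the emailed password exactly once; the script then installs
# your public key, sets a fresh random root password, disables password logins
# in sshd and reloads it, so the emailed credential is dead within seconds.
# Assumptions: key pair in $SSH_PUBKEY (default ~/.ssh/id_ed25519.pub), OpenSSH
# on the server, and either systemd or a 'service ssh' script to reload it.

# gen_password: 32 characters, letters and digits only, so the value survives
# chpasswd and the remote command line without any quoting tricks.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 32
}

# harden_sshd_config FILE: force the managed directives to their hardened
# value. Any earlier occurrence (active or commented) is dropped so the result
# is unambiguous, and the directives are PREPENDED: sshd honours the first
# value it sees, and prepending keeps them global even if the file ends with
# a Match block. Running it twice yields the same file (idempotent).
harden_sshd_config() {
    f="$1"
    {
        printf '%s\n' \
            'PubkeyAuthentication yes' \
            'PasswordAuthentication no' \
            'ChallengeResponseAuthentication no' \
            'PermitRootLogin prohibit-password'
        grep -v -E '^[[:space:]]*#?[[:space:]]*(PubkeyAuthentication|PasswordAuthentication|ChallengeResponseAuthentication|PermitRootLogin)([[:space:]]|$)' "$f" || true
    } > "$f.tmp"
    cat "$f.tmp" > "$f" && rm -f "$f.tmp"   # keep the original inode and mode
}

# check_sshd_config FILE: audit helper; exit 0 only when password logins are
# off and root cannot authenticate with a password.
check_sshd_config() {
    grep -q -E '^[[:space:]]*PasswordAuthentication[[:space:]]+no([[:space:]]|$)' "$1" &&
    grep -q -E '^[[:space:]]*PermitRootLogin[[:space:]]+(no|prohibit-password|without-password)([[:space:]]|$)' "$1"
}

# remote_phase NEWPW PUBKEY: runs ON THE SERVER. bootstrap_server pipes this
# very file to 'sh -s' over ssh, so the same functions are available there.
remote_phase() {
    set -e
    newpw="$1"; pubkey="$2"
    install -d -m 700 /root/.ssh
    grep -qxF "$pubkey" /root/.ssh/authorized_keys 2>/dev/null ||
        printf '%s\n' "$pubkey" >> /root/.ssh/authorized_keys
    chmod 600 /root/.ssh/authorized_keys
    printf 'root:%s\n' "$newpw" | chpasswd
    harden_sshd_config /etc/ssh/sshd_config
    check_sshd_config /etc/ssh/sshd_config
    sshd -t                                   # never reload a broken config
    systemctl reload sshd 2>/dev/null || service ssh reload
}

# bootstrap_server HOST: local side. The new password is generated here and
# printed once at the end so it can go straight into a password manager.
# The public key is single-quoted for the remote shell; a key comment
# containing a single quote would need extra escaping.
bootstrap_server() {
    host="$1"
    newpw="$(gen_password)"
    pubkey="$(cat "${SSH_PUBKEY:-$HOME/.ssh/id_ed25519.pub}")"
    ssh -o StrictHostKeyChecking=accept-new "root@$host" \
        "sh -s -- remote '$newpw' '$pubkey'" < "$0"
    printf 'new root password for %s: %s\n' "$host" "$newpw"
}

case "${1:-}" in
    bootstrap) bootstrap_server "$2" ;;
    remote)    remote_phase "$2" "$3" ;;
esac
```

Two caveats worth keeping in mind: the first connection trusts the server's host key on sight (`accept-new`), because nothing else in the provisioning flow gives you a fingerprint to compare against, and the window between the email leaving Rackspace and this script finishing is exactly the exposure the thread is about, so it belongs in the same automation that creates the server rather than in a human's to-do list.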

      • Shaun Turner commented

        Spoke to one of your Rackspace guys in chat; he said:
        "unfortunately there is no way to suppress the plaintext emails from being emailed out. Our general advice is that setting the password through the API or control panel should really only be used for temporary access until the password can be changed from within the server."

        To me it seems that the whole point of the API is to allow you to start and stop servers without human interaction, the purpose of this is greatly undermined by having to have us log in to the server to change the password every time a new server starts.

        Please can you resolve the issue.

        Many thanks,

        Shaun Turner

      • JTxt commented

        Ok, I found the chat transcripts and removed their names, but still, I'm not sure I should post them, even though support was very helpful.

        Here are the dates at least:
        2/2/2010,
        10/19/2010 (Twitter),
        10/20/2010 (talked on the phone; he suggested that I post here),
        11/15/2010.

        I'm surprised this is still not addressed. Please fix this!

      • David K. Storrs commented

        Hear, hear! This is Utter Basics of Security 101. I've just signed up, but so far everything else about Rackspace is great, so I was floored to see this... and even more floored that this issue has clearly been around for AT LEAST 7 months, based on the datestamps in the comments (OP says "over a year"!!). For reference of future posters, today is 2011-05-26.

        Really guys, how hard is it to change this?

        David K. Storrs

      • RS commented

        Please, Rackspace, never send passwords in emails; it is a really bad idea.
        This issue, and the fact your support team were able to tell me my account password over the phone (!), make your security measures too weak to consider your cloud services for business use.

      • acgann commented

        Agreed. At least if it's displayed on the screen (only the first time) you can be assured it's getting transmitted via SSL. And it would have to be actually available on the screen. How many times when rolling a new site does the root pw flash up and then it's gone forever before you catch it? :P

      ©2011 Rackspace, US Inc.